Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Lincoln Jopp
Main Page: Lincoln Jopp (Conservative - Spelthorne)Department Debates - View all Lincoln Jopp's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)
Lincoln Jopp ExcerptsTuesday 10th February 2026
(4 days, 16 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
The Chair
Good morning, everyone. I remind Members to send their speaking notes via email to Hansard and to switch electronic devices to silent. Beverages are not allowed. I ask people to speak clearly and precisely for the benefit of other colleagues and Hansard. Were they to give an early indication that they wish to speak, that would be much appreciated.
Lincoln Jopp (Spelthorne) (Con)
On a point of order, Dr Murrison. In Thursday’s session, I asked the Minister why pupil data was not within the remit of this Bill. He said:
“On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.” ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 5 February 2026; c. 137.]
Since then, I have been researching any action taken in respect of the Government’s cyber-security strategy and the cyber action plan, and can find no record of them dealing with the issue of pupil data. I wonder whether, this morning, the Minister could specify what he meant last Thursday or commit to coming back to the Committee with that detail.
The Chair
I am sure that the Minister will have heard what the hon. Member has said. He may wish to reflect on it, but it is not really a matter for the Chair. Nevertheless, it is on the record.
Lincoln Jopp
On a point of order, Dr Murrison. Yesterday, I spoke in a petition debate in Westminster Hall. The petition was signed by 114,000 members of the public calling for a public inquiry into Russian influence in British democracy. In researching my response on behalf of His Majesty’s Opposition, I came upon the Government’s statement about this Bill, which said that it would
“require organisations in critical sectors to further protect their IT systems”.
The split infinitive notwithstanding, I do not believe that the Bill requires any organisations in critical sectors to further protect their IT systems. If the Minister thinks that the Government are correct in saying that, would he like to direct us to that requirement in the Bill?
Kanishka Narayan
Having been promoted from a position of mere confidence to faith, I will tackle questions from the hon. Member for Runnymede and Weybridge first and foremost. On the question of thresholds of incident, the Bill sets out the severity of the sorts of incidents that we expect reporting obligations to apply to, and at the same time it ensures that it is proportionate in understanding that sector-specific thresholds ought to be precisely that—sector specific, set closely with relevant entities in that sector, and working with the expertise of the relevant regulators. For that reason, it has not been specified more fully on the face of the Bill.
On information sharing, not only is there provision for the specific sets of purposes for which information sharing ought to take place between regulators, but there is a further check on the proportionality of that, through a particular requirement, to ensure that information that is shared in incident contexts is done precisely for the purposes set out in the Bill, and in a way that is proportionate.
My hon. Friend the Member for Milton Keynes Central raised the question of hardware impacts. While the focus of the Bill is primarily on network and information systems, the test, as I think of it, would look at whether any compromise in network and information systems related to a piece of hardware triggers the severity of the impact, or potential impact, to be reportable. In the event that it is reportable, in its severity and potential impact, it will require notification—to the regulator and, when customers are directly impacted in the way that is set out in the Bill, also to the customers. The test is focused on whether network and information systems are engaged, and whether the impact of any incident is likely to be severe enough, in light of the thresholds set out in the Bill.
Lincoln Jopp
My hon. Friend the Member for Bromsgrove raised the case of M&S, which would clearly be out of the scope of the Bill. However, it has a managed service provider, so it is a bit like the JLR case. I am still looking for some certainty as to whether JLR and M&S would come within the scope of the Bill by dint of the fact that they have managed service providers, which are within the scope. I am still not 100% clear on the answer to that question. I would be grateful for greater clarity from the Minister.
Kanishka Narayan
I hope this does offer the clarity that the hon. Member seeks. While I will not refer to specific businesses, broadly speaking the sector of food supply is not within the scope of the Bill; the obligations on operators of essential services or direct entities that are within the scope of the Bill will not apply.
However, if—in a hypothetical situation—a managed service provider within the scope of the Bill supplies to that business, the managed service provider would be within the scope of the Bill’s requirements. The customer—in this case, the food supply business—may, if the severity applies, be in receipt of reports from the relevant MSP, in this particular context. They will not be caught up in the full set of obligations in the Bill, but we would expect customers to be notified of incidents where the severity thresholds are met. I hope that gives the hon. Member some clarity.
Lincoln Jopp
I am grateful to the Minister for giving way a second time. I understand his answer, but, to be clear, if an incident that meets the severity threshold is reported to a client who is out of scope, would that bring any obligation to report in the normal way?
Kanishka Narayan
Under the provisions of this Bill alone, only the entities specified as critical suppliers or operators of essential services—the relevant digital providers and so on—would be caught up in obligations if an event occurred. Assuming neither of those is true of a food supply business, the Bill’s provisions would not apply.
At the same time, in the sort of incident that the hon. Member describes, we would expect the NCSC to be deeply engaged, assuming severity thresholds and wider risks are applied. We would work closely on that operationally and I am sure we would look at how that business could be supported more widely. But the Bill’s provisions are really focused on the sectors, and entities within those sectors, that have an immediate threat to day-to-day operations such as a potential threat to life. There are reasons, which we can get into later, as we have done previously, why we set the sectoral scope in that way.
New clause 6 seeks to clarify that a ransomware attack falls under the definition of “incident” within the NIS regulations. I share the concerns of the shadow Minister and the hon. Member for Bognor Regis and Littlehampton about the significant disruption that ransomware attacks can cause. Indeed, last year we saw the impact of the ransomware attack on Synnovis, a supplier to the NHS, which resulted in the delay of 11,000 out-patient and elective procedure appointments. The hon. Member for Bognor Regis and Littlehampton and the shadow Minister are quite right that this kind of attack should be considered an incident under the NIS regime. Because of the changes to incident reporting introduced by the Bill, I can confirm to the Committee that ransomware attacks will be in scope.
The Bill updates the definition of “incident” so that it applies to any event that has, or is capable of having, an adverse effect on the operation or security of network and information systems. Ransomware attacks already fall well within that definition. Although I welcome the principle and intent behind the new clause, its content is already addressed by the Bill. I hope that assures hon. Members across the Committee.
New clause 7 would require the Government to publish a review of the new incident reporting regime within a year of the Bill’s receiving Royal Assent. It is important that the effectiveness of the NIS regulations, including the reforms to incident reporting introduced by the Bill, should be reviewed periodically. That is why the Bill requires the Government to conduct a review and lay it before Parliament once every five years. That timeframe will enable the new regime to bed in and allow a meaningful period of time to measure change before the Government report on its effectiveness. As my hon. Friend the Member for Stoke-on-Trent South said, notwithstanding her and the shadow Minister’s confidence in me and the Government, to publish a review after only one year would risk giving an incomplete picture, as regulators and regulated entities may still be transitioning to the new processes.
The new clause would also require the Government to publish proposals for a single reporting platform for cyber-incidents, again within a year of the Bill’s passing. We have heard the clear ask from businesses to minimise the time they spend filling in different reporting templates following an attack, to ensure they can prioritise the technical response. I share the concerns of the hon. Member for Bognor Regis and Littlehampton, and we are exploring all options to enable a proportionate and efficient reporting system. That said, setting a fixed time limit of one year to develop proposals does not reflect the inherent complexity of the task and the need to get it absolutely right for the businesses in scope of the Bill, not least because the proposals will need to be rigorously evidenced, consulted on and tested. For those reasons, I am unable to accept the new clause.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16 ordered to stand part of the Bill.
Clause 17
Powers to impose charges
Question proposed, That the clause stand part of the Bill.
Lincoln Jopp
On the subject of charging and money, has the Minister had the opportunity to revisit his own impact assessment on the basis that there might be a glitch in the matrix? It says on multiple occasions that the hourly salary for a contract lawyer is £34 an hour. When we discussed it last week, I contended that this was totally unrealistic, probably to a factor of 10.
Kanishka Narayan
I am reminded of the hon. Member’s point last week. I am happy to write to him on the basis of the precise figure in the impact assessment, which I understand to be based on not just an extensive survey but the application of subsequent uplifts. I am more than happy to continue that conversation in correspondence.
On factors that ought to be considered in setting up charging schemes, I mentioned some, such as size and turnover, but I will flag that those are suggestive and indicative rather than exhaustive factors that regulators may consider. Regulators ought to be able to set different levels of fee for different types of organisations. There is also provision to exclude organisations from a charging scheme altogether if it would be disproportionate or counterproductive to include them. It is appropriate that regulators and competent authorities can vary their charging schemes in the light of that.
On current regulatory performance and its correlation with charging schemes, I have not observed any direct correlation. What I have seen, simply, is that some regulators are clearly doing well. We heard in evidence from a range of participants that in some cases things are working particularly well and that, in others, there is more scope for improvement. That is precisely why the Bill sets no fundamental lowest common denominator for how regulators ought to approach either charging or their enforcement duties; instead, it ensures that we are conducting oversight of each regulator as robustly as possible. I assure hon. Members that the question of regulatory enforcement is central and that the motivation behind the charging scheme is precisely to ensure that regulators are well resourced to implement the Bill.
Question put and agreed to.
Clause 17 accordingly ordered to stand part of the Bill.
Clause 18
Sharing and use of information under the NIS regulations etc
Dr Spencer
Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.
I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.
Lincoln Jopp
In terms of scope, could the Minister give us some sense, when it comes to managed service providers, whether the purpose behind this clause is to enable regulators to find out their entire client list? I would be grateful for some clarity on that point.
Kanishka Narayan
I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.
To the shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.
Kanishka Narayan
I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.
I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.
Lincoln Jopp
I might have to remind myself. I asked the Minister whether the purpose of this clause is for a regulator to be able to ask a managed service provider what their entire client list is, in order to make various assessments.
Kanishka Narayan
I thank the hon. Member for asking and repeating the question. The purposes of the provisions on information requirements are focused on ensuring that regulators can conduct their duties as provided by the Bill. I would not expect information notices to require an exhaustive list in every instance, but instead to primarily focus on a more proportionate set of asks relating to risk vectors to the security of the regulated entities and to wider national security and cyber-security.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Financial penalties
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
I thank the hon. Member on both fronts. On the penalty bands, clearly defined parameters are set out in the Bill, and my hope is that that increases the effectiveness, the clarity and—at the heart of it, to his question—the consistency of application we expect across regulatory regimes.
As I mentioned, the 4% figure for the maximum penalty in part referenced existing UK regulatory regimes and legislation that were felt to be the most comparable. In part, it was judged to be an appropriate, proportionate maximum, based on relevant concerns around the appropriate level of deterrent effect, the proportionate level of fine, the regulatory precedent and the broader impact on investment and the economy as a whole, notwithstanding the significant cyber-security costs businesses already experience.
The second change in the clause is intended to eliminate the confusion surrounding the definition of a “material contravention” in the current regulations. Finally, the clause ensures that regulators can consider a wider range of factors when determining what constitutes an appropriate penalty. Where mitigating steps have been taken to address a breach, that should be acknowledged, but so too should the impacts of the breach and any history of compliance or non-compliance.
To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed.
Lincoln Jopp
This is really where the regulatory rubber hits the road. Earlier, we described cases involving a client who is not in the Bill’s scope but who employs a managed service provider that is, and that is therefore vulnerable to these charges. What happens when there is an interface between a client employee operating an IT system and what the managed service provider does? For example, someone could bring in a data stick, shove it in the side of a computer and break the rules, eliciting some form of ransomware. How will it work when the regulator goes to the managed service provider and says, “Here’s your £10 million fine,” and the client says, “That is down to you”? It is going to be a lawyer-fest, isn’t it? Even lawyers who get paid more than £34 an hour are going to make quite a lot of money.
Kanishka Narayan
Just so that I am clear, not least for future records, I think the case described is one where the client is not in the Bill’s scope but is provided to by an MSP that is in the Bill’s scope, and where the relevant responsible individual is in the client business as an employee or agent of that business. The hon. Gentleman raises an important point. Both the obligations and the defined focus of the Bill are on regulated entities. In this instance, if the individual is not in the regulated entity and the regulated entity has complied with the entirety of the wider cyber-security reporting obligations in the Bill, we would look to other venues of legal action against the individual in question. It would be challenging for a Bill that does not regulate the entire economy to ensure that every individual and firm unregulated by it are brought into its scope as well. But that is not to diminish the significance of requiring other pieces of law to act on individuals elsewhere.