Cyber Security and Resilience (Network and Information Systems) Bill Debate

Department: Department for Digital, Culture, Media & Sport
Victoria Collins (Harpenden and Berkhamsted) (LD)

I wish you and everyone else in the Chamber a happy new year, Madam Deputy Speaker.

It is a pleasure to finally address the long-awaited Cyber Security and Resilience (Network and Information Systems) Bill. As has been pointed out today, it is significant. The National Cyber Security Centre reported that nationally significant cyber-incidents had more than doubled since the previous year. The past year’s surge in cyber-attacks on targets ranging from supply chains to hospitals to critical infrastructure has made one fact clear: there is no economic or societal security without cyber-security. Cyber-attacks cost the UK economy £14.7 billion annually. There have been attacks on companies such as Jaguar Land Rover and Marks & Spencer. More important, however, is the impact on the real economy. Thousands of jobs and businesses are hanging in the balance, and our public services and our private data are also being impacted. As the Minister mentioned this morning, the NHS Synnovis ransomware attack resulted in more than 11,000 postponed appointments and procedures. It has even been linked to one patient’s death, which was attributed to the delay that the attack caused. This matters. We must do all that we can to upgrade protection and our security, because jobs, the economy and lives depend on it.

Our economy—imagine it, if you will, as a house—is under attack. The Liberal Democrats welcome the Bill’s intent to upgrade our home security; the addition of data centres, managed service providers and large load controllers means that we are building stronger fences, and that companies with a master key to all our doors have stronger security. Also, the wiring has been upgraded, and the alarm system is being given an upgrade; there is increased incident reporting. However, the Bill leaves the back door wide open by leaving out key sectors. Our alarm system is not sure when it is supposed to ring, and the companies that have the keys to our doors, and are using our house, are asking for simplicity, clarity and support, so that they can do their job properly. While no single piece of cyber-security legislation can act as a silver bullet, those are gaps that we must address.

We are failing to take the whole-economy approach mentioned by the hon. Member for Warwick and Leamington (Matt Western). We are leaving out the public sector and economically significant sectors, such as retail and manufacturing. The Bill’s stated aim is to protect organisations

“that are so essential that their disruption would affect our daily lives.”—[Official Report, 12 November 2025; Vol. 775, c. 26WS.]

However, the Government apparently do not consider their own public services, provided by local authorities, to be essential enough for protection. The £10 million Redcar council incident proves that voluntary schemes are failing local authorities, but after the Bill is passed, Government institutions and councils will still lack statutory protections and ringfenced funding—and all the while, council budgets are getting tighter. I have no doubt that members of the public whose data, be it from the electoral roll or from social care records, sits in these systems would object to the public sector’s exclusion from the Bill.

As has been mentioned, we are also talking about a potential mandatory digital ID system for the whole country. The Government have already said that it would be built with home-made technology. Where will the cyber-protection be in that? What is more, leaving out sectors such as retail and manufacturing would mean that the JLR and M&S cyber-attacks remained out of scope. These are significant sectors. They involve major employers and major parts of our supply chains, and they handle significant amounts of personal data.

The Bill marks a failure of ambition. The Government claimed in response to a letter that we sent on this topic that they

“do not need to wait for or rely on legislation”

to implement cyber-security requirements in the public sector, and will instead use the Government action plan to ensure that the very same requirements in the Bill will be applied to the public sector. Why must we have this two-tier approach? Why leave out economically and socially significant sectors, such as the public sector? Does the Minister agree that we need mandatory cyber-security standards for those absent sectors of our society, governance and economy? If we are serious about national resilience, about protecting citizens’ data and about aligning with our European partners, let us vote on the issue in primary legislation in this Chamber, so that the issue has the full transparency and accountability that it demands.

A further critical gap in the Bill is the failure to embed security by design, and a lack of clear accountability. This should be board-led, to ensure that each lock, door and window of our house is built securely. In 2019, the NCSC published design principles, and last October the Government launched a secure-by-design framework, which was seen as core to their cyber-security standard. However, the Bill not only excludes Government from critical national infrastructure but abandons that key principle, and fails to include the words “by design”, which matters, particularly as ISC2 research suggests that skills shortages are the No. 1 challenge for compliance with cyber regulation in the UK, with 88% of respondents experiencing at least one cyber-security breach as a result of skills shortages. This is also a missed opportunity for our economy and our cyber-security sector. Prioritising security by design would provide the baseline protection that our critical infrastructure so desperately needs. What consideration have the Government given to ensuring security by design?

Effective regulation does not just mean future-proofing; it must be workable. While we welcome expanded incident reporting, the current definitions risk creating a significant regulatory burden. Over-reporting will overwhelm, rather than strengthen, our cyber-security systems. Those who are coming to upgrade our security systems are not being given clear directions. The definition of a “reportable incident” is so broad that it could extend to every phishing email. How will the NCSC feasibly manage the administrative burden when the alarm may be ringing non-stop? Other critical terms lack clarity for industry, including “managed service provider” and the criteria for “digital critical suppliers”, as has been highlighted by techUK and others. These are not just technical details to be ironed out later; they are the difference between a Bill that works and one that does not, and industry needs clarity on how to comply. Will the Minister work with us and with industry to tighten those definitions, so that the Bill is workable, and will he consider the best way to ensure simplicity and effectiveness in incident reporting?

What is being done to support home-grown cyber-security in the UK? What is being done to defend us from hostile foreign interference? With one of the latest defence contracts going to Palantir, what is being done to support UK tech? Would the Government support a digital sovereignty strategy, as suggested by Open Rights Group? The Bill is yet another missed opportunity to support our domestic tech sector, at a time when we should be building UK cyber-security capabilities and creating highly skilled jobs here at home. How can we claim to be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad?

Supporting UK tech and businesses is not just about the providers in the Bill; it is about the thousands of small and medium-sized enterprises that form the backbone of our economy. For the few SMEs and start-ups that are directly affected by it, the Bill creates a regulatory thicket of overlapping rules, different timelines and multiple bodies. Cyber-security is complicated, and for this legislation to work, it must be simple and easily implementable for UK SMEs. What support will there be for those SMEs and start-ups?

It would be remiss of me not to mention the wider cyber-crime landscape. SMEs make up 99.8% of UK businesses, and are often the most vulnerable link in cyber supply chains. The NCC Group confirms that manufacturing, retail and leisure, dominated by SMEs, were the sectors most targeted for ransomware in 2024. That is why the Liberal Democrats are calling on the Government to establish a digital safety net for SMEs—a nationwide first responder service that would provide free-at-the-point-of-use support for small businesses that have been victims of a cyber-attack. Australia is already doing that, providing person-to-person support during and after attacks. If Australia can do it, why can’t we?

On top of all that, the biggest threat is actually fraud, which costs the economy hundreds of billions a year. Two thirds of all fraud begins online, much of it through social media companies with no liability. That is why the Liberal Democrats are calling for social media platforms to be made financially liable for fraud on their sites, which would create a clear line of accountability for criminal activity. Moreover, fraud is a cyber-security issue; it exploits weak systems and inadequate protections. Families lose life savings, elderly people fall victim to sophisticated phishing, and small businesses shut down. The Bill protects infrastructure, but by leaving the back door open, it ignores the billions of pounds of savings lost and the livelihoods upended through online fraud. The Government must address that in their long-awaited fraud strategy. We cannot protect systems but abandon our businesses and our people.

The Bill is progress, but it is not the finish line. The cyber-threat is real, evolving and urgent. The Liberal Democrats will work constructively to strengthen the Bill through amendments, but we must ensure that we do not leave the back door open, and that we future-proof our security. We owe it to our businesses, our families and our national security to get this right.