Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology what assessment her Department has made of the potential impact of the Cyber Security and Resilience (Network and Information Systems) Bill on the EU’s data adequacy decisions in relation to the UK.

The CSR Bill updates the UK’s cyber resilience framework set out in the NIS Regulations 2018 and does not impact the UK's key data protection legislation. It includes a range of measures that affect the Information Commission in its capacity as a NIS regulator, but not its capacity as the UK data protection authority.

The European Commission’s draft decision from 24 June 2025 on UK adequacy concludes that the UK continues to provide an essentially equivalent level of data protection. The government does not consider there to be specific developments that pose substantive risks to the EU adequacy decisions being renewed by the EU’s deadline for adoption of 27 December 2025.

DSIT consulted with the Information Commission during the development of the Bill in accordance with its obligations under Article 36(4) of the General Data Protection Regulation.