Make provision, including provision amending the Network and Information Systems Regulations 2018, about the security and resilience of network and information systems used or relied on in connection with the carrying on of essential activities.
The Cyber Security and Resilience (Network and Information Systems) Bill is a Government Bill tabled by a Minister of the Crown.
Is this Bill currently before Parliament?
Yes. This Bill was introduced on 12 November 2025 and is currently before Parliament.
Whose idea is this Bill?
Government Bills implement the legislative agenda of the Government. This agenda, and the Bills that will implement it, are outlined in the Queen's Speech at the Session's State Opening of Parliament.
What type of Bill is this?
Government Bills are technically Presentation Bills, but the Government can use its legislative time to ensure the schedule of debates to scrutinise the Bill.
So is this going to become a law?
Though the Bill can be amended from its original form, the Bill will almost certainly be enacted in law before the end of the Session, or will be carried over to the subsequent Session.
How can I find out exactly what this Bill does?
The most straightforward information is contained in the initial Explanatory Notes for the Bill.
Would you like to know more?
See these Glossary articles for more information: Government Bills, Process of a Bill
Next Event: There is no future stage currently scheduled for this bill
Last Event: Thursday 26th February 2026 - Committee stage (Commons)
Bill Progression through Parliament
NC1
Victoria Collins (LD)
To move the following Clause-
"Statement on risks posed to systems by foreign interference
(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government's plans in relation to risks to the security and resilience of relevant network and information systems arising from foreign interference.
(2) For the purposes of this section, a "relevant network and information system" is a network and information system belonging to-
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
(3) Any statement under this section must-
(a) set out the Government's intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of relevant network and information systems by foreign interference in such systems;
(b) include risks associated with-
(i) hardware,
(ii) software,
(iii) supply chains,
(iv) procurement processes, and
(v) the use of, or reliance on, foreign technologies or systems;
(c) include a specific focus on government digital procurement processes;
(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems."
NC2
Victoria Collins (LD)
To move the following Clause-
"Cyber security support service for SMEs
(1) The Secretary of State must, by regulations, make provision for the establishment and operation of a cyber security support service for relevant small and medium-sized enterprises (SMEs) for the purposes of improving the security and resilience of their network and information systems.
(2) For the purposes of this section, a relevant SME is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
(3) A support service established under this section must provide—
(a) advice and technical assistance to SMEs following a cyber incident; and
(b) guidance on recovery and remediation."
NC3
Victoria Collins (LD)
To move the following Clause-
"Review of high-risk bodies
(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
"relevant body" means-
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
"foreign state-owned enterprise" means a body corporate in which a foreign state has a controlling interest;
"network and information systems" has the meaning given by section 24(1)."
NC4
Victoria Collins (LD)
To move the following Clause-
"Critical manufacturing and retail sectors
(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities-
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors."
NC5
Victoria Collins (LD)
To move the following Clause-
"Local authorities to be regulated as essential services
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
"Local Government | Local Government | The Secretary of State for Housing, Communities and Local Government"
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert-
"The Local Government Sector
12- (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph "local authority" means—
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.""
NC6
Victoria Collins (LD)
To move the following Clause-
"Computer Misuse Act 1990: security and resilience of network and information systems
(1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines–
(a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review;
(b) the review's conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and
(c) the Government's intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review."
NC7
David Chadwick (LD)
To move the following Clause-
"Consultation on resourcing of regulatory authorities and regulated persons
(1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing-
(a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and
(b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1)."
NC8
David Chadwick (LD)
To move the following Clause—
"Electoral infrastructure to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
"Elections | Electoral infrastructure | The Electoral Commission"
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert-
"The electoral infrastructure subsector
12- (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to-
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
"parliamentary election" means an election of a Member to serve in the Parliament of the United Kingdom;
"network and information system" has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
"(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom."""
NC9
David Chadwick (LD)
To move the following Clause—
"Political parties to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
"Government | Political parties | The Secretary of State for Housing, Communities and Local Government"
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
"The political parties subsector
12 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.
(3) In this paragraph-
"registered political party" means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.""
NC10
David Chadwick (LD)
To move the following Clause-
"Board oversight of security and resilience of network and information systems
(1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body's network and information systems.
(2) In exercising oversight, the management body must—
(a) approve the approach taken by the body to the management of risks to the security and resilience of the body's network and information systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.
(4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is-
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations."
NC11
David Chadwick (LD)
To move the following Clause-
"Requirement for regular testing of network and information systems
(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.
(2) Testing undertaken in accordance with this section must-
(a) be proportionate, having regard to the size, nature and risk profile of the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.
(3) A relevant body must document –
(a) the outcomes of testing undertaken in accordance with this section; and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations."
1
Victoria Collins (LD)
Clause 8, page 7, line 36, at end insert-
"(1A) In paragraph (1), after "risks" insert ", including risks arising from fraud,""
2
Freddie van Mierlo (LD)
Clause 40, page 63, line 7, leave out "5" and insert "3"
NC19
Ben Spencer (Con)
To move the following Clause—
“Vulnerability research: review of the merits of a statutory defence
(1) The Secretary of State must, within twelve months of the passing of this Act, review the extent to which an amendment to section 1 of the Computer Misuse Act, with the effect of introducing a statutory defence available to individuals undertaking ethical vulnerability research, would improve the security of the network and information systems of relevant bodies.
(2) A review under this section must consider whether a statutory defence would enable relevant bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.
(3) For the purposes of this section—
(a) “ethical vulnerability research” means access, whether authorised or otherwise, to computer material with the intention of identifying vulnerabilities to cyber attacks, where—
(i) the research is aimed at enhancing the resilience of the network and information system of a relevant body or relevant bodies, and
(ii) the findings of the research are kept securely, shared only with those responsible for the security or resilience of the network and information system concerned, and shared solely for the purpose of enhancing the security or resilience of the network and information system concerned;
(b) “relevant bodies” means operators of essential services, critical suppliers, digital service providers or managed service providers, as defined by the NIS Regulations.”
This new clause would require the Government to review whether the resilience of relevant organisations could be enhanced by introducing a statutory defence to s1 of the Computer Misuse Act, so that a person could be deemed not guilty if they engage in vulnerability research in the public interest.
NC18
Freddie van Mierlo (LD)
To move the following Clause-
"Computer Misuse Act 1990: security and resilience of network and information systems
(1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines-
(a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review;
(b) the review's conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and
(c) the Government's intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review."
NC16
David Chadwick (LD)
To move the following Clause-
"Board oversight of security and resilience of network and information systems
(1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body's network and information systems.
(2) In exercising oversight, the management body must-
(a) approve the approach taken by the body to the management of risks to the security and resilience of the body's network and information systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.
(4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is-
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations."
NC17
David Chadwick (LD)
To move the following Clause-
"Requirement for regular testing of network and information systems
(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.
(2) Testing undertaken in accordance with this section must -
(a) be proportionate, having regard to the size, nature and risk profile of the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.
(3) A relevant body must document –
(a) the outcomes of testing undertaken in accordance with this section; and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations."
25
David Chadwick (LD)
Clause 8, page 7, line 31, at the end insert-
"(1A) In paragraph (1), after "risks" insert ", including risks arising from fraud,""
28
Tom Collins (Lab)
Clause 8, page 8, line 4, at end insert-
"(4) After paragraph (2) insert—
"(2A) When taking measures to manage risks under paragraph (1), an RDSP must, in the design of the relevant digital service-
(a) eliminate unnecessary functions from system requirements;
(b) where risks cannot be managed by the elimination of functions, replace or substitute features in the architecture of the system;
(c) where risks cannot be managed by the replacement or substitution of features, implement active functional controls;
(d) where risks cannot be managed by the implementation of active functional controls, instruct and implement operational and procedural controls;
(e) as a matter of last resort, apply requirements, conditions of use or instructions to service users; and
(2B) For the purposes of paragraph (1), "risks" include those relating to the availability, reliability, safety, integrity, maintainability, confidentiality of the relevant services or systems.""
26
Freddie van Mierlo (LD)
Clause 40, page 63, line 7, leave out "5" and insert "3"
27
Freddie van Mierlo (LD)
Clause 43, page 66, line 11, at end insert-
"(fa) a requirement to remove, disable or modify hardware, software or other facilities;"
NC8
David Chadwick (LD)
To move the following Clause-
"Local authorities to be regulated as essential services
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert-
"Local Government | Local Government | The Secretary of State for Housing, Communities and Local Government"
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert-
"The local Government Sector
11- (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph "local authority" means-
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.""
NC9
David Chadwick (LD)
To move the following Clause-
"Critical manufacturing and retail sectors
(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities-
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors."
NC10
David Chadwick (LD)
To move the following Clause-
"Consultation on resourcing of regulatory authorities and regulated persons
(1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing-
(a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and
(b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1)."
NC11
David Chadwick (LD)
To move the following Clause-
"Electoral infrastructure to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert-
"Elections | Electoral infrastructure | The Electoral Commission"
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert-
"The electoral infrastructure subsector
11- (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to-
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph-
"parliamentary election" means an election of a Member to serve in the Parliament of the United Kingdom;
"network and information system" has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
"(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.""
NC12
David Chadwick (LD)
To move the following Clause-
"Political parties to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert-
"Government | Political parties | The Secretary of State for Housing, Communities and Local Government"
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert-
"The political parties subsector
11 - (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.
(3) In this paragraph-
"registered political party" means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000."""
NC13
Freddie van Mierlo (LD)
To move the following Clause-
"Statement on risks posed to systems by foreign interference
(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government's plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.
(2) Any statement under this section must—
(a) set out the Government's intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;
(b) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains,
(iv) procurement processes, and
(v) the use of, or reliance on, foreign technologies or systems;
(c) include a specific focus on government digital procurement processes;
(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems."
NC14
Freddie van Mierlo (LD)
To move the following Clause-
"Cyber security support service for SMEs
(1) The Secretary of State must, by regulations, make provision for the establishment and operation of a cyber security support service for relevant small and medium-sized enterprises (SMEs) for the purposes of improving the security and resilience of their network and information systems.
(2) For the purposes of this section, a relevant SME is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
(3) A support service established under this section must provide—
(a) advice and technical assistance to SMEs following a cyber incident; and
(b) guidance on recovery and remediation."
NC15
Freddie van Mierlo (LD)
To move the following Clause-
"Review of high-risk critical suppliers
(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess-
(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
"relevant body" means-
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
"foreign state-owned enterprise" means a body corporate in which a foreign state has a controlling interest;
"network and information systems" has the meaning given by section 24(1)."
10
Matt Western (Lab)
Clause 10, page 9, line 29, at end insert—
“(2A) The measures taken by an RMSP under paragraph (1) must ensure that the number of customers to whom the RMSP provides services does not exceed the critical risk threshold.
(2B) In paragraph (2A), the “critical risk threshold” is the number of customers within a sector or subsector where an incident affecting the provision of services to those customers by the RMSP would result in disruption that is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom.
(2C) Paragraph (2D) applies where the number of customers to whom an RMSP provides services exceeds the critical risk threshold by virtue of contracts entered into before the coming into force of section 10 of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(2D) The RMSP must take steps to reduce the number of customers to below the critical risk threshold, including exercising any right to terminate a contract or vary the terms of a contract.”
This amendment would place a duty on relevant managed service providers (“RMSPs”) to ensure that they do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold, such that an incident affecting those services would be likely to result in significant disruption in the United Kingdom. This would prevent an RMSP managing the technology systems for a whole sector or subsector. Provision is also made for a situation where an RMSP is in breach of the critical risk threshold because of contracts entered into before the enactment of the Bill.
11
Kanishka Narayan (Lab)
Clause 4, page 3, line 5, column 3, leave out from beginning to "the" in line 6
This amendment and Amendment 12 would remove the Secretary of State for Science, Innovation and Technology as a joint regulator for the data infrastructure subsector, leaving the Office of Communications acting as the sole regulator for that subsector.
12
Kanishka Narayan (Lab)
Clause 4, page 3, line 7, leave out "(acting jointly)"
See the explanatory statement for Amendment 11.
13
Kanishka Narayan (Lab)
Clause 7, page 7, line 7, leave out paragraph (b) and insert—
“(b) a pool of computing resources is “scalable” if the resources are flexibly allocated by the provider of the service, irrespective of the geographical location of the resources, in order to handle fluctuations in demand;
(c) a pool of computing resources is “elastic” if the resources are provided and released according to demand, in order to rapidly increase and decrease available resources depending on workload;
(d) computing resources are “shareable” if—
(i) multiple users share a common access to the service, which is provided from the same electronic equipment, and
(ii) processing is carried out separately for each user.”
This amendment would refine and make further provision about certain aspects of the definition of “cloud computing service”.
14
Kanishka Narayan (Lab) Clause 18, page 38, line 31, at end insert—
“(aa) otherwise in connection with—
(i) the security and resilience of network and information systems, or
(ii) any other matter relating to cyber security and resilience,”
This amendment would allow NIS enforcement authorities to share information with persons listed in regulation 6(2) (inserted by clause 18), and such persons to share information with NIS enforcement authorities, for purposes relating to the security and resilience of network and information systems or cyber security and resilience.
15
Kanishka Narayan (Lab) Clause 18, page 39, leave out line 21
This amendment is consequential on Amendment 14.
16
Kanishka Narayan (Lab) Clause 18, page 39, leave out line 24
This amendment is consequential on Amendment 14.
17
Kanishka Narayan (Lab) Clause 18, page 39, line 26, leave out from beginning to “, or” and insert “the provision and availability of data centre services in the United Kingdom”
This amendment is consequential on Amendments 15 and 16.
18
Kanishka Narayan (Lab) Clause 18, page 39, line 34, leave out “anything mentioned in paragraph (5)(b)” and insert “the provision and availability of data centre services in the United Kingdom”
This amendment is consequential on Amendments 15 and 16.
19
Kanishka Narayan (Lab) Schedule 1, page 86, line 33, at end insert—
“(ea) in sub-paragraph (da), after “14A;” insert “or”;”
This amendment would make a minor drafting correction.
20
Kanishka Narayan (Lab) Schedule 2, page 89, line 35, at end insert—
“(ia) omit the “and” at the end of the definition of “relevant law-enforcement authority”;”
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
21
Kanishka Narayan (Lab) Schedule 2, page 89, line 37, at end insert—
“(iia) omit the “and” at the end of the definition of “representative”;”
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
22
Kanishka Narayan (Lab) Schedule 2, page 91, line 4, at end insert—
“11A (1) Regulation 24 (service of documents) is amended as follows.
(2) In paragraph (1)—
(a) in the words before sub-paragraph (a)—
(i) for “or notice” substitute “, notice or direction”;
(ii) after “served on” insert “or given to”;
(iii) after “served”, in the second place it occurs, insert “or given”;
(b) omit the “or” at the end of sub-paragraph (b);
(c) for sub-paragraph (c) substitute—
“(c) sending it by post to the person’s proper address or by email to the person’s email address.”
(3) In each of paragraphs (2) and (3)—
(a) after “document” insert “, notice or direction”;
(b) after “served on” insert “or given to”.
(4) In paragraph (4), for “service” substitute “documents, notices and directions”.
(5) For paragraph (5) substitute—
“(5) For the purposes of this regulation, a person’s “proper address” is—
(a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
(b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
(c) in any other case, an address in the United Kingdom at which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of the person on whom it is to be served or to whom it is to be given.
(5A) For the purposes of this regulation, a person’s email address is—
(a) an email address provided to a NIS enforcement authority as an address for contacting that person,
(b) an email address published for the time being by that person as an address for contacting that person, or
(c) if no email address has been so provided or published, an email address by means of which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of that person.”
(6) After paragraph (5A) (inserted by sub-paragraph (5)) insert—
“(5B) A document, notice or direction sent to a person by email is, unless the contrary is proved, to be treated as having been served or given at 9am on the working day immediately following the day on which it was sent.
(5C) In paragraph (5B) “working day” means a day other than a Saturday, a Sunday, Christmas Day, Good Friday or a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.””
This amendment would align regulation 24 of the NIS Regulations with the provisions about giving of directions and notices in clause 57 of the Bill, as amended by Amendments 23 and 24.
23
Kanishka Narayan (Lab) Clause 57, page 83, line 8, at end insert—
“(za) an email address provided to a regulatory authority as an address for contacting that person,”
This amendment would ensure that a direction or notice can be given to a person using an email address which has been provided to a regulatory authority as a contact email address.
24
Kanishka Narayan (Lab) Clause 57, page 83, line 11, leave out “there is no such published address” and insert “no email address has been so provided or published”
This amendment is consequential on Amendment 23.
NC2
Ben Spencer (Con) To move the following Clause—
“Register of foreign powers for the purposes of Part 4
(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.
(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –
(a) which have been confirmed by GCHQ as having—
(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,
(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or
(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,
(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In this section, “foreign power” means–
(a) the sovereign or other head of a foreign state in their public capacity;
(b) a foreign government, or part of a foreign government;
(c) an agency or authority of a foreign government, or of part of a foreign government;
(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or
(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—
(i) hold those posts as a result of, or in the course of, their membership of the party, or
(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”
This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.
NC3
Ben Spencer (Con) To move the following Clause—
“Register of foreign powers for the purposes of Part 4: review of nature of risk
(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –
(a) from activities undertaken outside of the UK, or
(b) from foreign owned or controlled infrastructure or locations within the UK.
(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –
(a) the findings and conclusions of the review conducted under subsection (1), and
(b) the Government’s plan for addressing the risks identified.
(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –
(a) a review has been conducted under subsection (1), and
(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”
This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2, considering whether such risks arise from extra-territorial activities or from infrastructure or premises owned or controlled by foreign powers.
NC4
Ben Spencer (Con) To move the following Clause—
“Review of effect of information sharing and analysis centres
(1) The Secretary of State must, within six months of the passing of this Act, conduct a review of the effect of information sharing and analysis centres on the security and resilience of network and information systems in regulated sectors.
(2) Following the conclusion of a review under subsection (1), the Secretary of State must publish and lay before Parliament a report which –
(a) identifies advantages and challenges associated with the operation of information sharing and analysis centres;
(b) identifies sectors in which the establishment of information sharing and analysis centres is likely to be beneficial for the purposes of increasing the security and resilience of systems; and
(c) where the establishment of further information sharing and analysis centres is likely to be beneficial, sets out a plan for the establishment of such centres.
(3) In this section –
“information sharing and analysis centres” means organisations –
(a) whose membership is primarily comprised of entities operating within a regulated sector for the purposes of the NIS Regulations and this Act,
(b) that are independent of the designated competent authority or authorities for the relevant regulated sector, and
(c) whose aim is to increase cyber security among its membership
“regulated sectors” means sectors and subsectors under the regulatory oversight of designated competent authorities as defined at section 3 and Schedule 1 of the NIS Regulations (as amended by this Act).”
This new clause would require the Secretary of State to conduct a review of the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established.
NC5
Ben Spencer (Con) To move the following Clause—
“Duty on Secretary of State to report on the meeting of existing recommendations and implementation deadlines
(1) The Secretary of State must, at least once in every 12-month period, lay before Parliament a report outlining the Government’s progress towards meeting –
(a) the recommendations made in the National Audit Office’s report on Government Cyber Resilience of 29 January 2025, and
(b) the implementation milestones set out in the Government’s Cyber Action Plan of 6 January 2026
so far as they relate to the security and resilience of network and information systems.
(2) Any report under this section must, where a deadline or implementation date has not been met in relation to the matters set out in subsection (1) above, include –
(a) an explanation for the failure to meet the deadline or implementation date;
(b) a revised deadline or implementation date and a plan for meeting the new date.”
This new clause would require the Secretary of State to report annually on the Government’s progress towards taking actions relating to the security and resilience of network and information systems arising from the NAO’s January 2025 report on the Government’s cyber resilience and from the Government’s Cyber Action Plan.
NC6
Ben Spencer (Con) To move the following Clause—
“Inclusion of ransomware attacks in the NIS Regulations
In regulation 1(2) (interpretation) of the NIS Regulations—
(a) in the definition of “incident”, after “systems” insert “or a ransomware attack which is targeted at the security of network and information systems”;
(b) after the definition of “online search engine” insert—
“ransomware attack” means a cyber-attack involving a type of malicious software that infects a victim’s computer systems, can prevent the victim from accessing systems or data, impairs the use of systems or data or facilitates theft of data, and in relation to which a ransom is demanded for access to be restored or for data not to be published.”
This new clause would include ransomware attacks in the definition of “incident” in the NIS Regulations.
NC7
Ben Spencer (Con) To move the following Clause—
“Impact of reporting requirements on relevant bodies
(1) The Secretary of State must, within 12 months of the passing of this Act, publish and lay before Parliament—
(a) a review of the impact, on relevant bodies, of—
(i) the requirements relating to the notification of incidents in Parts 3 and 4 of the NIS Regulations (as amended by this Act); and
(ii) any additional incident notification requirements made by regulations under this Act; and
(b) proposals for the creation of a single cyber incident reporting channel for relevant bodies.
(2) A review under this section must consider –
(a) the costs of requirements on relevant bodies; and
(b) interactions with other incident reporting regimes.
(3) In this section, “relevant bodies” means operators of essential services, critical suppliers or digital service providers, as defined by the NIS Regulations.”
This new clause would require the Secretary of State to review the impact of incident reporting requirements on relevant bodies, and to set out proposals for a single incident reporting channel.
1
Iqbal Mohamed (Ind) Clause 15, page 22, line 15, at end insert—
“(f) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”
2
Iqbal Mohamed (Ind) Clause 15, page 22, line 25, at end insert—
“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”
3
Iqbal Mohamed (Ind) Clause 15, page 23, leave out lines 13 to 21 and insert—
“(3) For the purposes of this regulation, an incident is a “data centre incident” if—
(a) the incident has affected or is affecting the operation or security of the network and information systems relied on to provide the data centre service provided by the OES, and
(b) the impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to the factors listed in paragraph (3A).
(3A) The factors referred to in paragraph (3)(b) are—
(a) the extent of any disruption which has occurred, is occurring or is likely to occur in relation to the provision of the essential service provided by the OES;
(b) the number of users which have been affected, are being affected or are likely to be affected;
(c) the duration of the incident;
(d) the geographical area which has been affected, is being affected or is likely to be affected by the incident;
(e) whether the confidentiality, authenticity, integrity or availability of data relating to users of the essential service has been, is being or is likely to be compromised;
(f) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”
4
Iqbal Mohamed (Ind) Clause 15, page 23, line 32, at end insert—
“(ea) where the incident involved one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”
5
Iqbal Mohamed (Ind) Clause 15, page 26, line 37, at end insert—
“(h) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”
6
Iqbal Mohamed (Ind) Clause 15, page 27, line 7, at end insert—
“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”
7
Iqbal Mohamed (Ind) Clause 15, page 30, line 8, at end insert—
“(fa) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented;”
8
Iqbal Mohamed (Ind) Clause 15, page 30, line 21, at end insert—
“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”
9
Iqbal Mohamed (Ind) Clause 18, page 40, line 10, at end insert—
“(8A) Where the CSIRT receives notification of an incident under regulation 11, 11A, 12A, or 14E that materially involves autonomous or adaptive systems based on machine learning, the CSIRT must share relevant technical information with the relevant body within 72 hours.
(8B) For the purposes of this regulation, a “relevant body” means the AI Security Institute or any successor or replacement body designated by the Secretary of State.”
NC1
Matt Western (Lab) To move the following Clause—
“Food supply chain to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
“Food supply | Food supply chain | The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The food supply chain subsector
(1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) For the purposes of this paragraph—
(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture, or
(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;
(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
(a) any fish or other aquatic animal,
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism;
“plants” include fungi.”
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.””