Cyber Security and Resilience (Network and Information Systems) Bill
Tuesday 6th January 2026
(2 days, 20 hours ago)
Commons ChamberCyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Minister for Digital Government and Data (Ian Murray)
I beg to move, That the Bill be now read a Second time.
A happy new year to you, Mr Speaker, and to all the House staff. This is the first opportunity I have had to say that to you.
On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware—malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.
This was not an isolated case. In the year leading up to September 2025, the National Cyber Security Centre dealt with 204 “nationally significant” incidents, meaning that they seriously disrupted central Government or our critical public services. That is more than double the 89 incidents in 2024. No one disputes that we must do everything we can to protect the UK from these attacks. The UK is the most targeted country by cyber-attacks in Europe, and it was the fifth most targeted nation in 2024 by nation state-affiliated threat actors. In 2024, it is estimated that UK businesses experienced over 8.5 million cyber-crimes in the 12 months preceding the survey, and that in that year more than four in 10, or 43%, of UK businesses were subject to a cyber-attack, affecting more than 600,000 businesses in total.
Significantly, cyber-attacks are estimated to cost UK businesses almost £15 billion each year, equivalent to 0.5% of the UK’s annual GDP, notwithstanding the wider economic effects of intellectual property theft or the experience of patients, as in the first example. The average cost of a significant cyber-attack for an individual business in the United Kingdom is estimated to be just over £190,000. There has been a 200% increase in global cyber-attacks on rail systems in the past five years, increasing the likelihood of severe disruption to the economy and to people’s daily lives.
Chris Vince (Harlow) (Lab/Co-op)
Does the Minister agree that, as we become more and more reliant on IT systems—I am thinking in particular about the new patient registration system at the Princess Alexandra hospital in my constituency—it is more and more important that we combat potential cyber-attacks, particularly from foreign powers and enemies of this country? That is why the Bill is so crucial.
Ian Murray
I could not agree more. I gave the example of the Synnovis incident that brought blood transfusions in London to a halt, affecting thousands of patients. Our everyday lives are affected by this. As we modernise and digitise our economy and our Government, we have to ensure that our systems are as secure as possible, and cyber-security is right at the heart of that. This is not just a defensive issue; it is very much an economic growth issue as well, as we can see from the impact it has on our economy, our public services and the day-to-day lives of people, as in the example of our train systems that I just mentioned.
Mr Toby Perkins (Chesterfield) (Lab)
I am grateful to my hon. Friend for giving way, and it is great to see him in his post. On economic growth, how has he sought in the Bill to balance the absolute need for a regulatory framework that businesses can have confidence in alongside the ability to attract continued investment, and to ensure that we do not end up with an over-regulatory framework that stifles investment? How did he find that balance?
Ian Murray
The Bill builds on the 2018 regulations, which were a hangover from the EU when we adopted them in this country. The Bill expands on those. As my hon. Friend the Member for Harlow (Chris Vince) just suggested, this is about economic growth as well as protecting our systems, so we have to find a balance between ensuring that our regulators have the powers and tools to regulate properly and giving businesses and our public services the confidence to use digital technology knowing that we have the most secure cyber-security in Europe, if not the world. We are very good at this stuff, and that is the balance to be sought. This Bill is about economic growth rather than about the over-regulation of businesses. I do not say this flippantly, but cyber-security is one of those areas where if everything is working, nobody notices, but when it is not working, suddenly everyone notices and it is everyone’s problem. That is why we are bringing the Bill forward and extending the scope of the powers.
Jim Shannon (Strangford) (DUP)
I thank the Minister very much for what he is saying and bringing forward. There is much in the Bill that we should encourage. I know that he is a regular visitor to Northern Ireland, and Northern Ireland is home to 130 cyber-security companies with some 2,750 employees. It is therefore essential that this legislation protects those jobs and enhances the capacity for more. Does he believe that the Bill both protects us and provides the opportunity for growth in Northern Ireland and, indeed, across the whole of the United Kingdom?
Ian Murray
Indeed it does. It is one of a number of provisions that the Government are bringing forward to create growth across the country, not just in Northern Ireland. The Secretary of State’s passion is to make sure that those jobs are everywhere, right across the United Kingdom, including in Northern Ireland. The Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), has been in Belfast recently discussing this legislation and wider cyber-security issues with the industry in Northern Ireland, so I can assure the hon. Member for Strangford (Jim Shannon) that that is indeed the case.
Dame Meg Hillier (Hackney South and Shoreditch) (Lab/Co-op)
Hackney council was the subject of a major cyber-attack in 2020. It did a good job, though it was very slow because of the nature of the challenge of getting things back up and running. The Bill is therefore very welcome but, pursuant to the answer to my hon. Friend the Member for Chesterfield (Mr Perkins), there are challenges for some of the smaller companies. I represent Shoreditch, which has many tech companies that need to maintain a standard on cyber-security but are small. How is the Minister going to balance the regulation for those smaller companies to ensure that they can keep abreast of things but are not so dampened down that they cannot progress and grow?
Ian Murray
This is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution. It is about reporting things more quickly to ensure that the attacks can be seen and action can be taken more quickly. It is also about reporting to the regulators to give the regulators confidence and powers across a wider scope of sectors in the economy, and to give businesses the confidence that those sectors have to report to the regulators when things are going wrong so that swifter action can be taken. We can see from the host of recent high-profile issues, including at Hackney council, that it is important to ensure that this legislation goes through quickly and does the job that it is intended to do.
Chris Vince
I thank the Minister for giving way; I apologise for intervening again. Is there a piece of work we need to do on culture? When businesses or the public sector are victims of cyber-crime, there is a danger that employees may feel embarrassed or nervous about reporting their concerns. We need to encourage people if they are victims of cyber-crime to come forward quicker and to recognise the challenges, rather than trying to hide them away and the issue becoming worse.
Ian Murray
While physical security and national security are issues for all of us, so is cyber-security. The Bill builds on the 2018 regulations to widen the scope into other areas of the economy where such issues have become much more prevalent—for example, data centres. I hope that doing so will give industries and sectors, including their employees, the confidence to report things to the regulators. Giving powers to the regulators will give businesses the confidence that they can report stuff; it is not a regulatory heavy hand dampening businesses. I hope that I can assure my hon. Friend and the rest of the House on that.
Before that significant number of interventions, I was talking about why this issue matters and gave statistics for recent cyber-security activity in the United Kingdom. As a result of all that, one of the very first things we did as a new Government after the election was announce this new cyber-security Bill, just 10 working days in. Since then, the Department has been talking to cyber experts, businesses and regulators to turn these proposals into the comprehensive, serious and proportionate piece of legislation that we present for Second Reading today—one that protects the public and strengthens national security without placing undue burdens on businesses. I appreciate that that is a fine balance, but I think that this Bill finds that balance, so I am confident that the whole House will support it.
Pete Wishart (Perth and Kinross-shire) (SNP)
We support this Bill and its efforts to tackle cyber-security, but it does not address the mass unauthorised scraping of trusted news content by generative AI systems. That content, as the Minister knows, is often taken without consent or compensation. As the Bill progresses, will he be prepared to look at some measures—maybe something like a bot register where people have to declare their intent when it comes to this type of activity? Will the Government look at this seriously so that news can be protected in this new environment?
Ian Murray
The hon. Gentleman is ingenious in the way in which he uses interventions on pieces of legislation. I know AI copyright is close to his heart as a former, or perhaps current, professional musician and, indeed, one of the key musicians in MP4—let’s not push that to a Division! AI copyright is, of course, a key issue that the Government are looking at. The Secretary of State for Science, Innovation and Technology and the Secretary of State for Culture, Media and Sport are working closely together on this issue. I think the legislation means that there has to be a report to Parliament in March—I am sure the hon. Gentleman will be very interested in that. We are bringing together the industry and tech companies to try to find a way through that particular issue. We know that it is a huge issue. It is not in the scope of this Bill, which has been kept very tight to deal with these specific and serious cyber-security issues.
As we know, the first duty of Government is to keep people safe. The question is how precisely the Bill will achieve that goal. The answer is simple. The UK’s main cyber-rules—the Network and Information Systems Regulations 2018, or the NIS regime—were first introduced seven years ago and have not been updated since. Those rules require operators of essential services such as energy, water and hospitals, as well as some digital service providers such as online search engines, to take steps to protect the services they provide and the data they hold from cyber-threats.
As Members might expect, a lot has changed in the cyber-landscape in the past eight years. We have had the rise of AI, which cyber-criminals are using to their advantage. Data centres have become a firm fixture of modern life, and we want to see more of them. Since the rules were introduced, criminals tactics have evolved to exploit loopholes in the regulations, as they did in the attack on the NHS supplier that I mentioned, which revealed how hackers can target third parties, such as IT companies, or supply chains as a back-door way to bringing down a wider system. As always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with.
Dave Robertson (Lichfield) (Lab)
My right hon. Friend is right to mention the impact on supply chains. In the west midlands, we recently had the cyber-attack on Jaguar Land Rover. That had a significant impact not just on that company, but on the supply chain, which has its roots right through the west midlands. That essential part of our economy was brought to a grinding halt by a cyber-attack. Will he confirm that this Bill will help prevent such instances from happening in the future?
Ian Murray
I thank my hon. Friend for all he did on the issues facing Jaguar Land Rover. I know that the matter is close to his heart and, indeed, it was a really big issue across the country, showing how a cyber-attack can affect not just one company, but has a ripple effect throughout the economy. Of course, the Government stepped in to unlock a £1.5 billion bolster to Jaguar Land Rover’s cash reserves to help it through that problem.
I should say to my hon. Friend, and I will come to it later, that Jaguar Land Rover and other private organisations are not in the scope of this Bill. The reason is that individual private companies should take their own cyber-security seriously and ensure that the risks of such incidents and threats are minimised as much as possible. The Bill widens the scope of the existing regulations, which do not include that, but of course the Government are working closely with Jaguar Land Rover, Marks & Spencer and other high-profile cases, because we know the impact they can have on our economy. Indeed, had the Government not stepped in and resolved that issue, the impact on Jaguar Land Rover, and the tens of thousands of employees at the plants and in the supply chain, would have been catastrophic and is not worth thinking about. I thank my hon. Friend for raising that issue.
As I said, as always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with, but today we are fixing that. The first change in the Bill is to widen the scope of the 2018 regulations. To keep up with the changes of the past eight years, we are adding a few new things to that list, starting with large-load controllers. That includes any organisation that manages a significant flow of electricity to or from a smart appliance. It might be a company that supports electric car charging, for example. Bringing these entities into scope will safeguard our power supply and give consumers confidence in using energy-smart appliances, all of which are critical as we advance towards our clean power 2030 mission and net zero.
The second change is that we are adding large data centres in recognition of their growing importance to our day-to-day lives and to the economy. These are vast digital warehouses for the United Kingdom, home to servers that host everything from patient records to their bank details. This is the data that underpins modern life and all our lives and communities, and it must be protected.
We are expanding the scope of the regulations to include managed service providers as well. Those are organisations that provide ongoing functions, such as an IT help desk, to an outside client. Their access makes them an attractive target for cyber-attacks as criminals can find one weak spot and bring countless organisations down. For example, in 2014, an attack on a service provider for the Ministry of Defence compromised the personal data of around 270,000 people—military personnel, reservists and veterans. As organisations rely more and more on outsourced tech, we have to close this gap. In fact, weaknesses in the supply chain have become such a risk that we will go even further by allowing regulators to designate certain organisations as critical suppliers. That includes certain suppliers to essential services that could have a significant impact on the economy or society as a whole—for example, key suppliers to water companies, grid operators or air traffic control. These critical suppliers will be subject to cyber-security duties, which we will set out in secondary legislation.
Dame Meg Hillier
Last year, the Treasury Committee wrote to the top 10 banks in the UK because there had been a number of outages. There was no suggestion that cyber-security attacks were involved in most cases. A trend in the responses was that third-party software providers are often the source of the issue. What is the Minister’s thinking about how to involve the banking sector in the scope of the Bill?
Ian Murray
The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.
The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.
We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.
Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.
Sir Oliver Dowden (Hertsmere) (Con)
I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber-security is one of those things that Ministers talk about, but then other priorities overtake it. The advantage of legislative requirements is that they force Ministers to think about it. I urge the Minister to look at that point again as the Bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force Ministers’ minds on the point.
Ian Murray
The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.
The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.
Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)
I thank the Minister for the excellent points he is making on the importance of cyber-security and the cyber-security action plan. Can he say a little bit about how the success of the cyber-security action plan will be measured, monitored and communicated to the House? He is probably aware that only 33,000 cyber essentials certificates were issued in 2024, for example, so an increased take-up of cyber essentials and the guidance in the action plan are essential.
Ian Murray
There are some key dates to monitor progress in the action plan itself. I wrote to my hon. Friend, the Chair of the Science, Innovation and Technology Committee, this morning on the publication of the action plan to lay out some of those issues; the letter will be landing soon. I would be happy to discuss that in front of the Committee in more detail. I hope that the Committee, and indeed the Opposition and our own Labour Members, hold us to account for delivering on this, because it is fundamentally important to Government, whether it be digitisation, modernising Government or winning the case with the public about why digitisation is so important and why Government should be as secure as possible and lead the charge on that across the whole economy. I hope that we and the Committee can take that forward in the weeks and months ahead.
As I said, the Government cyber action plan launched this morning is backed by over £210 million of investment and Government Departments will be held to standards equivalent to those set out in the Bill. I hope that that partially answers the question from my hon. Friend the Chair of the Science, Innovation and Technology Committee. Although the focus of the Bill is on essential services, it will also indirectly help businesses, including those damaged by the recent attacks, and Government. Almost all organisations today rely on data centres, outsourced IT or some kind of external supplier. By extending the Bill’s oversight, we are preventing attacks that could, in theory, reach thousands of organisations.
The Bill also gives new powers to regulators responsible for enforcing the NIS framework. Effective compliance is crucial to the success of any regime. These reforms could be world-leading on paper, but without proper enforcement they are meaningless.
David Reed (Exmouth and Exeter East) (Con)
We have talked about the regulators having new powers to designate critical national infrastructure in regard to cyber-security threats, but who actually has accountability? The Bill refers to
“regulations made by the Secretary of State.”
Which Secretary of State is that, given that this is a cross-departmental and cross-Government approach?
Ian Murray
Cyber-security is the responsibility of the Department for Science, Innovation and Technology, but the Cabinet Office has a clear resilience issue as well, as we heard from the right hon. Member for Hertsmere (Sir Oliver Dowden), who was in the Cabinet Office previously. The DSIT Secretary of State will make those regulations, but a plethora of regulators are involved in this process—energy, water and data centres all have different regulators. The regulators that regulate those sectors are being empowered through the expanded number of sectors being brought into the legislation to take the responsibility.
Sir Julian Lewis (New Forest East) (Con)
I am extremely grateful to the Minister for giving way. On the point about regulators, the industry has issued a brief, which points out, quite sensibly, that these regulators are going to have a lot of extra duties to perform and they will therefore need extra resources to be able to perform those duties, but the extra resources they require will only be unlocked when the Bill has passed. Is there not a danger of a transition period where duties will be laid on regulators to fulfil their role before they have the resources to carry it out?
Ian Murray
We have to pass the legislation first. It may be amended during its passage through both Houses. Therefore, the regulators will not know what they are regulating until the Bill has passed. However, as I mentioned at the start of my contribution, we have been working with regulators, businesses, organisations and cyber-security experts in the run-up to producing the Bill to make sure that it is in the right place—that it is proportionate on businesses and regulators—and that it is effective, which is the most important thing. I am sure that we will have debates on those kinds of issues as we go through Committee and on to Third Reading, but I very much acknowledge what the right hon. Gentleman said.
The Bill will strengthen the powers of the NIS regulators, ranging from Ofgem to the Civil Aviation Authority, which work together to uphold the UK’s cyber rules across those different sectors—I may have taken the previous intervention 10 seconds too early! We are raising the maximum fine that they can impose, for example, while simplifying the penalty bands to make them clearer. The key driving force for this measure is not to punish rulebreakers or raise revenue, but to incentivise firms to be vigilant. Our goal is 100% compliance and zero fines.
We will also ask regulated organisations to change the way they report attacks and expand both the types of instance they have to report and the timeframe in which they have to report them. This is a small but crucial change. Under the current rules, regulators get notified about a breach only once it has already caused significant disruption—when traffic lights have failed or the heating has shut off. The system does not include cases with the potential to cause a crisis much later, like a hospital’s computer system quietly being spied on as hackers wait for their moment to strike. Under the Bill, if an organisation is within scope, it will have to tell its regulator and the National Cyber Security Centre about these types of breaches within 24 hours and provide a full report within three days. Pace and speed are of the essence. This will not only give us better information, but help agencies to warn others, should they need to, before they become the next targets.
The Bill will also allow the Government to set clear and consistent outcomes for regulations to work towards. One of the virtues of having a regime enforced by different agencies is that each has sector-specific expertise—Ofgem understands the complex digital systems that underpin the national grid, and the Civil Aviation Authority knows the precise threats to air traffic control, for example—but that approach has sometimes led to inconsistencies in how the regime is applied. Some bodies interpret the rules differently from others. The Bill aims to fix that with a single set of objectives issued by central Government and applied across the board. That will send the message that no sector is an easy target in the UK.
We will also improve the way in which regulators, intelligence agencies and law enforcement share information with each other by providing greater clarity on what regulators can share and receive. It is important that regulators have the resources to do their job, as the right hon. Member for New Forest East (Sir Julian Lewis) said. The Bill will also give them new powers to cover the full costs associated with their regulatory duties. To ensure transparency, regulators will consult on how fees are calculated and publish a statement each year to show how the funds are being used. Together, the measures add up to a much more consistent and effective regime with better reporting and much clearer guidance for all involved.
The Bill ensures that the UK’s cyber-security regime is not only fit for today but flexible enough to head off future threats as well. I have mentioned a few things that have changed in the past eight years—shifts in technology and the nature of cyber-attacks, artificial intelligence, data centres and the economy—but one of the biggest changes was, of course, Brexit. Since our exit from the European Union in January 2020, we have been unable to amend the NIS regulations without primary legislation, because the rules were originally part of European Union law. That has slowed the process and made it difficult for us to keep pace with new emerging threats and technology. Meanwhile, Brussels is pressing ahead with NIS2—its forward-looking update—while we lag behind.
That procedural quirk has left essential UK services more exposed, which perhaps tells us something about why the UK has such appalling figures compared with some of our EU counterparts, as hackers and cyber criminals exploit gaps in our dated laws. That is an unacceptable risk, so the Bill includes new powers for the Government to update the NIS regime via secondary legislation, to make it quicker and more agile for dealing with evolving technologies—we might need to respond quickly to a new type of cyber-threat, for example. That is not in order to override Parliament; in almost all cases, the Government will still be required to consult on any changes, and Parliament will have the final say on any legislation made under the power. However, delegated powers are essential for keeping us as responsive as possible. When national security is on the line, we need the ability to act fast and decisively.
In fact, in extreme cases some threats emerge so rapidly that even secondary legislation is too slow; if an ally were to be invaded by a hostile state, for example, the cyber risk to the UK would suddenly escalate. The Government will therefore also be given powers to direct regulators or regulated entities where national security is threatened—to issue specific cyber-security guidance in a crisis, for example. Those powers are intended as a last resort to protect our national security, and safeguards will go into the Bill to ensure that they are used accordingly.
The UK’s cyber sector is the third largest in the world, as we heard from our friend from Northern Ireland, the hon. Member for Strangford (Jim Shannon). It achieves double-digit growth year on year. We have fast-growing clusters of expertise in Cheltenham and Manchester. This legislation will supercharge that success, doubling down on one of our nation’s greatest assets. At its core, the Bill is about protecting the essential services that we all rely on, so that the lights always stay switched on, clean water always runs in our taps, and hospitals are always safe and secure. Those are the real life community issues that we and our constituents all encounter every single day.
This is more than a technical upgrade; it is a bold commitment from the Government to protect one of our biggest economic strengths and keep the UK safe in a rapidly evolving digital world. Together, we are working towards a future in which security is not a hope but a guarantee. I commend the Bill to the House.
Julia Lopez (Hornchurch and Upminster) (Con)
Happy new year, Mr Speaker, and thank you for putting the heating on. I am grateful to the Minister for setting out the Government’s rationale for this legislation in the Secretary of State’s stead. I do not know why the Minister was demoted either, but I want him to know that we appreciate him.
The official Opposition recognise the scale of the cyber-security challenge that the country faces. If the pandemic accelerated the adoption of digital technology at a pace we had never before seen, then the advent of artificial intelligence will embed that technology into our economy in wholly new ways that bring not only opportunity but unprecedented risk. AI and automation will not only transform productivity but equip hostile states, criminal gangs and opportunists alike with tools capable of eroding our national defences at speed and at scale. It is right that Parliament legislates to raise the collective security bar. We on the Conservative Benches support that principle. However, legislation of this kind does not come around often. Cyber law takes time to develop, and once the Bill passes, it is unlikely that Parliament will return to this territory for some years. That means that we must ask two simple but very serious questions today: will this law work and is it enough?
Before we answer those questions, it is worth reminding ourselves of the real-world consequences of failure. Cyber risk is neither abstract nor theoretical. Last year, the UK experienced what is widely regarded as our most economically damaging cyber-incident to date when Jaguar Land Rover suffered a major attack. That was not a sophisticated act of cyber-warfare against the state—although such acts are happening with increasing regularity—but was carried out by a band of hackers. The consequences were enormous, however. For five weeks, Jaguar Land Rover was unable to operate its automated manufacturing lines, cyber-related costs mounted to nearly £200 million, and national economic output was visibly affected in that month alone. The real damage did not stop at the factory gates: hundreds of small and medium-sized enterprises in the supply chain—many of them operating on thin margins—were pushed to the brink, workers faced uncertainty and contractors had their work paused.
Ultimately, the Government had to step in with a £1.5 billion loan guarantee to prevent wider economic fallout. When we consider the Bill, we must ask whether it would do anything to strengthen our collective resilience. That is one of the tests that this legislation ought to meet, and it is not yet clear that it does. Indeed, the attack on JLR would not have been stopped, as the Minister himself has made clear, because it would not have been in scope.
The cyber-threat landscape is evolving at an extraordinary pace. New research shows that cyber-attacks now cost our economy nearly £15 billion every year. High-profile breaches of businesses such as Marks and Spencer and the Co-op have demonstrated how quickly consumer confidence, jobs and supply chains can be put at risk. Last year alone, insurers paid out £197 million to help businesses recover from cyber-incidents. In fact, the collective cyber insurance bill of the FTSE 100 is now larger than the defence research and development budget. The Bill seeks to respond to one aspect of that reality by expanding the scope of regulation. Data centres, managed service providers, load controllers and designated critical suppliers will now fall within its ambit. That is a welcome acknowledgment that digitisation has introduced systemic risks that the original NIS regulations of 2018 did not adequately cover.
The Bill also strengthens the powers of regulators, introduces cost recovery mechanisms and tightens incident reporting requirements. Those measures are intended to modernise our cyber framework and address clear shortcomings identified in reviews of the NIS regime in 2020 and 2022. On paper, that all sounds sensible, but intent alone is not enough, which brings me back to our central concern: whether this law will work in practice in raising the standard of our collective resilience. The uncomfortable truth is that, in some of the most high-profile cases of cyber-attack, the penetration of systems was carried out by attackers using valid credentials. That means systems behaved normally. The breaches looked like legitimate access until it was too late. Human frailties were exploited: help desks were persuaded to reset passwords, and staff and contractors were impersonated. This Bill would help mainly after an attack—not before—by mandating reporting, improving intelligence sharing and increasing accountability.
Chris Vince
This is a friendly intervention, as I always like to get a bit of cross-party agreement where possible. I mentioned to the Minister the importance of changing the culture among employees to ensure that they feel confident about reporting cyber-attacks. Does the shadow Secretary of State agree with that?
Julia Lopez
Absolutely. The hon. Gentleman is correct: this is fundamentally about culture—that is the point that I am making. We can pass as many regulations as we like, but a lot of the holes in our cyber-security systems come down to human frailties. That means this challenge is not just about new laws but about changing a number of things to make us more resilient.
It is right not to dictate technical standards in primary law that will soon be outdated in the fast-moving world of technology, so the question is whether this law has the right mix of carrot and stick to make affected firms act in a way that raises the security bar—there are several areas where we fear it may not.
First, there is potentially an enforcement paradox. The Bill expands regulatory powers and increases the scale of potential fines, but the evidence from the existing regime does not suggest definitively that fines and new regulations deliver us greater cyber-resilience. Under the current NIS regulations, enforcement has been slow, inconsistent and often toothless. Very few significant penalties have been issued. Where they have been issued, the delay between incident and sanction has sometimes stretched beyond two years. That delay matters, because it actively undermines deterrence and disconnects accountability from operational reality. Simply widening the scope of regulation without ensuring that regulators are properly resourced, empowered and required to act quickly risks creating obligations that exist on paper but lack any real-world bite.
We also have concerns about the Bill’s cost recovery model. Funding regulators through levies on the organisations that they oversee risks unintended consequences in terms of improving our resilience. For large firms, the cost burden may be manageable, but for smaller enterprises it amounts to an additional operational tax that could divert scarce capital away from cyber-defence, staff training and innovation.
There is also a structural risk here. Regulators that are reliant on fee income might face incentives to expand scope and complexity unnecessarily, creating bureaucratic drag that crowds out voluntary, market-led initiatives, which often raise standards more effectively than prescriptive regulation.
More generally, I worry that this Bill will play into tech monopolies. The companies that thrive in this kind of environment are those with big compliance and legal departments. That concentrates risk and makes our tech economy less diverse, with serious implications that I shall come on to.
There may be reporting challenges too. A two-stage reporting process within 24 and 72 hours may be achievable for large, well-resourced organisations with in-house cyber teams, but for smaller operators it risks creating a compliance culture focused on speed, not substance.
There is also the danger of duplication. Many organisations already face overlapping reporting obligations under UK GDPR, sectoral rules and existing legislation. Without simplification and proportionality, the administrative load could be significant, once again diverting attention and resource from the very cyber-threat management that the Bill seeks to improve. We need to avoid this legislation becoming a “something must be done” Bill that totally misses the mark.
The Bill also fails to grapple properly with the human factor in cyber-security, which has already been talked about by the hon. Member for Harlow (Chris Vince). Technology alone does not keep organisations safe; governance matters. Yet board-level ownership of cyber-risk is moving in the wrong direction. Only 27% of businesses now have a board member explicitly responsible for cyber-security, down from 38% just three years ago. Without mechanisms to ensure senior accountability, fines risk becoming little more than a cost of doing business. Directors remain insulated while operational teams are left to carry the can. National cyber-resilience depends not just on systems and software, but on leadership, culture and accountability at the very top.
For those reasons, ahead of Committee consideration, we on the Opposition Benches are examining how the legislation can be strengthened, while continuing to support its core objectives. In the meantime, regulators must be properly equipped with the right powers, resources and clarity from Parliament on the intent of the law. Sanctions must be applied swiftly and consistently, and guidance must be clear, so that enforcement is credible and deterrence is real.
The Government should also look at how reporting obligations are calibrated. A one-size-fits-all approach might place disproportionate burdens on smaller firms, and it might be better to ensure that reporting thresholds reflect the size, complexity and risk profile of an organisation.
Equally, the funding of regulators must be transparent and predictable. There have to be safeguards against regulatory expansion for its own sake and firm assurances that funds raised are reinvested directly into improving national cyber-resilience, not absorbed by administrative overheads. While the Bill rightly prioritises critical national infrastructure, it cannot afford to ignore high-risk sectors that sit beyond its immediate scope.
There is also a major role for market-based solutions. Cyber insurance, sector-wide intelligence sharing and collaborative resilience initiatives can all complement regulation. These tools can reduce risk and improve preparedness without adding unnecessary legislative complexity.
The review cycle set out in the Bill may be too slow for the threat landscape we face and the pace of technological change. Annual or biannual reviews might allow Parliament to scrutinise effectiveness, respond to emerging threats and ensure that the legislation remains fit for purpose.
Let me make some more general points about the Government’s approach to cyber-security and resilience, and issues about the risk of dependence and threat from adversaries. I see no evidence from this Government that they are thinking with any clarity about the risks of long-term technological dependency and lock-in—quite the opposite, in fact. Large parts of our economy now depend on secure, high-quality digital infrastructure, and that reliance will only increase as AI advances. Whoever provides that infrastructure will wield huge future leverage. It was that reality that ultimately drove the change of heart over Chinese tech sitting at the core of our 5G telecom networks a few years ago.
However, the Government are seemingly betting every chip on US hyper-scalers. They provide our data centres, supply the platforms on which Government Departments are run and, more often than not, are the ones winning all the Government contracts. These investments will provide our companies with things that they need, from compute power to increasingly sophisticated AI platforms, but the UK is doing little simultaneously to mitigate our increased technological dependency. When I say “technological”, we need to understand that technology is what we now run our defence systems, factories, energy networks and communications on. Technology is the plumbing of our nation.
During September’s much crowed-about state visit by President Trump, this Government were visibly begging for good economic headlines after the humiliating resignations of the Deputy Prime Minister and the ambassador to the US, not to mention the uncontainable mess of the Chancellor’s first Budget and the threat of her second Budget. The US-UK tech partnership was the result, with a huge amount of smoke and mirrors deployed over what it actually contained. Whatever substance lay within it, we heard just before Christmas that it had been paused, used as leverage by the US while other trade negotiations were under way.
I am not criticising the US Administration for skilfully playing their hand in their national interest; I am asking this Government rapidly to wake up to the reality of a new world in which the post-war settlement is coming to an end—one that has been giving clues to its existence for many years, since long before President Trump came into office. The United States remains a vital ally, but in this new era Britain must be very clear-eyed about risk, the reality of hard power and the need to protect our sovereign interests.
Cyber-risk requires as much thought about the fundamentals of plumbing as it does about the laws that try to manage how humans use or exploit technology. The UK Government have a vast procurement budget for which our own firms ought to be able to make a successful bid, but UK tech tells me consistently that, for all the talk in the Government’s AI strategy of sovereign tech capability, it has not got a look-in since Labour has been in power. I am concerned that this Bill should not introduce new, burdensome regulation for UK firms in a way that benefits non-UK incumbents with giant compliance teams and legal resources in a way that would exacerbate the risk of vendor lock-in.
Let us turn to another risk. The private sector will have noticed that the new obligations in this Bill broadly do not touch the public sector, where cyber-risk remains red-light-flashingly large, notwithstanding the public cyber strategy that was thrown out today in implicit acknowledgment of that gaping hole. Knowing that the public sector holds such enormous cyber-risk, this Labour Government choose not to minimise it, but to create a brand-new one—a hulking great identity system mandated for anyone who wants a job and, we now hear, possibly for new-born babies. It is mandatory identity by stealth, not consent, and with no honesty about it.
It is not to be against the ability of people to verify themselves digitally for banking, to access certain online services or to stop fraud to think that Labour’s mandated digital identity plan is a complete rotter. The Association of Digital Verification Professionals called what Labour inherited on digital identity a
“world-leading model for data sovereignty that digitised liberty rather than diluted it”.
The citizen, not Government, would be in control. This naive Government are crowding out private sector expertise and making everyone have one of these identities by stealth. They have no idea what this system will cost, and they will not be honest about what it will be used for.
What of the cyber-security of this system? The system on which this digital identity will be run was breached during red team testing last year. When I asked the Secretary of State if that system has now met the National Cyber Security Centre’s cyber-security standard, no answers came. Whistleblowers have continued to speak out about the vulnerabilities of the system, and there is no sense whatsoever from Government that the dodgy digital identity plan will be paused until such a point when they are confident about cyber-security.
Andrew Cooper (Mid Cheshire) (Lab)
I am absolutely staggered to hear the shadow Secretary of State talk about standard software testing practices as though someone is doing wrong by trying to penetrate systems and find flaws in them. Is not the whole point of software testing to find the flaws in a system and get them fixed, rather than parading them in front of the House of Commons as though they are some sort of failure?
Julia Lopez
The hon. Gentleman is wilfully misinterpreting what I am saying. There is not an issue with having systems tested; there is an issue with the fact that the system test failed. There is no evidence that the Government have therefore acted to deal with those systemic failures.
Julia Lopez
The whistleblowers continue to raise serious concerns about the structures upon which the Government’s digital identity platform will be built. The hon. Member looks absolutely outraged that I might suggest there are some concerns about the cyber-security risk of a national, mandated digital identity platform. I find it extraordinary that he suggests that I am expressing concerns that a system might be tested. Of course every system must be robustly tested—that is not the point I am trying to make, and the hon. Member is being wilfully ludicrous in suggesting otherwise. This Prime Minister cannot run an economy, keep promises or control his Back Benchers, or his Front Benchers, so how on earth does anybody think he can run a secure digital identity system?
At the same time as risking technological lock-in by friendly allies, we are creating new vulnerabilities for adversaries to attack. Just before Christmas, UK intelligence agencies warned about increasing, large-scale cyber-espionage from China, targeting commercial and political information. We discovered from Ministers that the Foreign Office itself was the subject of a major cyber-attack in October, which officials believe was carried out by Chinese hackers, and this came in the midst of a major row between the Government and the Crown Prosecution Service about the prosecution of spies operating here in Parliament.
We will be looking closely at this legislation to identify where the Government should be addressing this cyber-reality with much greater force. An approach to cyber-resilience that looks only at introducing new regulations and compliance burdens without thinking through risks such as a mandated identity scheme, dependence on non-sovereign suppliers, the malign intent of other nations, and a failure to build up our own workforce and skills is one that will fail.
Sir Julian Lewis
I do not think I heard the Minister mention anything about the risk of cyber-attacks on local government. Does my hon. Friend agree that that is another potentially juicy target for people who wish to cause major mischief?
Julia Lopez
As my right hon. Friend is aware, local government is outside of the scope of the Bill, but it is a very juicy target—much of the public sector remains a very juicy target. In acknowledgment of that, the Government whipped out a strategy very quickly this morning that is meant to give us assurances about the public sector’s cyber-resilience. I am not sure that that strategy will provide much reassurance, which is why it is important to understand that this Bill can only be one part of a much wider arsenal to tighten gaps where they exist, in both the private and public sectors.
Ian Murray
It is worth clarifying for the House that we brought forward the Government cyber-security strategy this morning because the 2022 consultation undertaken by the previous Conservative Government was not acted upon. This Government are acting on those threats, bringing forward a plan that we will subsequently see through, and I think the hon. Lady should acknowledge that.
Julia Lopez
I welcome the strategy, but I have not yet had a chance to have a good look at it, because the Government always seem to publish these sorts of documents right at the last minute. The only way to get any information out of this Government is to apply some pressure in this House, and then, remarkably, things come flying out of the cupboard.
I will be very interested to see what the strategy looks like and whether it is up to the challenge we now face. The problems and risks of cyber have increased markedly since we were in Government because of the advent of AI technology—that technology is changing the picture very rapidly, just as the defence picture is changing very rapidly. My concern is that this Government are not taking seriously enough the various defence and security challenges that this House faces; they are prioritising spending on welfare payments, union payments and all manner of other things. It is one thing to get a strategy out of the door; it is another to put in place the measures that will implement that strategy. Basically, all we have seen over the past 18 months is strategy documents, without a great deal of delivery. That is one of the reasons why the Government are so rapidly losing public confidence.
In conclusion, we support this cyber Bill in principle—the threat is real and growing, and it demands action. However, it is only a tool, not a cure-all. A Government who are trying to close down gaps in one place while wilfully opening up huge new risks in a different corner are being negligent in their approach. Furthermore, if this legislation is to command confidence, it must be practical, proportionate and genuinely effective. Without meaningful improvements, the Bill risks placing new burdens on business while delivering only marginal gains for our national resilience. Cyber-security is a shared responsibility between Government, regulators, industry and the public, but leadership must come from the top, and that is where this Bill currently falls short.
With the private sector taking the lion’s share of the load while gaping holes remain in public sector cyber-defences, the Bill begs obvious questions about the confidence that citizens should have in flagship Government projects such as the Prime Minister’s mandatory digital identity system. As it stands, the Bill would not have prevented high-profile cyber-shutdowns such as Jaguar Land Rover’s, it does little to address the chronic vulnerabilities in the public sector, and it certainly will not make Labour’s dodgy ID database any more secure. That is why, as the Bill progresses through Parliament, we will be pressing this Government to ensure that it delivers genuine security, proper accountability and raised cyber-defences across the board, while taking them to task on major mistakes such as mandatory ID. Cyber-security is no longer a niche compliance exercise; it is about protecting the fundamental economic and defence interests of our nation.
Matt Western (Warwick and Leamington) (Lab)
I start by welcoming the Bill, which is a serious step forward in protecting the United Kingdom from the great number of cyber-attacks that we face each day. As we have just heard from my right hon. Friend the Minister, this legislation is long overdue. A consultation started back in January 2022, and in April of that year, the then Government identified serious issues and limitations. I was slightly bemused that my hon. Friend the shadow Minister—I do consider her to be a friend—did not cover that in her speech. The previous Government then failed to act for over two years, and as my right hon. Friend the Minister illustrated in his speech, that has proven very costly.
Over the past couple of years, we have seen that cyber-security is not just paramount in our everyday lives; it is crucial. It ensures that there is food on our supermarket shelves and that the lights stay on. It is critical to every corner of the UK, but now we have to move at pace, and not just through this legislation—I urge us to go further. If we are to protect ourselves from our adversaries, we need to develop a true whole-of-society approach to cyber-security and start a national conversation on security at home. This legislation is clearly an important first step. It is a first chapter, but many more must be written if we are going to seriously address our national security, by which I mean our social and economic security.
Increasingly over the past decade, we have seen a blurring of war and peace, with the emergence of hybrid warfare and the widening of the grey zone. We are living in a cyber no man’s land where states or state-sponsored actors—proxies—can act with relative ease and impunity, leaving the world a more dangerous place. The cyber-realm is, and will remain, a key battleground, and it is one that we must seize. Every one of us in the United Kingdom needs to wake up to that fact, particularly with the development of AI and quantum computing and the extraordinary threats that will come from those developments. When it comes to being the target of cyber-attacks, the United Kingdom now ranks third among all nations. In 2024 alone, the NCSC handled an average of four major attacks every week—these are the really serious attacks—and the impact on the economy is staggering. In the same year, cyber-attacks cost the British economy £15 billion, or 0.5% of GDP. When we are trying to increase GDP by 1%, 2% or whatever it is, a hit of 0.5% is so significant.
While 43% of businesses have reported having any kind of security breach or attack over the past 12 months, that figure rises to 67% and 74% for medium and large businesses respectively. Every attack inflicts more pain on UK plc, meaning lower economic growth and lower tax receipts to fund our public services. As we heard earlier, the effects ripple through our whole society.
We have just been talking about the attack on Jaguar Land Rover this summer; that attack cost the company an estimated £500 million, affected over 5,000 businesses and put thousands of jobs at risk, with many of those employees based in my constituency of Warwick and Leamington. The impact was significant, whether it be on cafés, restaurants, pubs or shops, which were all affected by the downturn that immediately led from the shutdown of the factories.
The attack on Collins Aerospace was alluded to earlier. It crippled Heathrow airport, and I think Stansted was affected, too, but less so. It scuppered thousands of hard-earned family holidays in autumn last year, and the ramifications for the travel sector were significant.
It is not just businesses that have been affected. We have seen attacks on councils, as we have heard, and charities. Even the British Library was knocked out two years ago, which impacted so much of our research potential across our higher education institutions. It has significantly affected the UK. The Electoral Commission got knocked out by an attack by Chinese state-sponsored actors. There have been so many other attacks. Even our NHS is not safe. My right hon. Friend the Minister mentioned the attack on Synnovis. Last year, more than 11,000 NHS appointments were lost due to cyber-attacks. The attack in June 2024 on London hospitals by the Russian group Qilin saw 1,100 cancer treatments delayed, 2,000 out-patient appointments cancelled, more than 1,000 operations postponed and, tragically, the death of a patient. The message from across our international partners and the UK’s security services is clear.
Matt Turmaine (Watford) (Lab)
On the attack on the NHS, I worked for 10 years in health and social care prior to being elected to this place, so I witnessed that attack taking place, and nothing could give a starker demonstration of the impact on productivity that cyber-attacks have on our country and our society. There was a meeting of senior clinical commissioning group and other health trust executives in Hertfordshire at the time, and one by one they were forced to leave the room like lights blinking out as the impact of the attack became clear. Does my hon. Friend agree that this Bill is essential to keep our legislation up to date with the new methods of attack that bad actors are using on our state and infrastructure as online technology evolves?
Matt Western
I thank my hon. Friend for sharing his lived experience. I can relate that to when I have spoken to organisations through the Business and Trade Committee and through my role on the Joint Committee for National Security Strategy. I have heard from organisations that have been impacted about how paralysing the immediate aftermath of such an attack is and how it challenges an organisation. It is crucial that these red team, blue team scenarios get played out, but when it is actually happening and a company is facing an entire shutdown of its systems, it is very difficult to navigate. Many have talked about the culture change that is needed, and we need to urgently embrace that change. The experience in the NHS that my hon. Friend mentions is a good example.
These attacks are the new normal and we must be better prepared. In September 2024, led by the FBI and the National Security Agency, the United Kingdom, Germany, Estonia, Canada and a plethora of other allies released their clearest articulation of the threat posed by Russia, and Putin in particular. They said that Russia is
“responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.”
The NCSC annual review in 2024 called the landscape “diffuse and dangerous”, while the 2025 review could not have been clearer in saying “It’s time to act” in the defining text on the front cover. Richard Horne, head of the NCSC, said:
“Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives… The recent cyber attacks must act as a wake-up call.”
Just last week, Andrew Bailey, the Governor of the Bank of England, said that cyber-attacks were one of the biggest threats to UK financial stability and stressed the critically important need for collaborative defence.
The reality should be clear to everyone here. The frontline is everywhere. It is our phone, it is at our desk, it is our businesses, it is our infrastructure and it is even here at the heart of our democracy. Such a threat requires a whole-of-society response. We are not the first to have been targeted. Back in 2007—18 years ago—Russia launched a determined cyber-attack on Estonia. It was damaging and debilitating to Estonia’s society and economy. The cyber-attack was a call to action for Estonia and it responded at pace. It brought about cultural change, which was talked about earlier in the debate. Estonia overhauled its legal, political and strategic framework—even looking at its education system—and adopted a whole-of-society approach to cyber-security, developing a serious public-private partnership to counter the threats posed by Russia. No doubt the Minister will have looked at this case in more detail to understand what learnings could be applied here and to our cyber-security strategy more widely to ensure whole-of-society resilience.
The reality is that cyber-attacks target the weakest link. It was welcome to hear my right hon. Friend the Minister talk about the initiatives with the FTSE 350 companies and some of the smaller businesses about how they should be engaging with these threats. It cannot be acceptable that the most popular password in the United Kingdom is “password”. It is ridiculous. Every one of us must act as guardian against our cyber-adversaries.
The Bill lays out valuable and desperately needed provisions. Its extent and scope are hugely welcome, bringing in data centres, large load controllers and managed service providers under the network and information systems regulations protects more of the economy from cyber-attacks. I am particularly pleased to see the inclusion of managed service providers, given the vulnerabilities that organisations often face from external IT suppliers or their supply base.
The amendments to the regulatory framework are a positive step. Improving the reporting of incidents will allow the Government to respond at pace and be agile to the evolving threats and shared vulnerabilities. That said, during the last Parliament, the Joint Committee on the National Security Strategy, which I now chair, called for one cross-sector cyber regulator, and I echo those calls, as I believe that would enable far greater regulation and enforcement. Finally, the improved resilience and security enabled through additional powers granted to the Secretary of State are crucial in enabling the Government to act quickly in real times of crisis.
Despite all the positive aspects of the Bill—I congratulate Ministers after the years of dithering by their predecessor Government—it does leave large parts of the economy outside its scope. As I have mentioned already, how can we incorporate a whole-of-society approach to cyber-security like that of Estonia? There will be many different levers for the Government to pull. This Bill is just one part, and I trust that others will follow swiftly. It is worth noting that the EU’s NIS2 directive is broadly parallel to the Bill before us. However, the EU goes further on cyber-resilience, having added sectors such as manufacturing, food distribution and waste water. Having witnessed such devastating attacks in these sectors in the past year, I urge us to act swiftly with further legislation to address those areas.
In summary, I just restate that I absolutely welcome the Bill and the three key pillars of the legislation—the expanded scope, improving regulation and strengthening resilience—are hugely welcome, as is the importance of experience reporting and sharing by victims. The cyber-attacks we have suffered this past year must be our inflection point—our call to action. Like Estonia in 2007, we have an opportunity to reinvigorate our cyber-defences and ensure the whole of society is resilient. The shadow Minister mentioned digital ID, and I gently say that that opportunity was seized upon by Estonia at the time and it has since introduced digital ID. It is secure, as it is in Denmark. Estonia looked at the opportunity presented by that challenge and that attack that they faced, and those systems work. That has been demonstrated by both those countries. As the annual review from the National Cyber Security Centre rightly asserts,
“the UK’s cyber security is… a shared responsibility where everyone needs to play a part.”
We parliamentarians have a duty to raise the salience of the issue, and to bring about a national conversation to ensure that everyone plays their part.
Finally, may I gently encourage the Minister to go further and faster, and to look at the broader cyber-landscape, as Estonia did and as the European Union is doing with its NIS2 legislation? May I encourage him to consider introducing legislation to cover food production and distribution, manufacturing and other critical sectors? As I have said, however, the Bill is an important first step, and I look forward to working constructively with him to ensure that the UK and its citizens are secure from, and resilient to, any future cyber-attacks.
Madam Deputy Speaker (Judith Cummins)
I call the Liberal Democrat spokesperson.
Victoria Collins (Harpenden and Berkhamsted) (LD)
I wish you and everyone else in the Chamber a happy new year, Madam Deputy Speaker.
It is a pleasure to finally address the long-awaited Cyber Security and Resilience (Network and Information Systems) Bill. As has been pointed out today, it is significant. The National Cyber Security Centre reported that nationally significant cyber-incidents had more than doubled since the previous year. The past year’s surge in cyber-attacks on targets ranging from supply chains to hospitals to critical infrastructure has made one fact clear: there is no economic or societal security without cyber-security. Cyber-attacks cost the UK economy £14.7 billion annually. There have been attacks on companies such as Jaguar Land Rover and Marks & Spencer. More important, however, is the impact on the real economy. Thousands of jobs and businesses are hanging in the balance, and our public services and our private data are also being impacted. As the Minister mentioned this morning, the NHS Synnovis ransomware attack resulted in more than 11,000 postponed appointments and procedures. It has even been linked to one patient’s death, which was attributed to the delay that the attack caused. This matters. We must do all that we can to upgrade protection and our security, because jobs, the economy and lives depend on it.
Our economy—imagine it, if you will, as a house—is under attack. The Liberal Democrats welcome the Bill’s intent to upgrade our home security; the addition of data centres, managed service providers and large load controllers means that we are building stronger fences, and that companies with a master key to all our doors have stronger security. Also, the wiring has been upgraded, and the alarm system is being given an upgrade; there is increased incident reporting. However, the Bill leaves the back door wide open by leaving out key sectors. Our alarm system is not sure when it is supposed to ring, and the companies that have the keys to our doors, and are using our house, are asking for simplicity, clarity and support, so that they can do their job properly. While no single piece of cyber-security legislation can act as a silver bullet, those are gaps that we must address.
We are failing to take the whole-economy approach mentioned by the hon. Member for Warwick and Leamington (Matt Western). We are leaving out the public sector and economically significant sectors, such as retail and manufacturing. The Bill’s stated aim is to protect organisations
“that are so essential that their disruption would affect our daily lives.”—[Official Report, 12 November 2025; Vol. 775, c. 26WS.]
However, the Government apparently do not consider their own public services, provided by local authorities, to be essential enough for protection. The £10 million Redcar council incident proves that voluntary schemes are failing local authorities, but after the Bill is passed, Government institutions and councils will still lack statutory protections and ringfenced funding—and all the while, council budgets are getting tighter. I have no doubt that members of the public whose data, be it from the electoral roll or from social care records, sits in these systems would object to the public sector’s exclusion from the Bill.
As has been mentioned, we are also talking about a potential mandatory digital ID system for the whole country. The Government have already said that it would be built with home-made technology. Where will the cyber-protection be in that? What is more, leaving out sectors such as retail and manufacturing would mean that the JLR and M&S cyber-attacks remained out of scope. These are significant sectors. They involve major employers and major parts of our supply chains, and they handle significant amounts of personal data.
The Bill marks a failure of ambition. The Government claimed in response to a letter that we sent on this topic that they
“do not need to wait for or rely on legislation”
to implement cyber-security requirements in the public sector, and will instead use the Government action plan to ensure that the very same requirements in the Bill will be applied to the public sector. Why must we have this two-tier approach? Why leave out economically and socially significant sectors, such as the public sector? Does the Minister agree that we need mandatory cyber-security standards for those absent sectors of our society, governance and economy? If we are serious about national resilience, about protecting citizens’ data and about aligning with our European partners, let us vote on the issue in primary legislation in this Chamber, so that the issue has the full transparency and accountability that it demands.
A further critical gap in the Bill is the failure to embed security by design, and a lack of clear accountability. This should be board-led, to ensure that each lock, door and window of our house is built securely. In 2019, the NCSC published design principles, and last October the Government launched a secure-by-design framework, which was seen as core to their cyber-security standard. However, the Bill not only excludes Government from critical national infrastructure but abandons that key principle, and fails to include the words “by design”, which matters, particularly as ISC2 research suggests that skills shortages are the No. 1 challenge for compliance with cyber regulation in the UK, with 88% of respondents experiencing at least one cyber-security breach as a result of skills shortages. This is also a missed opportunity for our economy and our cyber-security sector. Prioritising security by design would provide the baseline protection that our critical infrastructure so desperately needs. What consideration have the Government given to ensuring security by design?
Effective regulation does not just mean future-proofing; it must be workable. While we welcome expanded incident reporting, the current definitions risk creating a significant regulatory burden. Over-reporting will overwhelm, rather than strengthen, our cyber-security systems. Those who are coming to upgrade our security systems are not being given clear directions. The definition of a “reportable incident” is so broad that it could extend to every phishing email. How will the NCSC feasibly manage the administrative burden when the alarm may be ringing non-stop? Other critical terms lack clarity for industry, including “managed service provider” and the criteria for “digital critical suppliers”, as has been highlighted by techUK and others. These are not just technical details to be ironed out later; they are the difference between a Bill that works and one that does not, and industry needs clarity on how to comply. Will the Minister work with us and with industry to tighten those definitions, so that the Bill is workable, and will he consider the best way to ensure simplicity and effectiveness in incident reporting?
What is being done to support home-grown cyber-security in the UK? What is being done to defend us from hostile foreign interference? With one of the latest defence contracts going to Palantir, what is being done to support UK tech? Would the Government support a digital sovereignty strategy, as suggested by Open Rights Group? The Bill is yet another missed opportunity to support our domestic tech sector, at a time when we should be building UK cyber-security capabilities and creating highly skilled jobs here at home. How can we claim to be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad?
Supporting UK tech and businesses is not just about the providers in the Bill; it is about the thousands of small and medium-sized enterprises that form the backbone of our economy. For the few SMEs and start-ups that are directly affected by it, the Bill creates a regulatory thicket of overlapping rules, different timelines and multiple bodies. Cyber-security is complicated, and for this legislation to work, it must be simple and easily implementable for UK SMEs. What support will there be for those SMEs and start-ups?
It would be remiss of me not to mention the wider cyber-crime landscape. SMEs make up 99.8% of UK businesses, and are often the most vulnerable link in cyber supply chains. The NCC Group confirms that manufacturing, retail and leisure, dominated by SMEs, were the sectors most targeted for ransomware in 2024. That is why the Liberal Democrats are calling on the Government to establish a digital safety net for SMEs—a nationwide first responder service that would provide free-at-the-point-of-use support for small businesses that have been victims of a cyber-attack. Australia is already doing that, providing person-to-person support during and after attacks. If Australia can do it, why can’t we?
On top of all that, the biggest threat is actually fraud, which costs the economy hundreds of billions a year. Two thirds of all fraud begins online, much of it through social media companies with no liability. That is why the Liberal Democrats are calling for social media platforms to be made financially liable for fraud on their sites, which would create a clear line of accountability for criminal activity. Moreover, fraud is a cyber-security issue; it exploits weak systems and inadequate protections. Families lose life savings, elderly people fall victim to sophisticated phishing, and small businesses shut down. The Bill protects infrastructure, but by leaving the back door open, it ignores the billions of pounds of savings lost and the livelihoods upended through online fraud. The Government must address that in their long-awaited fraud strategy. We cannot protect systems but abandon our businesses and our people.
The Bill is progress, but it is not the finish line. The cyber-threat is real, evolving and urgent. The Liberal Democrats will work constructively to strengthen the Bill through amendments, but we must ensure that we do not leave the back door open, and that we future-proof our security. We owe it to our businesses, our families and our national security to get this right.
Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)
Happy new year to you, Madam Deputy Speaker, to all hon. Members and to the staff.
It is appropriate that we begin 2026 by talking about an issue in the House that is of grave importance to all our constituents, but is not discussed enough either here or in the country: cyber-security. At the start of the millennium, only a quarter of the UK and 6% of the world were online. Today, almost 98% of the UK and 68% of the world use the internet. According to Ofcom, we each spend between three and six hours online every day, depending on our age and interests. For many—perhaps too many—life is lived online. Even when people are not online, the infrastructure of their lives is. Whether people use online banking or not, their bank account details will be stored in a cloud somewhere. The same is true of health records, electricity bills, children’s school records, the safety sensors of our nuclear power plants, Christmas Marks & Spencer orders and Uber ride details.
The Prime Minister said that national security is the first duty of any Government. I hope that all hon. Members agree that the Government must ensure the security of the British people as we go about our increasingly online lives. Previous Governments have not taken that issue seriously enough or done enough to protect our citizens. That is why, as Chair of the Science, Innovation and Technology Committee and a self-confessed tech evangelist, I welcome the legislation. I am pleased to see other members of the Committee here. The Committee has not examined cyber-security in detail, but we have expressed significant concerns about public sector data management, for example, after the Afghan data breach came to light.
As we have heard, the UK’s only cross-cutting cyber-security legislation is inherited from the EU. Since Brexit, the EU has updated those regulations, leaving the UK working in an outdated framework. Meanwhile, nationally significant cyber-incidents, as measured by the National Cyber Security Centre, more than doubled last year. The NCSC also warns that artificial intelligence will “almost certainly” increase both the scale and impact of attacks. When everyone can code, thanks to AI, everyone can hack, and we need to respond to that, because those attacks threaten not only our national security, but our economy. In November, the Bank of England cited, for the first time, a major cyber-attack—that on Jaguar Land Rover—as a factor in its decision to hold interest rates. The JLR breach is estimated to have cost the economy almost £2 billion.
I welcome the Bill, which seeks to expand its scope to new sectors, to make regulators more effective, and to grant the Government additional powers to respond to the ever-evolving threat landscape. However, I must be clear that there is more to be done. My main concern relates to the scope of the legislation. The Bill rightly brings data centres, large load controllers and managed service providers within the scope of regulations, and grants competent authorities the power to designate critical suppliers that are vital to the service provided, yet some of our most economically significant sectors remain outside its core obligations.
Retail is the UK’s largest private sector employer. It handles huge volumes of sensitive customer data, runs complex supply chains, and often relies on legacy IT systems, which make it a prime target for cyber-criminals, yet retail is outside the direct scope of the Bill. The legislation would therefore not have prevented the attacks on Marks & Spencer, the Co-op or Jaguar Land Rover, which affected our constituents so greatly.
I welcome the Government’s plan to promote the new cyber governance code of practice to improve preparedness in sectors such as retail. However, even after high-profile breaches, cyber-security is still not prioritised at board level. A recent report by the Information Systems Audit and Control Association—ISACA—shows that only 56% of company boards take cyber-security seriously enough, and that is after JLR.
The Minister, in his excellent speech, said that it was up to private sector companies to manage their cyber-security. I agree, but how will the Government assess whether that is happening? What will the Government do if there is evidence that companies are not managing their cyber-security effectively and that, as a result, our citizens are not adequately protected?
Without a way of monitoring and enforcing governance standards, large parts of our economy remain exposed. ISACA recommends a statutory review of the uptake and effectiveness of the cyber governance code; powers for regulators to mandate periodic external resilience assessments, such as penetration testing and scenario-based exercises; and a requirement for organisations to appoint an accountable individual who meets defined competency standards.
Government Departments, local administrations and public bodies, such as the BBC, are also outside the scope of the legislation. The Bill does nothing to address long-standing weaknesses in public sector data management, which the Select Committee highlighted. As the National Audit Office declared last year, the cyber-threat to the UK Government is “severe and advancing quickly”. The cyber-attack on the Foreign, Commonwealth and Development Office in October is a clear example of how rapidly the attacks are escalating. We need greater rigour to prevent future attacks and build the public trust that is needed for the implementation of digital ID and other digital transformation projects.
I have not been able to study in any detail the action plan that the Government published this morning, but I will look for clear measures of success when it comes to its implementation, and ways in which the cultural change that was mentioned in the debate, which is needed in the public sector as well as the private sector, has been achieved.
The Secretary of State recently told my Committee that the Government would
“assess the improvements the Cyber Security Bill brings to the UK’s cyber defences through post-implementation reviews, regular engagement with NIS regulators and industry, and monitoring the incidence and cost of any future cyber attacks.”
I would welcome clarification of whether those commitments reflect the statutory requirements in clauses 20 to 22 or additional policy commitments, and how they will be funded.
The Bill rightly focuses on critical national infrastructure, but as we all know, we are only as secure as our weakest link. The supply chains for our critical national infrastructure involve many small businesses, who may or may not be within the scope of the Bill, depending on their designation. How quickly does the Minister envisage businesses knowing whether they have been designated as critical suppliers?
I support the Bill’s proposals for mandatory cyber-incident reporting and recognise the value of the Government’s collecting and publishing data on ransomware and other attacks. However, I share the concerns raised by the Association of British Insurers and others about the feasibility of small businesses meeting the proposed two-stage reporting requirement, and particularly the requirement to submit full reports to regulators and the NCSC within 72 hours.
We have seen that the take-up of cyber essentials—the programme to help businesses, and particularly small businesses, achieve the cyber-security they need—is low among businesses. As I said, only 33,000 took it up in 2024. Cyber insurance take-up is also low among small businesses, leaving them vulnerable in terms of skills and protection. Can the Minister say a little about his plans to address that? If the Bill is to succeed, implementation must be done with industry, not to industry, so I echo techUK’s calls for clearer guidance on information sharing and for additional support to help small businesses meet compliance costs.
I hope that the Minister will address the following points specifically. Will the Government consider extending the Bill to economically significant businesses outside its current scope, and empowering regulators to mandate stronger cyber governance and resilience assessments? Will the Government consider including direct measures to strengthen cyber-security and resilience in public administration, including local authorities and Government Departments? Will the Government clarify whether the post-implementation reviews, monitoring of cyber-incidents, and engagement with regulators and industry that the Secretary of State has outlined to my Committee reflect the existing statutory requirements in the Bill? Will the Minister ensure that the new cyber- incident reporting and information sharing requirements are implemented in a practical and proportionate way for small businesses? Will the Government take steps to support cyber insurance take-up? Finally, will they ensure that there is clear guidance on information sharing requirements, and provide additional support to help businesses meet compliance costs?
We need to talk more about cyber-security. I have not touched on some of the national security implications, which the Minister and my hon. Friend the Member for Warwick and Leamington (Matt Western) described very well, but this issue is only going to get more important from the perspective of national security, economic security, and personal safety and security. If we can get the implementation of this Bill right by extending it as necessary, working with industry, supporting smaller businesses, and supporting public trust and public security, then I hope we can build a nation that is not just cyber-secure today, but prepared for the many challenges that lie ahead.
Sir Oliver Dowden (Hertsmere) (Con)
It is a pleasure to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who has brought tremendous expertise to this debate. In my previous role overseeing national resilience and cross-Government co-ordination of national security threats, cyber-security was probably the one area that caused me the greatest number of sleepless nights. There has been a lot of talk in recent months and years about the increased need to defend the realm and the steps that need to be taken to address the defence of the realm.
We all know from past experience that the first line of any attack on the defence of the realm is highly likely to be through cyber-attacks. Indeed, in a completely different context, we need only to look at the public comments made by the President of the United States a couple of days ago about the first steps that the United States took in its intervention in Venezuela: he talked about the United States’ capability to knock out the power supply there. If we look at our adversaries, particularly Russia, North Korea and Iran, we can see that they are actively inculcating and encouraging environments in which cyber-attacks can be planned and take place. Whether that is done explicitly by private sector individuals or with the connivance of the state, a deliberate grey zone is created, with the desire to increase knowledge of cyber-risks to the United Kingdom and our allies, and to carry out penetrative attacks to that effect. We are likely to see this grey zone warfare continue to increase as a result of the actions that we see in Ukraine and elsewhere.
We just have to look at our own experience. Many hon. Members have made the point that the initial attack on JLR rapidly cascaded and affected many others in the supply chain. From the Government’s own research and testing—this is in the public domain—one sees that a cyber-attack can rapidly cascade into other areas. For example, when we test the impact of a cyber-attack on our electricity system, it rapidly cascades into our water system, which is dependent on electricity. Clearly, it also rapidly cascades into our transport system. Before long, a small cyber-attack becomes a very, very large cyber-attack. In common with all other advanced countries, the United Kingdom is highly exposed to cyber-attacks—a point that I made repeatedly from the Dispatch Box.
I welcome this legislation and the steps that the Minister has outlined today, but I gently caution against what he said. I do not think it was his intention, but he said that this legislation will fix the cyber-security problem. It will not fix the cyber-security problem. No single piece of legislation is ever going to fix the cyber-security problem, nor is this a question of good guys and bad guys or of, “The last Government did nothing, and this Government are doing something.” Each Government must have a fresh look at the challenges of cyber-security, and take necessary and proportionate steps to address the risks.
Matt Western
Given the right hon. Gentleman’s extensive experience, it is very interesting to hear what he says. If he had his time again—this is not to criticise the previous Government, but to ask about the here and now—would he think that this area needs an absolute focus from across Government and across society, because it is such a crucial part of our defence?
Sir Oliver Dowden
Yes, I totally agree. Indeed, that is why the National Cyber Security Centre, working in conjunction with the last Government and now the current Government, has set out the whole-of-Government approach. It cannot just be about the actions of individual Government Ministers or individual actors in the private sector; the whole of Government need to act together.
On the further steps we could and should have taken—this goes back to my intervention on the Minister—I do think that more pressure needs to be brought to bear on Ministers in terms of their accountability for cyber-security, and I fear that if we do not put this into primary legislation, it can slip further and further down Ministers’ in-trays. Although Ministers have a desire to address it, more pressing and immediate problems distract their attention.
I have some constructive suggestions about how we can improve the proposed legislation. The first is about many of the powers being delegated to secondary legislation or ministerial direction. I do not have a problem with that, because it is essential that we have a framework piece of legislation and then the flexibility to allow secondary legislation to be brought forward to address challenges as they arise, but I urge Ministers to undertake a meaningful and mandatory consultation on any secondary legislation that comes forward, so that businesses and others can contribute to it.
I also caution against Ministers devolving to regulators their duties in respect of cyber-security. Too often—again, this applies to Governments of both colours—regulators are empowered to address cyber-security problems or any other problems. They then charge off in one direction and fail to take into account questions such as proportionality—the impact of the regulations versus their economic burden—and Parliament and Ministers cease to have a significant role. I urge Ministers to keep a tight grip on regulators and on the instructions that they give them.
I would also be a little cautious about some of the arguments made by hon. Members about the need constantly to expand the scope of this legislation to further areas of the private sector. It is very easy for us in this Chamber to talk about the need for further legislation, but when a small business is faced with a huge Act and required to interpret it, it looks a very daunting prospect. My preference would be to continue the sort of co-operation that we have seen through the whole-of-society approach advocated by the NCSC.
On proportionality, I urge Ministers to embrace AI. There are opportunities to use AI to triage incoming attacks and avoid duplication, for example, and a lot of streamlining of the system can be done in that area. On the flipside of AI, we must take very seriously the risk of cyber-attacks posed by agentic artificial intelligence. It appears that we reached an inflection point in November 2025, when Anthropic reported disrupting what it described as the first large-scale cyber-espionage campaign executed largely via agentic AI. We are likely to see much more of this. I would welcome the Minister saying in his concluding remarks what the Government intend to do to ensure that we keep up with this threat, because we are only in the foothills of the risk posed by agentic AI.
Further to the point about the role of the public sector, 40% of incidents handled by the National Cyber Security Centre when I was the Minister responsible were from the public sector, so I question the exclusion of the public sector. I appreciate that the Government have announced a plan. I have not had a chance to look at it, but I can imagine what it contains broadly. The key thing is what stick is applied to public officials and Ministers, outside the core responsible Government Departments, to make sure that they take their responsibilities seriously, so I think some legislative proposals may be needed in that area.
Similarly on budgets, again the core responsible Departments—the Cabinet Office and the Department for Science, Innovation and Technology—will prioritise cyber-security. I fear that other Departments may not, so there is a strong argument for ringfencing cyber-security budgets for all Departments so that money cannot be transferred to more pressing short-term problems, as has often been the case, particularly, for example, in the NHS.
It is very important that we do not overlook the basics. It is very easy to talk about legislation or to talk in high-level terms about threats, but probably the single biggest thing we could do to deal with cyber-risks in this country is to make sure that every time every single business and private individual gets one of those annoying pings on their phone saying that they need to upgrade their software to the latest operating system—it is the same with their PCs, iPads and so on—they do so. That is done by providers, because they know that there is a cyber-risk, and there is a patch to address it. If the patch is applied immediately, that can have a huge effect on the resilience of the whole of society, and the NCSC constantly puts out that message.
We need to look at our resilience in society as a whole when we have a major cyber-attack. We have had major cyber-attacks, but they have tended to be in just one sector, albeit with cascading effects, as with JLR. We have not yet had a whole of society cyber-attack—either one that flows out of control from a criminal attack, or a deliberate attack from a hostile state cascading widely across all of society—affecting our electricity, water supplies and so on. I fear that it is only a matter of time before that happens, and we need to look at the resilience of individuals, including the ability to have analogue systems such as battery-powered torches, rather than electric torches, and so on. I started the work on that as a Minister, and I think more needs to be done in that space.
We also need to look at the question of emergency communications. It was certainly my experience that public sector broadcasters—such as, I think, the BBC—are not required to take emergency communications from the Government in such situations. I think that is a loophole that could be exposed in such a situation.
On resilience more broadly, we are in the foothills of the impact of AI. We are going to see vast impacts on employment and how people lead meaningful lives as AI advances more and more rapidly. For the resilience of our society, this House needs to have a much wider debate—not on this Bill, but more generally—about how we address the epoch-changing challenges we are facing.
In conclusion, I think this is a welcome piece of legislation and an important step forward. My hon. Friend the Member for Hornchurch and Upminster (Julia Lopez) correctly highlighted the very important challenges, and they will need to be addressed as this Bill passes through the House. I think it is an important step forward, but it is only one step, and once this legislation is enacted, we will need to be prepared to return to this issue again and again.
Anna Gelderd (South East Cornwall) (Lab)
I am pleased to support this Bill as the MP for South East Cornwall, which is a constituency of hard-working rural and coastal communities where digital access remains a problem, as there are long distances between services and few alternatives when systems fail. As we know, digital connectivity is a growing necessity for daily life—from traditional farming and fishing businesses to carers supporting vulnerable residents—and access to online job sites, Government websites, and NHS services and emergency support are all part of our new daily existence. Reliable digital infrastructure that is protected from disruption and attack is therefore essential for our economy, public services and community safety.
That is why I am supportive of the actions this Government have taken to improve the lives of my communities, such as the digital inclusion innovation fund, which Labour has put in place to tackle the barriers that stop people getting online in the first place; the roll-out of Project Gigabit, ensuring that rural and hard-to-reach areas are not left behind; and the shared rural network, which is an important landmark partnership between Government and mobile network operators that Labour continues to support to eliminate so-called notspots—I have to say I know about them only too well in South East Cornwall—and improve 4G coverage across rural areas such as mine.
Improved connectivity and cyber-security can support small businesses, enable remote working, improve access to the NHS services we all need, and help young people build their futures through online training, job opportunities and Government support. They can also strengthen our rural resilience, ensuring communities stay connected during emergencies and are better able to adapt to future challenges. My goal is for South East Cornwall to become a digitally connected, resilient and safe constituency, where no one is left behind because of their rural postcode. I am pleased to have been raising constituents’ concerns with Ministers and working with them to improve that for local residents.
Digital systems must also be secure. Cyber-attacks carry real costs for both individual businesses and our wider economy. Businesses in South East Cornwall work hard to provide those services, create local jobs and support our local communities, and there are practical steps that businesses can take. The National Cyber Security Centre provides excellent guidance, but it also matters that businesses know that their Government are acting to protect them as they navigate the growing risks involved in working online. That is why I welcome the action this Bill takes to strengthen our cyber-resilience. May I ask the Minister what is being done on recovery and response planning should incidents occur, as the reality for rural and coastal communities is that outages often last longer and impacts are felt more sharply?
The Bill also presents an opportunity to grow skills, learning and employment across the country. Improving cyber-security standards increases demand for skilled professionals, and it creates pathways into good jobs and long-term careers. That matters for us in South East Cornwall, where we want our young people to see a future locally, without needing to leave to succeed.
This issue also matters for diversity. Our services are stronger when they are designed and protected by people with different backgrounds, experiences and perspectives. Work in this area can open doors for young girls and women into STEM—science, technology, engineering and maths—careers, and help break down the long-standing barriers felt by women under-represented in tech, whether at entry level, in mid-career progression or in leadership roles. The Secretary of State for Science, Innovation and Technology recently welcomed the launch of the women in tech taskforce to bring Government and industry together to identify and dismantle exactly those barriers, and I look forward to seeing the benefits reach the women and girls in South East Cornwall.
It is also important to recognise that cyber-resilience is now a key element of our national security and defence readiness. Staying up to date and agile is essential, particularly as advances in Al and quantum computing not only create new methods for testing, strengthening and securing our systems, but present new challenges that we must face. We have world-class research facilities in the UK, with brilliant minds that can support our national security and ensure that the UK is at the forefront and prepared for future attacks.
The work the Government are doing through the Bill updates the UK’s existing frameworks so that we can respond to new and emerging threats and better protect our communities, as well as safeguarding sensitive information and personal data, but of course there is room for further work in future. With the nationally important Devonport dockyard just across the river from South East Cornwall, many of my local residents cross the Tamar each day to work on site. A serious cyber-attack could disrupt supply chains, compromise secure communications and undermine operational readiness, with real consequences for local safety, local livelihoods and national defence. Supply chain resilience is especially important in South East Cornwall, as many Cornish businesses support larger providers in defence, energy and infrastructure. Ensuring that our services and local systems are resilient protects both local suppliers and national partners. It is essential that the UK defends itself and protects security at home and abroad, so how will the Minister create clear expectations on wider supply chain cyber-resilience, practical support for smaller suppliers such as those in South East Cornwall, and strong incident recovery planning, so that both major defence infrastructure and the SMEs that support it are protected?
For South East Cornwall, the Bill speaks to resilience in the broadest sense. It supports secure services, a stronger economy, new opportunities for skills and jobs, new opportunities for women and girls, and the confidence that the systems we rely on every day are protected. I am glad to support it and the action the Government are taking to keep our digital future safe.
David Reed (Exmouth and Exeter East) (Con)
I very much welcome the opportunity to speak on Second Reading. The Bill addresses one of the most defining national security challenges of our age and we have heard many valuable contributions from right hon. and hon. Members across the House.
Before entering Parliament, I spent several years working to protect our country from cyber-risks. My background in software engineering gave me a rare view under the bonnet of the systems that now underpin almost every aspect of our daily lives. I saw first-hand how our digital infrastructure works and just how vulnerable much of it remains. I really loved that work, and I am proud to say that as a country we are genuine world leaders, but I would be dishonest if I said that it did not leave me deeply worried at times. That is not because of any single threat or actor, but because of the sheer scale, complexity and relentlessness of the cyber-risks we face. Those risks are only accelerating with advances in artificial intelligence, automation and the advent of quantum computing. Those technologies will, as we have heard today, revolutionise our lives in ways that we are only just beginning to understand. We must adapt alongside them if we are to remain a serious technological and economic power.
Our lives are now dependent on digital systems at every level. From water treatment plants and electricity networks, to transport, financial markets, healthcare and the wider economy, it is fair to say that we are no longer merely supported by digital infrastructure, but built upon it. And when those systems fail, the consequences are not abstract. They are immediate, they are human and they can be devastating.
We have already seen that reality play out in this country. If we cast our minds back to May 2017, the WannaCry ransomware attack tore through the national health service. Tens of thousands of computers were infected, and staff were locked out of patient records, diagnostic systems and telephony. Ambulances were diverted, and thousands of appointments and operations were cancelled, including urgent cancer referrals. The estimated cost to the NHS was £92 million, but the human cost—the stress, disruption and loss of confidence—cannot be measured in pounds and pence. The crucial point, which we have heard made in contributions today, is that while the attack was not targeted at the NHS, it was particularly vulnerable, because it was reliant on outdated and unpatched systems, and on the fragmented digital assets it owned. It was a warning shot that should never be forgotten.
More recently, the private sector has faced similarly sobering lessons. Capita was recently fined £14 million following a cyber-attack that compromised the data of more than 6 million people. British Airways and Marriott International suffered major breaches affecting hundreds of thousands of customers, resulting in substantial penalties and lasting reputational damage. These are not small firms, but sophisticated organisations with scale, expertise and resources, yet still they were exposed. That is why the Bill matters and why I want to work constructively with the Government to ensure that we get it right first time.
Crucially, we must build the ability to adapt and update the framework as technology and threats continue to evolve, while—I refer to the point made by my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden)—not making that burdensome on businesses and organisations.
As the UK’s first piece of legislation to include the words “Cyber Security” in its title, the Bill represents an important step forward. It modernises the network and information systems framework; brings new sectors into scope, including data centres, managed service providers and critical suppliers; strengthens incident reporting requirements; enhances enforcement powers; and allows Government to act decisively—I hope—where national security is at risk. I welcome those objectives and, in particular, the recognition that managed service providers and supply chains are now critical attack vectors. That is absolutely correct. Cyber-threats do not respect organisational boundaries, and our regulatory framework must reflect that reality.
However, the Bill must not be treated as some sort of elixir. Cyber-security is not solved by regulation alone. The Bill strengthens protections for critical national infrastructure but leaves significant questions unanswered—questions that we must address if we are serious about national resilience. One of the most pressing concerns raised by industry is the growing complexity of incident reporting. Organisations already face overlapping obligations under data protection law, sector-specific regulation and, soon, economy-wide ransomware reporting requirements. Add to that multiple voluntary reporting channels, and the landscape becomes fragmented and very confusing. Having been a small business owner, I know that, when dealing with marketing, advertising and payments to staff, having extra layers of complexity, with reporting added on, is a difficult position to be in.
The first hours of a cyber-incident are chaotic: systems are down, decisions are time-critical and staff are under immense pressure. Forcing organisations to navigate multiple reporting regimes in that moment risks distracting them from the most important task, which, as we all know, is containing the attack and restoring services. A unified reporting framework with a single point of contact and aligned timelines would reduce burdens on businesses, while improving the quality of information available to Government. The Bill should move us closer to that outcome, not further away from it. I look forward to working with the Government at the next stage of the Bill to ensure that happens.
We must be honest about the limits of sector-based regulation—the Minister referred to this in his opening remarks. The Bill focuses, rightly, on critical national infrastructure, but many of the most damaging attacks in recent years have occurred outside its scope. Manufacturing, retail and consumer services have been heavily targeted. The attack on Jaguar Land Rover, which many right hon. and hon. Members have referred to today, is estimated to have caused up to £2 billion in economic damage across the company and its supply chain. That is a stark example.
I want to put on the record my deep concern about the precedent being set: the British taxpayer is effectively being required to act as insurer of last resort for major companies that have failed to adequately defend themselves. For large firms that are critical to our economy, the expectation that the public will step in cannot become the norm. Responsibility must sit squarely with the boards and executives to invest properly in cyber-security resilience or face the consequences. I am glad to see that the Government have taken the initial steps to have that conversation with industry.
At the same time, small and medium-sized enterprises, which make up the vast majority of our economy, are particularly exposed. They often lack the skills, budgets and capacity to implement proportionate cyber-defences, yet they sit deep within critical supply chains. A single weak link can have cascading consequences far beyond the organisation directly attacked. If cyber-security is economic security—I think we all agree that it is—we need a whole-of-economy approach. That means combining regulation with incentives, and support and standards that uplift resilience across UK plc, not just at the very top. That should include stronger, secure-by-design requirements for technology products, embedded through procurement and standards, and practical, accessible support for smaller businesses, potentially including consideration of a national first responder model to help small firms recover quickly from cyber-attacks.
We must also address the skills challenge head-on, as cyber skills shortages are already undermining resilience and compliance. If we are to give them more investigatory powers, the regulators themselves will need additional technical and enforcement capacity to deliver the expanded responsibilities set out in the Bill. That capacity cannot be assumed; it must be planned for, funded and developed far in advance.
Finally, I want to raise the issue of cyber-crime law. The Computer Misuse Act 1990 dates from a time when fewer than 1% of the population had access to the internet. Its blanket prohibition on unauthorised access fails to distinguish between malicious attackers and legitimate cyber-security professionals acting in the public interest. That matters: vulnerability research and threat intelligence are essential to defending our systems, yet many professionals in the industry operate in a legal grey area when carrying out work that ultimately strengthens our national security. Updating that framework, including by introducing protections for reasonable research, would modernise the law without weakening it.
In conclusion, the Bill is an important foundation. It strengthens protections for critical services and sends a clear signal that cyber-security is a core responsibility of the modern state. However, legislation alone will not deliver that resilience; it requires co-ordination, clarity, capability and sustained investment, as well as an honest understanding of where the Bill must be strengthened as it moves through Parliament.
Cyber-threats do not stand still, and neither can we. I support the direction of travel set out in the Bill and urge the Government to engage constructively as it progresses so that we can deliver a framework that provides real, lasting protections for our country, our economy and the British citizens.
Anneliese Dodds (Oxford East) (Lab/Co-op)
I wish you, Madam Deputy Speaker, all parliamentary staff and all Members in this Chamber a very happy new year.
It is a real pleasure to rise to speak in favour of this crucial Bill, which I am pleased to see having its Second Reading. It is also a pleasure to follow the hon. Member for Exmouth and Exeter East (David Reed), who set out many of the stakes that are so critical here. We also heard that in the opening speech by my right hon. Friend the Minister for Digital Government and Data, who described a number of disturbing cases, as others have done during the debate. He also set out the scale of the impact of cyber-attacks with some concerning figures, as did my hon. Friend the Member for Warwick and Leamington (Matt Western). I was particularly struck by the 0.5% hit to GDP from cyber-attacks and the fact that our country has been the third most severely impacted worldwide by cyber-attacks. It is therefore welcome that the Bill focuses on a faster and more joined-up approach to deter and deal with cyber-attacks.
I believe that that approach has gone alongside a really strong grip from the new Government on the need for a sectoral approach to dealing with cyber-attacks. Of course, we unfortunately had to see that, given the attack on JLR. I was pleased to see the previous Secretary of State really engaging with the automotive sector—work that has been continued by the current Secretary of State—on the challenges and lessons that need to come out of that attack, which has been particularly important in my constituency given the significance of BMW Cowley for employment in Oxford East.
I believe it is critical that we assess cyber-security alongside other forms of cyber-criminality, as the head of MI5 has argued for us to do. Cyber-attacks are increasingly being carried out by quasi-non-state actors that operate in the grey zone that the right hon. Member for Hertsmere (Sir Oliver Dowden) talked about, often implicitly backed by Russia or other adversaries. Those attacks are taking place at the same time as a rise in cryptocurrency laundering and disinformation operations.
I am sadly forced to share the assessment of GLOBSEC, the security-focused think-tank, that the pattern of Russia’s hybrid war
“has persisted without an effective Western response”.
There has been an escalation in cyber-attacks, sabotage, disinformation and political interference, but we have not seen the kind of joined-up approach across like-minded democracies that is needed. I was assured recently by my right hon. Friend the Paymaster General that the Government are working with the EU on combating foreign interference. That work clearly needs to be intensified, especially when we see what is happening to other democracies not so very far away from us.
I saw the threat for myself directly in Moldova, where cyber-criminals’ methods are often being used in combination: a cyber-attack on the election regulator coincided with a disinformation campaign sponsored by Russia and disruptions like bomb hoaxes in real life. So while I welcome this legislation, it must be co-ordinated with broader work to protect our country’s resilience and digital sovereignty, and to secure transparency on foreign interference.
In that regard, I will end by mentioning a concerning development: the sanctioning of two British citizens by the United States over the Christmas period, both of whom have worked to deliver transparency, including on foreign interference—clearly relevant to this Bill. Imran Ahmed is from the Centre for Countering Digital Hate, whose dispassionate, evidence-based analysis has uncovered the spread of disinformation, violent racism and material that poses harms to children. Clare Melford is from the Global Disinformation Index, which provides information about the extent of polarisation and disinformation so that companies can make informed choices about where to advertise—a free market approach to providing transparency.
The Minister stated at the beginning of this debate that when national security is on the line, we must be ready to act, and I strongly agree. A number of Members in the Chamber have said how important it is that we have a cross-economy and cross-society approach to these issues. I believe that the sanctioning of these individuals risks chilling transparency, including potentially transparency that can uncover foreign interference. I hope the Government will resist all attempts to reduce transparency. The welcome efforts in this Bill on cyber-resilience must be accompanied by work to counter other cyber and information-related threats to our national digital sovereignty and, more broadly, threats to our national security and interest.
Bradley Thomas (Bromsgrove) (Con)
I start by putting on the record my broad support for the principles in the Bill. Cyber-threats are among the biggest threats that our country faces. We are living in the grey zone right now—every day, thousands of cyber-attacks take place on private companies, publicly owned companies and infrastructure. This is probably the most profound wave of attacks and hostility that we face; they are in plain sight, but the vast majority of the country and our constituents are unaware of them. That is for good reason: there are many good people working at the National Cyber Security Centre, in the intelligence agencies and the military, across Government and across private industry who do so much to keep us safe. However, that does not mitigate the fact that the threat is real, present and only ever increasing.
It is only ever increasing not just because of criminality in a cyber form, but because of the threats that come from nefarious states, particularly Russia, China, Iran and others that have been mentioned. The Jaguar Land Rover attack is particularly prominent in everyone’s minds. It affected the whole country and affected global supply chains, but it had a particularly profound effect in my constituency, where many of the JLR workforce are based. We have seen what happens if we fail to invest sufficiently in our cyber-defences—such a deficiency in investment only enables those who seek to do us harm. The point has been made that our lives are not somewhat digital; they are fundamentally digital in almost every facet of life.
I would like to emphasise a couple of points in particular. One that I have not heard spoken about much, which I think is both within the scope of the Bill and, at the same time, somewhat adjacent to it, is the role of foreign technology in our supply chains, particularly kill switches. We are seeing increasing numbers of news articles about these switches, particularly relating to energy installations. Questions have been raised on numerous occasions on the Floor of the House about the prevalence of kill switches in Chinese technology in particular and the risk of exposure to an adversarial state abroad that could destabilise our energy systems. I would particularly like to see a joined-up, whole-of-Government approach to tackling the broader threat, instead of it being viewed through a single lens. I know that Ministers will be looking at it across the board, but I would appreciate if the Minister could address how it is being looked at across Government.
Another case is the rise of Chinese-made cars. It struck me that around 12 months ago I rarely saw a Jaecoo or Omoda car on our streets, but now they seem to be everywhere. I cannot help but suspect, given the links that those manufacturers have to the Chinese Communist party, that there are potentially kill switches within those vehicles and, more importantly, that the vehicles are sending data on users’ mobility habits to a foreign adversarial state. The implications of that are profound.
My final point is about the reporting regime. I introduced a ten-minute rule Bill a couple of months ago that touched on the broad principles within reporting, calling on the Government to have a pragmatic approach with regard to the reporting obligations on particularly small companies. I suggested a threshold of £25 million of turnover before a company would be within the scope of my proposed Bill. I chose that threshold because it would omit the vast majority of small or family-owned businesses unless they are designated within one of the 13 critical industries. The reason for that was simply a fear that reporting obligations on small businesses are ever-growing, and for many businesses additional cyber-security obligations could result in significant additional head count that they may not be able to afford. I encourage the Minister to engage as much as possible with representatives of small business to ensure that the reporting obligations are as minimal as possible while capturing the broad principle of the Bill.
I support the broad principle of the Bill; I think it is a step in the right direction. I hope that the Government will adopt a cross-Government approach. This is a wider societal issue that all of us have an obligation and duty to fulfil. I look forward to seeing the Bill’s progress and contributing as it makes its way through Parliament.
Sarah Russell (Congleton) (Lab)
Happy new year to you, Madam Deputy Speaker, your team and everyone else in the House.
It is no overstatement to say that this is one of the most pressing issues of our time. I suspect that if we were not bringing forward this legislation it would only become apparent quite how pressing it had been when there was a major incident that lay it bare. I think it is one of the marks of successful government that we are, hopefully—I touch wood as I say this—managing to stay ahead of the curve on these incidents. There is nothing more important than national security relating to critical infrastructure. I think it is exactly what our constituents want to see us acting on, and I wish they saw more of us discussing issues on a cross-party basis, with broad agreement. It is welcome to see the Government taking these steps.
I particularly want to discuss the enhanced incident reporting duties on the digital service providers and the duties to inform customers. In short, I have real concerns about how those duties will play out in practice. From my experience of having advised whistleblowers in the financial sector, when there are obligations of this nature, some corporations unfortunately make more effort to avoid complying with them than to comply with them. It is an excellent piece of legislation, and I am not suggesting that the Government should have drafted it in any other way, but we need to look at our whistleblowing laws alongside it, because at the moment we do not have strong enough protections for whistleblowers within UK law. That applies both inside and outside employment settings—for example in relation to contractors and other third parties.
If we do not ensure that people have mechanisms by which they can anonymously report breaches of those sorts of obligations, and if we do not have the right protections for them when they are raising the concerns internally in the first place, we will not be able to make adequate use of the Bill’s excellent provisions. I want to impress upon the Minister how important it is that this legislation is looked at in that wider context.
Also within the wider context is a broader debate—lots of us have touched on this without specifically identifying it—about how we balance the risk across society and the cost of the risk. It is about the risk to individuals, national security, individual businesses and individuals within those businesses, such as directors or other senior leaders. It is about how we ensure that in our country we do not have large tech companies, major data centres and other big private sector businesses taking economic benefits without carrying risk. We need those businesses and they are crucial to us, but we do not want them taking the economic benefits of operating in our advanced economy while the Government and therefore the taxpayer carry all the risk and burden of the regulation.
It is great to see that the Bill contains provisions allowing for financial recovery in the enforcement action that we want to take. It is also fantastic that when it comes to the enforcement provisions and finances associated with it, we are looking at up to 4% of global turnover in terms of potential fines for not complying. My position as a former lawyer is always that I want to know that things are enforceable. There are good enforcement mechanisms in the Bill, and there is plenty of money that could potentially be at risk, which incentivises the kind of compliance that we want to see, but we need to look at the broader societal piece about how we balance the risks and opportunities in relation to tech in general.
I was going to talk quite a bit about my concerns about my local public services and how they can better manage cyber-security. The Legal Aid Agency cyber-attack enabled criminals to steal the details of anyone who had applied for legal aid between 2007 and 2025. The scale of the financial risks to those individuals cannot be overstated; the amount of personal data that that involved was absolutely huge. Six out of 10 secondary schools are now subject to cyber-attacks. The Cheshire Cyber Security Programme is in place to help local small businesses manage their cyber-risk. It provides training for up to five members of staff in small businesses. Our local police powers are being used to try to take proactive steps to improve the situation for our local small businesses.
Schools in academy trusts are spending quite a lot of money on cyber-insurance to try to protect against these risks. We have seen schools across the country shut down because they are unable to open following cyber-attacks. The public sector action plan that the Government published this morning is incredibly welcome in terms of cyber-risk, and I really look forward to the opportunity to go through it in more detail. We again need to look at the balance of cost within our society.
I would like to add to the comments of those who have suggested that we should review the Computer Misuse Act 1990 and the lack of current protections for researchers doing important work in this area. We obviously have several institutions that are currently engaged in cyber-security work, including the Alan Turing Institute and the National Cyber Security Centre. We need to make sure that they have the right remit, because this area is only going to expand when the complexities of AI are added. We must ensure that everyone is protected to do their job effectively. That means protecting individuals, businesses and our wider society.
Lastly, we need to move as quickly as we can on this. It is great that we are maintaining our EU alignment, because realistically the only way that we can continue to be a major player and have considerable influence over companies, many of which now have much larger budgets than major economies, is if we work in conjunction with other countries. That is what our ongoing relationship with the EU should be about.
I thank everyone who has been involved with work on the Bill. I think it is excellent, and it is completely the right direction of travel. It is a shame that the Government doing the right thing every day does not get more publicity, even when it is not likely to grab many headlines. It is about doing the work, getting the right structures in place and moving forward productively in a cross-party way where possible. It is about securing our nation and ensuring that our economy is on a strong footing. There is everything to be said in favour of that.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
Cyber-attacks are a growing menace for British businesses. They cause chaos for all types of businesses and organisations, both small and large. The consequences of those attacks have hit our economy hard. The disruption caused by the cyber-attacks on Jaguar Land Rover, M&S and the Co-op were felt by many businesses further down their supply chains; for instance, the disruption that hit JLR resulted in a freeze for its steel supply chain, much of it in Wales.
So much of our economy relies on well-functioning digital platforms. Last year, many Lloyds bank customers found themselves unable to access money or pay their bills due to app outages, with that problem compounded by its decision to close high street branches. Yet, bizarrely, Lloyds decided still to pay its chief executive officer Charlie Nunn £5 million in 2024. I make that point to illustrate the lack of accountability we see in positions at the top of these organisations despite massive numbers of people being reliant on those services.
A successful cyber-attack often ends in people having their personal data stolen. That is why it is welcome that the Bill highlights sensible requirements to ensure that businesses properly consider supply-chain risks and their usage of managed service providers, as well as many others. On the other hand, it will be a mystery to many why sectors such as finance, food and drink and retail have not been included, particularly considering how those sectors have been hit hard recently.
The Government would clearly like to achieve security. To do that, it would help if the Bill could be improved to provide greater certainty and clarity for businesses. For instance, how are businesses supposed to manage relationships with managed service providers? For five years, I worked in the cyber-security industry, starting with the introduction of the GDPR, which happened at the same time as the original NIS directive. I found that the cyber-security sector is a well-connected community underpinned by a welcome commitment to sharing knowledge and best practice. For instance, Cyber Wales is a representative body that brings together the Welsh cyber-community. It is an industry that requires input from academia, law enforcement agencies, defence and businesses. There are clusters of success across Wales, including in my constituency. Partnerships built in academia often create spin-off companies that generate jobs. For instance, in Wales, the University of South Wales and Swansea University have done a lot to build up our local cyber-security ecosystem. As the Bill progresses, the Government would be wise to continue to consult regularly with this very engaged community.
It would be helpful to hear what sort of consultations, and how many, have taken place so far. It would also be helpful to hear the Government respond to the Information Systems Audit and Control Association’s proposals, particularly around giving regulators the power to suggest mandatory penetration testing.
The growing cyber-security sector should be a route for much needed economic growth and well-paid jobs in Wales. Many such jobs can be done remotely from anywhere with an internet connection. Recent research from Infosecurity suggests that there are 17,000 vacancies in the cyber-security industry right now, with that figure growing at 10% to 12% a year. That is a huge opportunity for a country like Wales.
Having an effective skills base is one way in which we can guard ourselves against cyber-attacks. Keeping Britain safe from cyber-attacks requires a trained workforce who can marry technical expertise with regulatory competence. I have seen in my professional experience how many people from many other sectors were able to retrain and upskill to work in cyber-security. People with experience in project management or managing processes are very capable of retraining to work in the cyber-security industry. Special thought should be paid to military veterans in particular, who are well suited to those jobs.
One of the questions for the Government should be about how to help more British people into those jobs while ensuring that our education system is equipped to help children pick the sector. That is why I call on the Government to ensure that funding is available for all schools in Wales to take part in the highly successful CyberFirst Wales scheme.
Mike Reader (Northampton South) (Lab)
I start with a story; it is a real story, but I have changed the names for obvious reasons. It was a Tuesday afternoon and I had a call from our CEO, David, who said to me, “Mike, I am jumping on a plane, but I need you to speak to a law firm we have been working with. This lady called Sandra will ring you from A&A law firm. I want you to speak to her. She will talk to you about a project we have been working on. Sorry I have not been able to read you in until now.” I think, “This is a bit strange. David’s a very busy man, but why would he ring me jumping on a plane?”
Sandra rang me, and it seemed pretty legit. We had a chat and it turns out we may know someone in common. I looked her up on LinkedIn: her firm is legit, she is there, and she has connections similar to mine. She tells me, “I need you to sign a non-disclosure agreement so we can talk to you about the opportunity we are working on with David.” I said that was fine and signed the NDA. I was sent a Teams link and joined a call with Sandra and some of her colleagues. Also on the call was David, my chief exec, whose signal was not good. He said, “Mike, I’m on a plane, but I’ve tried to join just to say thanks so much for being a part of this. We’re looking at an acquisition in your business area. I want you to work with A&A legal partners to ensure they have got the information they need. This is a real opportunity for us to grow. You know that we have been looking to grow the business.” Then his signal dropped off.
I carried on the conversation with Sandra and her partners. They started asking for information that perhaps they did not need—for example, about operational matters and how the business worked. They followed up with another call, in which they started asking for financial information about some of our clients. They followed up with another call in which they asked for financial information about the business. At that point, I thought, “I had better ring David and just make sure this is legit.” When I rang David, I found that he had no idea this was going on. Our business was being attacked through a deepfake intrusion. They had mirrored our chief exec, and used his voice for a call and his image for a Teams call. Had I—this story is actually about a friend of mine—not called my boss to say, “Is this legit?” they could have got away with goodness knows what. That seems quite far-fetched, but Arup, another big British firm, got done by a very similar deepfake scam; it lost £20 million to scammers.
I start with that real story about something that happened to one of my colleagues, because this Bill is really important. It is a framework Bill that will set out how we put in place better standards, procedures and controls, but actually where many businesses—be they data centre providers, managed service providers or those already covered by legislation—fall down is at the point when a human is in the loop. We heard from my hon. Friend the Member for Harlow (Chris Vince) about how to get the culture right, and how to ensure that people are considered in future legislation and guidance that will come off the back of the Bill. I wanted to open up and make that point, because through the Bill, we can do all we can on technical processes and procedures, but it is really important that we focus on the human in the loop and the human aspect, as that is often where these major attacks start.
I am really pleased to support the Bill. Cyber-security and cyber-crime impact our daily lives. I will not repeat the stats, which we have heard from many hon. Members on both sides of the House. They impact the businesses that support our economy, our public services and our banking sector—things that we use every day. It is therefore right that the Bill has been brought forward, although there was a considerable delay following the work done in 2022 by the previous Government. I am pleased that the Bill seems to have cross-party support.
The Bill recognises that attacks involve a wide range of methods, and may involve data centres, outsourced IT providers and complex supply chains working in the sector. That is critical for my constituents in Northampton, who are on the northbound data super-highway from London. In the last six months, we have heard announcements of over £1 billion of investment in new data centres, in both the public and private sectors. I thank the Minister and his Department for all their hard work in securing that investment, which will create new jobs in my constituency. Without improved regulation and clarity, that investment remains slightly uncertain. The Bill will definitely improve that clarity and certainty for the sector, as well as for the many businesses in my constituency that rely on a managed service provider for their IT or provide data centres. That is particularly important for all hon. Members, because the control centre that looks after our security is in my constituency. That data security is therefore particularly important for our personal wellbeing.
I have also looked at this issue from the perspective of the many businesses in my constituency who use managed service providers for their IT. They include large businesses. In my previous business—a business of 7,000 or 8,000 people—an MSP provided our help desk; when I had a problem, I would ring it up. The inclusion of managed service providers is critical to give us better protection and improve standards and resilience, and therefore reduce burdens on the businesses that use them, particularly their cyber insurance costs. I have two asks of Government on this. First, as other Members have done, I ask that we do this proportionately, as change in this area may have a considerable impact on small businesses—both on their MSP costs and their direct costs. I also ask that we work hard to consider how the legislation works with international law, particularly as my experience is that a lot of MSPs, such as HelpDesk, use overseas workforces.
I welcome the stronger reporting requirements. I recognise the point made by the hon. Member for Bromsgrove (Bradley Thomas) about his ten-minute rule Bill on regulation and reporting. From a business perspective, as long as there is clarity—the Bill sets out that there will be greater clarity for business—we get honesty, trust and a business environment in which people understand what they have to do and when they have to do it. The Bill moves us towards that.
I also welcome the much stronger enforcement powers in the Bill. That sends a real message to criminals that there are significant risks to them. To businesses, I say that money talks, and when there are stronger enforcement risks to someone’s business, all of a sudden cyber-security ends up higher up the corporate risk register.
As the Bill is implemented, I ask for genuine consultation with industry. It is particularly important to note that this is a framework Bill.
Kit Malthouse (North West Hampshire) (Con)
The hon. Gentleman is making a very interesting and pertinent speech. I hope he will welcome the fact that the Bill strengthens the requirement on companies to not only look at prevention but have an adequate recovery plan. Does he think that there is adequate sanction in the Bill for those companies that are deemed not to have an adequate recovery plan? My reading is that regulators cannot necessarily fine for a negligent recovery. As the hon. Gentleman said, the human factor so often matters, but surely that matters as much in recovery as it does in prevention.
Mike Reader
I think the Bill goes some way on that, and it is clear that future legislation and guidance will start to frame those issues. There are other ways that we can drive businesses to improve their business resilience planning. It is part of the standard Government procurement process to require business continuity planning to be demonstrated, and many large businesses in our constituencies will be trying to transact with Government, whether local or national, with the NHS or others. Business resilience is also required at other times when the state interacts with business; I think of procurement particularly. My background is in one of those key areas.
I was just saying to the Minister that one concern I have is that this is a framework Bill. There is to be a lot of future guidance, so we need continued consultation—this message has been made by others as well—so that the standards are really clear. The legislation was getting quite messy. We want to make it a lot clearer. We want to be really clear with business, and we want to give organisations early notice, so that they can adjust, rather than springing this on business as we push to address a real threat that has been recognised right across industry.
I come back to my original point: we should consider the human in the loop. When we set guidance and requirements, we should look at how businesses think about the human aspect, as well as the technocratic solutions that would be in a business continuity plan or similar. This is a necessary Bill. I support its aims and focus. It signals real confidence to the market—to those already operating in it, and to those who are coming to invest in great places like Northampton, to build the data centres and other infrastructure that we need.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
I refer the House to my entry in the Register of Members’ Financial Interests. I commend my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Exmouth and Exeter East (David Reed) for their excellent speeches. I particularly associate myself with their comments on the Computer Misuse Act 1990 and the need for an extension to our cyber-skills in this country. Before entering this place, I worked professionally in cyber-security and operational resilience, advising businesses of all sizes on how to reduce the risk of cyber-attacks and helping them to understand how far-reaching the consequences of a cyber-breach can be from a commercial perspective, and not just a technical one.
I am vice-Chair of the Business and Trade Committee, and we have heard direct evidence for our report on economic security from Marks & Spencer, Co-op and Jaguar Land Rover, all of which suffered catastrophic breaches last year. Although the attacks were different in form and impact, as the shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), said, they shared a common feature: they were driven by social engineering, not technical failure. Human access was exploited, trust was abused, and controls failed further up the chain. The outcomes, however, were very different.
At Co-op, a more modern, secure-by-design IT infrastructure enabled an early containment strategy, limiting the impact on customers, stores and the bottom line. Marks & Spencer, which had not prioritised early replacement of legacy infrastructure, suffered months of major disruption to customer-facing services and retail logistics. The financial impact alone for M&S is in the region of £300 million, or 45% of its prior year pre-tax profits. Jaguar Land Rover was in a different category altogether. There, the attack cut into operational technology systems tightly integrated with manufacturing operations, bringing production lines to a standstill and disrupting just-in-time supply chains. That shutdown cascaded far beyond a single company, directly impacting numerous suppliers in the midlands regional economy, as many Members have already mentioned, as well as contributing to a measurable fall in UK GDP, estimated to be in the region of £2 billion.
Those cases demonstrate that cyber-risk manifests in three ways: operational risk, financial risk and reputational risk. Too often, even at FTSE level, businesses and boards fail to grasp that this is a potentially devastating combination. I hear the same message repeatedly from industry, including at the Financial Times Cyber Resilience Summit in London, where I spoke at the end of last year. There is frustration from CISOs—chief information security officers—and security vendors that it can be difficult to develop conversations with boards and audit chairs to assign the appropriate resources and strategic prioritisation. Businesses accept that standards must rise, but they want regulation that is targeted, proportionate and focused on prevention, rather than paperwork.
The Bill does some things well. Updating the 2018 NIS framework, expanding coverage where it is genuinely needed and strengthening enforcement powers are all sensible in principle. Faster incident reporting has value, but reporting alone is not resilience. There are gaps that matter. First, the Bill does not go far enough on governance. Cyber failures are governance failures. Responsibility sits not only at board level, but clearly and specifically with chairs and audit and risk committees, yet the Bill stops short of driving meaningful accountability there. Without that pressure, cyber will continue to be delegated downward to IT and operations teams, rather than being owned at the top.
Secondly, there is a risk of confusing activity with preparedness. Increasing reporting obligations after an incident does nothing to prevent the incident from occurring. Prevention is always better than cure, and this legislation needs a stronger emphasis on baseline capability, risk maturity and early intervention.
Thirdly, we must be careful about cost, capacity and particularly enforcement. The implications for SMEs are significant, particularly those that are pulled into scope through supply chains. At the same time, regulators cannot enforce what they are not resourced to oversee. Without credible enforcement, the Bill risks becoming a paper exercise and boards will respond accordingly.
Fourthly, the Bill needs to recognise the connection between, and draw a clear distinction between, IT and operational technology. What works for enterprise IT systems may be inappropriate or even dangerous in OT environments such as manufacturing, critical national infrastructure, energy and logistics. Segregation, architecture and the configuration of security devices must be assessed. Risk profiles differ; controls differ. That nuance matters.
I want to be clear that the Opposition support the aims of this Bill in principle. Cyber-resilience requires a whole-of-society approach involving Government, regulators, businesses and boards working together, but if this legislation is to drive real change, it must be enforceable, proportionate and grounded in how organisations actually operate. Boards and audit committees must feel the weight of responsibility, regulators must have the tools and resources to act, and prevention must be prioritised over post-incident form filling. The National Cyber Security Centre has produced clear, practical guidance for boards, and that should sit at the heart of our approach. We need smarter regulation, properly enforced, not just more of it.
Amanda Martin (Portsmouth North) (Lab)
I want to start by saying happy new year to you, Madam Deputy Speaker, to the staff, to all in this House and to the residents of Portsmouth.
I thank the Minister for his introduction to the Bill and for highlighting some of the major concerns that cyber-insecurity has caused and continues to cause for this country. I welcome the Cyber Security and Resilience (Network and Information Systems) Bill because it reflects a clear change of direction under a Labour Government, moving from a fragmented and often reactive approach to a cyber-security approach that is strategic, cross-Government, resilient and focused on national capability and everyday solutions. We have heard it said many times in this House that the first duty of any Government is to protect their citizens, and in the modern world that duty must extend to the digital systems we all rely on.
Cyber-attacks now pose a daily threat, not just to Government systems but to the livelihoods and security of people in Portsmouth, where major employers, manufacturers, ports and supply chains are attacked and the consequences are immediate and personal. Production can stop overnight, wages can be put at risk and sensitive personal data can be exposed. Constituents in my city who work for, supply or depend on companies such as Jaguar Land Rover have seen this reality at first hand. When large engineering, retail and manufacturing firms are targeted, the impact ripples far beyond their head offices, reaching workers on the shop floor, contractors, small local suppliers and customers whose orders are delayed or cancelled.
For a city like Portsmouth, which is built on defence, maritime work, engineering skills and complex supply chains, cyber-resilience is not an abstract policy or a technical exercise; it is about protecting jobs, safeguarding family incomes, maintaining confidence in the systems that keep our city working, ensuring the security of the public services people depend on every day, and ensuring that our city’s residents are kept safe. Portsmouth city council has been a target. In late 2024, its website was hit by a cyber-attack called a distributed denial of service—DDOS—attack by a pro-Russian hacking group. The attack made it difficult for residents to access council services online for a period of time. Fortunately, no personal or council services were compromised, but the attack demonstrated that even local public infrastructure in places such as Portsmouth is a target for cyber-actors. This is not just an abstract risk.
Local crime statistics show that cyber-crime is a lived experience for Portsmouth residents. About 16% of residents reported experiencing cyber-crime in a 12-month period, including phishing attempts, online fraud and accounts being hacked. As my hon. Friend the Member for Harlow (Chris Vince) noted, not all these crimes are reported as people feel embarrassed, alone or foolish. That is how these crimes continue to proliferate through our society. Local police crime figures also show significant levels of harassment, malicious communications and other online offences that are often instigated through cyber-attacks. These are not just techie problems; they translate into financial losses, practical inconveniences and, most alarmingly, psychological harms and in some cases people attempting to take their own lives because of the damage that has been caused.
Yes, there is an economic cost to cyber-crime, but there is also a human cost, and that is why this Bill matters. It modernises the UK cyber-security framework by strengthening baseline requirements, improving instant reporting and extending protections to a wider range of essential services and supply chains. Its three pillars are welcome. It recognises that weaknesses in one organisation can rapidly cascade across the entire economy, whether it is through the actions of cyber-criminals or hostile foreign actors. It recognises that cyber-crime is real and its effects devastating.
This is not just about big business; as we have heard, cyber-attacks disrupt NHS appointments, threaten energy and water supplies, and prevent people from living their daily lives. Last year alone, 11,000 NHS appointments were lost due to cyber-attacks, and since 2024 at least five direct cyber-attacks have been targeted at UK water supplies—one of them targeted at Southern Water. In 2025, it was reported that 62% of UK energy organisations experience cyber-attacks.
Crucially, Labour recognises that cyber-security is not only a technical issue, but a workforce and economic one. Clearer standards and stronger oversight give businesses the confidence to invest, raise resilience across the economy and ensure that organisations are not left to face increasingly sophisticated threats alone. The Bill rightly ensures that breaches are reported swiftly within 24 hours, because pace and speed are vital if we are to minimise the domino effect of cyber-crime.
The Bill rightly gives regulators the flexibility and powers they need to act as new threats emerge. That comes with the assurance of resources and transparency, as well as a more consistent strategy, evidence and wider clarity. That is particularly important for Portsmouth. Our city is home to the Royal Navy, with one of Europe’s most significant naval bases sitting alongside a major commercial port, advanced engineering and manufacturing activity and a university that recognises expertise in cyber-crime and digital security. When our city was blitzed in the second world war, we could see it and act on it. Cyber-crime needs to be brought into the light in the same way, so that we can all act on the attacks that are happening and create a different culture in which people do not hide and are not embarrassed to say what has happened to them, their businesses or their community.
Portsmouth already plays a vital role in our national security and industrial base. It is not just a target, but a part of the solution. I am proud that the University of Portsmouth is recognised as a centre of cyber-expertise, with leading research and collaboration on cyber-crime, digital security and economic crime. Its centre for cyber-crime and economic crime brings together multidisciplinary experts studying cyber-crime courses, prevention and resilience, and it works with community groups, schools and local businesses to raise awareness and protect people from cyber-crime. The university also conducts advanced research into cyber-security systems and threat detection through computing and behavioural science, helping to develop real-world solutions that improve organisation and national resilience. These efforts not only support local households and employees, but grow the skilled cyber workforce that the UK needs, which links directly to the economic and security objectives of the Bill.
The Bill lays the foundations for a more secure and resilient Britain, and I am pleased to support its Second Reading. In doing so, I seek reassurances and clarity from the Minister on four key points. First, how will the whole of Government work together to ensure that Portsmouth, with its defence, maritime and manufacturing base alongside thousands of small businesses, local services and the public sector, is supported to benefit fully from the Bill? Secondly, how will the Government work with and reach all employers to strengthen knowledge and skills, long-term economic resilience, accountability and responsibility? Thirdly, how will the Bill be linked to investment in cyber-skills and training, so that we are not left without the people needed to make the changing world an easier place to live?
Finally, how can we ensure that this is just the start of the conversation? How can we use the Bill to help change the culture around cyber-attacks so that individuals and organisations can, yes, take responsibility and ownership, but in a supportive environment, rather than one that lays blame? How can we as MPs across the House encourage openness among our constituents, small businesses, large employers and the public sector alike, so that together we can carry out the Government’s first duty, which is to protect their citizens in a modern, ever-changing world?
Ben Lake (Ceredigion Preseli) (PC)
It is a pleasure to speak on Second Reading of the Bill. I am very pleased to say that I support the Government’s introduction of the Cyber Security and Resilience (Network and Information Systems) Bill and welcome it as a very important first step in strengthening the protections of the UK’s critical national infrastructure and because it addresses many of the gaps that have been identified in numerous implementation reviews in recent years.
Other right hon. and hon. Members have made the point that the risk and harm inflicted by cyber-attacks are significant and very real. Others have cited their impact on a whole host of businesses and industrial sectors and on society. We have heard about the harm inflicted on NHS services, for example, and many Members have referred to the attacks on JLR, the Co-op and Marks & Spencer. The impact that the attacks had on not only those businesses, but the wider supply chains and local economies, is significant. As the Minister said when he opened the debate, it is estimated that some £14.7 billion is lost to the UK economy annually due to cyber-attacks, which is the equivalent of 0.5% of GDP, so it is right that the Government act to address these risks and harms.
In doing so, the Government comply with one of the calls of the strategic defence review, which stated that the world has changed and, in listing the other, more conventional threats that the country faces, specified that daily cyber-attacks at home are something we need to take very seriously. The Government are right to bring forward the Bill. As other Members have made very clear, the nature of cyber-crime and cyber-attacks and the threat that they pose are ever evolving, so I have a great deal of sympathy with the Government as they endeavour to keep up with what is a very rapidly developing industry and nature of threat.
Although I support the Bill and look forward to working with Ministers as it passes through the House, there are two points on which I would welcome clarity or further consideration by Ministers. A few Members have mentioned the importance of looking at our cyber-resilience in a more holistic manner. Although technical security and safety are very important, and the Bill goes a long way to addressing those matters, it could perhaps be strengthened by looking at our digital sovereignty. Other Members have made the important point that we need to consider supplier concentration in this field and domestic capability. If we fail to do so, we risk long-term dependency.
There are a few examples that I could draw on, but I will use that of Microsoft deciding to suspend the use of some of its services for justices in the International Criminal Court. I am not saying that Microsoft is going to threaten the UK Government or any of our services, but that example illustrates the risk that if we, or aspects of our economy or businesses, are overly dependent on certain suppliers, we are vulnerable. It is right that the Government have a way of preparing contingency plans for that or, at the very least, that they consider the potential impact of over-dependence on certain suppliers.
I wonder whether that consideration could be included as part of the statement of strategic priorities that part 3 of the Bill stipulates will be made by Ministers. The statement could then look not only at technical security as part of its cyber-resilience approach, but at digital sovereignty and domestic capability. In that regard, it would be not too dissimilar to some of the efforts we are starting to see from European partners. France and Germany are starting to undertake similar strategies and reviews of their domestic capability and potential over-reliance on certain suppliers.
My second and final point is to seek clarity from the Minister when he sums up on the directions to certain bodies and persons for national security purposes in part 4 of the Bill. If we accept that the nature of the cyber-threat and the risk to cyber-security are ever evolving, it will be impossible for any one piece of legislation to encompass all the possible dangers we may face. In order to try to future-proof the Bill, especially against national emergencies or crises, I wonder whether Ministers should consider even further last-resort powers, particularly to enable them to direct the shutdown of any domestic data centres or AI systems in the event of a security or operational emergency. I ask that because I am not entirely clear whether the powers already listed in the Bill allow Ministers to do that. If they do not, I ask the Government to consider such powers, so that they are able to intervene appropriately in the event of a future national crisis or emergency caused by AI systems in particular data centres. Such events could cause large-scale harm to the public, especially in the very rare but hopefully unlikely scenario in which the designated persons who are otherwise responsible for those systems refuse to co-operate with the Government.
Having raised those two points, I wish to underline my support for the Government’s efforts in this regard. I very much welcome the Bill and its Second Reading.
Emily Darlington (Milton Keynes Central) (Lab)
I welcome the Bill and the cyber action plan for public services, which was published today. As we have heard from right hon. and hon. Members’ many great speeches today, this is so important to the UK economy and public.
Despite being one of the smaller countries in the world, we are still one of the biggest targets for cyber-attacks. In the past 12 months, there has been some good news: only four in 10 businesses and three in 10 charities have had cyber-security breaches—the figures are down on the previous year. However, there has been a huge increase in nationally significant cyber-incidents, which have more than doubled in the past year, including the malicious cyber-attacks on critical infrastructure by Russia and China.
These matters are important to companies based in Milton Keynes Central, where one in three jobs are in technology. Milton Keynes is a leader in the development of AI and tech services, including in legal services, financial services and autonomous vehicles. Those companies have experienced cyber-attacks, so the Bill is very welcome. The difficulty is that it misses a huge portion of the discussion, and Ministers have somewhat neglected to mention sovereign technology in their comments or in the strategy. I hope that they will do so in the wind-up.
One role of sovereign technology is to fight cyber-crime. There are many definitions of sovereign technology, so what does it actually mean? To me, most of the public and the industry, it means UK innovation and technology. It is developed in the UK and is UK-owned intellectual property. It means a company paying UK taxes. Most importantly, it means a UK company being accountable to the UK. The Government have talked a lot about their commitment to developing and securing sovereignty, but that needs to be extended to all critical technology and infrastructure. Not only is that important in cyber-security terms, but it has other advantages, too: it is good for the economy, creates innovation and sets the highest standards, and it thereby gets public support and confidence and achieves small business support for absorbing the innovation. It achieves growth by creating not only UK customers, but—ambitiously—worldwide customers.
The Government have done that quite well in the past. They have created safe and secure solutions. Crown Hosting Data Centres is a really good example of a joint venture between the Government and Ark Data Centres. Unfortunately, only 3% to 4% of Government servers actually use it, and we must ask why. What are we doing to promote safe and secure solutions in the UK that would help us to fight for cyber-security and ensure that it is promoted across the public sector, and to ensure that those solutions gain support in the private sector? Instead of using Crown Hosting Data Centres, many are using ones run by foreign firms with securities and standards developed outside the UK. Outages at Amazon Web Services in cloud hosting have cost business millions.
Let us look at other areas where the public rightly worry about cyber-attacks and cyber-security, such as NHS data. We have heard about the impact of cyber-crimes on the NHS and on lives, but it also impacts public confidence. Palantir has a £330 million contract to bring together all NHS data. That is a fantastic initiative and really important, and the public support it because they do not want to have to repeat their health story to each and every doctor, nurse or other health professional that they meet. The difficulty is that using a foreign firm with some questionable alliances has led to an erosion of public trust and to a lack of trust among doctors, slowing the take-up of this important innovation in NHS services. That is partly because the co-founder of Palantir called our pride in the NHS “Stockholm syndrome”. Unfortunately, he misunderstands the very body to which he is selling services and is thereby eroding public trust. I know many UK firms that could have done just as good a job—and probably better, because trust among the public and doctors would have increased.
We hear that Palantir has just won a £240 million contract with the Ministry of Defence for
“data analytics capabilities supporting critical strategic, tactical and live operational decision making across classifications”.
Again, it is hugely important that we are using the latest technology to promote our MOD and that we are tying all that up. I do not think anybody in this House has concerns about the MOD making these kinds of investments; it is who we choose to partner with that drives the concern.
As I have already argued, the reality is that cyber-security has to be UK-focused. We have to protect our national interest and ensure that our partners put our national interest and cyber-security first and foremost. The views of organisations such as Palantir on the NHS and its integration into US Immigration and Customs Enforcement—otherwise known as ICE—lead us to worry that it does not share UK values. It creates a strategic vulnerability. That is what the sector is saying to us, and we should listen to it. Cyber-security is not just about reporting; it is about the investments we make ahead of time. Imagine if those two contracts and their economic opportunities had been given to UK firms. There would be enhanced UK-based cyber-security and greater confidence in our most critical areas of health and the military.
Let me raise another example which, if The Daily Telegraph is correct, I am sure will raise significant public trust concerns. It has reported today that the Government are considering using Starlink for the emergency services network, replacing the existing radio set-up that is used by ambulances, police and the fire service in an emergency—our most critical infrastructure. This company is controlled by a man who has shown his willingness to turn off satellites in Ukraine at his own political whim.
Cameron Thomas (Tewkesbury) (LD)
The hon. Lady is making a really important point about Elon Musk’s Starlink system, but will she go a little further and recognise that not only has Elon Musk switched off Starlink in Ukraine at will, but he has done so on occasions that might have turned the tide of the war?
Emily Darlington
I thank the hon. Member for raising that point. It is important to note that Elon Musk turned off Starlink at very strategic points for the Ukrainian military when it was advancing on Russian-held territory. It is not just that he chose to turn it off; he chose to turn it off at a critical time for the Ukrainian military. I worry that somebody who chooses to do that, and who encourages violence among the UK public at a far-right rally, at which he said,
“Whether you choose violence or not, violence is coming to you. You either fight back or you die”,
is not an appropriate or safe partner for our emergency services.
I absolutely support the comments made by my right hon. Friend the Member for Oxford East (Anneliese Dodds) about transparency, and about some of the actions being taken by those who have been willing to stand up to these companies and demand transparency. While that is probably not the subject of today’s debate, I think we must take those actions as a warning for what is to come.
I welcome the Bill and the action plan, but to truly make the UK safe and secure from state-sponsored or criminal cyber-attacks, we need to ensure that there is a UK sovereign infrastructure, capacity and capability. The Government can lead the way through their own procurement practices by making sure we are partnering with UK sovereign firms. That is good for security, good for protecting us against cyber-attacks, and good for the economy and public trust.
Andrew Cooper (Mid Cheshire) (Lab)
It is a privilege to follow my hon. Friend the Member for Milton Keynes Central (Emily Darlington), who made a fantastic speech. I do not think mine will be of quite the same quality, but I will do my best.
Having spent my career prior to entering this place as a software developer, it is perhaps not so much a pleasure as a blast of nostalgia to be speaking on this Bill today. The Bill provides for an important and long-overdue update to the NIS regulations, and provides the means to keep those regulations up to date more quickly as new threats emerge. That was a massive gap in our capability left behind by the rather haphazard and cavalier manner of our departure from the EU, and it is absolutely right that we resolve it as soon as we can.
It is a cliché to say that the nature of the threats we face has changed. Whether it is state-sponsored cyber-attacks, hacktivism, identity theft or ransomware attacks, those threats can have a widespread and significant impact on people’s lives, on the wider economy, and on our safety and security. Many Members from across the House have noted the cyber-attack on Jaguar Land Rover —which led to that company posting a loss of £485 million last year and, as I think we heard earlier, to a £2 billion impact on the wider economy—and the Co-op infiltration, which cost that retailer at least £206 million. However, this is not a new issue, and virtually no area of the economy has not experienced attempts to penetrate its systems and cause disruption or steal data.
Cameron Thomas
The hon. Member speaks of the cyber-attacks on Jaguar Land Rover and the Co-op. Those who pay council tax to Gloucester city council have concerns that following a Russian cyber-attack in 2021, that council recently discovered a £17.5 million deficit. Will the hon. Member recognise that too?
Andrew Cooper
I thank the hon. Member for his intervention. I confess that I am not an expert on the IT of Gloucester city council, but I am sure the Minister has heard his intervention, and may wish to respond in his summing up.
I welcome the measures in the Bill to bring managed service providers and data centre infrastructure into scope. When I began my career working on hotel reservation systems, legacy on-premise infrastructure was the standard operating practice. Some organisations would develop their own line of business systems and some would buy in, but virtually all would be hosted on their own servers, often with clever names such as Spartacus, Xena or Buffy the Vampire Slayer—names that I worked with over the years.
That situation changed for a whole pile of reasons, such as the need to support more public access, the requirement to facilitate more home working, huge increases in the speed of domestic and business broadband, the need to provide failover, redundancy and scaling, the shift away from big capital investment towards infrastructure as a service, and wanting to benefit from more rapid roll-out of features and applications that require significant server infrastructure behind them, such as we have seen more recently with AI. Systems have been moving virtually wholesale to those that are managed remotely and sandboxed to multiple organisations, and towards virtual servers or services in data centres, rather than on-premise tin.
Bringing these two areas into scope is obvious, and it is long overdue. I offer a note of caution about this part of the Bill, and it relates to the threshold at which the regulations apply. For managed service providers, we need to ensure that we are providing appropriate levels of cyber-security without blocking new entrants to the market. That applies to critical suppliers, too. The risk is that we end up boosting the hegemony of the big outsourcers and IT suppliers, rather than being able to support new domestic entrants. There is a risk of vendor lock-in, as we have heard several times today. Equally, the threshold on data centres appears to have been set so high that only larger ones will be in scope. I hope that the Minister will keep both of those points under review as the Bill progresses and think about how we can strengthen this provision to strike the right balance.
The other area of the Bill that I want to talk about relates to the regulators. The Minister set out in his opening remarks why he believes a sectoral approach is appropriate, and there is merit to that argument. Sectoral regulators have deep, long-standing institutional knowledge and they understand how the processes work in their sector. However, as I touched on earlier, the consequences of failure are enormous, with real-world impacts on people’s everyday lives. We should not expect an overarching cyber regulator to have the domain-specific knowledge of the water sector or the air traffic control sector, and nor should we expect every sectoral regulator to carry the expertise of how modern scalable data centres that detect faults automatically and automatically failover to different regions or different jurisdictions work. We just need to think about what the priority of an individual sectoral regulator will be, because it will not necessarily be cyber-security. We have to get the balance right, and we need to listen to the sectoral expertise on that.
In conclusion, this Bill is an important and long-overdue update to the UK’s cyber-security framework. I look forward to working with the Government to get the scope and scale of these regulations right and to ensure that all the systems that we rely on every day are secure in the face of current and emerging threats.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
The cyber Bill should be one of the most fundamentally important pieces of legislation the House will consider in this Parliament, because the UK’s cyber-resilience is a cornerstone of the foremost duty of Government: the protection of the people.
The shadow Secretary of State has already made clear that His Majesty’s official Opposition appreciate the urgent need to act to protect our society, our economy and our security in the face of growing and evolving cyber-security risks. The cyber Bill, however, is a Bill of missed opportunities. It would not have stopped the JLR or Marks & Spencer cyber-attacks. It is silent on the threats from hostile state actors, and it does not answer the fundamental question of: if NIS1 was not enforced, what difference will further regulations make?
Cyber-security is key to our national security. It is too important an issue to play partisan politics with. As a responsible Opposition, we will work with the Government to get the approach to this legislation correct.
Many Members have made insightful contributions today. My right hon. Friend the Member for Hertsmere (Sir Oliver Dowden), who has great experience in this regard, raised the issue of hostile state actors and gave the Ministers some practical advice on which I hope they will reflect. My hon. Friend the Member for Exmouth and Exeter East (David Reed) spoke about his professional experience and about the need for proportionate regulations and modification of the Computer Misuse Act 1900, which was mentioned by several other Members. My hon. Friend the Member for Bromsgrove (Bradley Thomas) made an important point about physical technology and the risk of threats from cellular modules. My hon. Friend the Member for Bognor Regis and Littlehampton (Alison Griffiths) also spoke about her own experience and, in particular, about the importance of the Government’s ensuring that the Bill has an impact. The hon. Member for Ceredigion Preseli (Ben Lake) mentioned digital sovereignty, another important issue which we have discussed on many occasions in this place.
We also heard from the hon. Member for Warwick and Leamington (Matt Western), the Chair of the Select Committee; from the hon. Members for Newcastle upon Tyne Central and West (Dame Chi Onwurah) and for South East Cornwall (Anna Gelderd); from the right hon. Member for Oxford East (Anneliese Dodds); and from the hon. Members for Congleton (Sarah Russell), for Northampton South (Mike Reader), for Portsmouth North (Amanda Martin), for Milton Keynes Central (Emily Darlington), and for Mid Cheshire (Andrew Cooper).
The gravest and the most pernicious risks to UK cyber-security go completely unaddressed by this Bill. Cyber is the emerging battlefield of state security, with hostile state actors ramping up their efforts to disrupt our society, our economy and our democracy apace. Time and again in this Parliament, the Government have baulked at acknowledging the elephant—or, in this case, the dragon—in the room when it comes to matters of national security. Last year the director of GCHQ, the UK’s intelligence and cyber-security agency, confirmed that it devotes more resource to China than any other single mission.
The evidence is clear: the Chinese Communist party is one of the greatest national security threats that our country faces. In November last year, Mr Speaker took the exceptional step of circulating a briefing from MI5 warning of the widespread efforts of individuals and organisations working on behalf of the Chinese Ministry of State Security to target Parliament for intelligence gathering. In the intervening weeks we have learned that Home Office systems were accessed, apparently by a Chinese state-affiliate group. Reports have circulated that the attack is linked to the Chinese gang Storm 1849, previously connected with cyber-attacks on MPs and the Electoral Commission. Furthermore, in December 2025 the Government confirmed that they had sanctioned two Chinese companies for perpetrating what they described as indiscriminate cyber-attacks on the UK public and private sector IT systems.
These are not isolated incidents. They are evidence of a concerted and intensifying campaign on the part of the Chinese Communist party and its affiliates to undermine vital public services and UK businesses. How our country, and how our democratic allies and partners, face the threat of hostile state actors, working in concert, is an epoch-defining challenge. It is a challenge that we must meet, or we will live to regret it.
It is no coincidence that several recent cyber-incidents have targeted organs of Government, with malicious actors rightly perceiving that many of our Departments are the weakest links in the cyber-security ecosystem. The National Audit Office’s 2025 report on Government cyber-resilience laid bare the inconsistent, and in some cases glacial, progress of the Government in making effective improvements in cyber-resilience. Last month’s attack on Home Office IT systems is a stark reminder of the urgency of improving Government cyber-security. His Majesty’s official Opposition have received a clear message from cyber-industry stakeholders: the Government should be leading from the front and setting the standard for effective cyber-resilience. I am pleased that the Government managed, at the last moment, to push out the cyber action plan today. It acknowledges the challenge, but how it will ensure that change is delivered is unclear.
Attacks on household names such as Jaguar Land Rover, Marks & Spencer and the Co-op have raised public awareness of the risks we face, with consumer supply chains interrupted and jobs put in peril. However, the Bill would not have prevented those attacks had it been in force when they took place. Given the constraints on public finances as a result of the Chancellor’s reckless Budget decisions, the Government need to ask themselves how many cyber-attacks of the magnitude of that on JLR we can afford to bankroll. The Government must undertake an urgent review to identify companies whose failure as the result of a cyber-attack would present a comparable risk to the UK economy to that on JLR.
Failing to address all the urgent problems will leave an open goal for malicious cyber-actors to undermine the UK’s security and prosperity. The House is unlikely to revisit cyber-security legislation for some time. The threat to our economy and national security from malicious cyber-actors is one of the most serious we face as a country.
In the parliamentary debate after MI5’s China espionage briefing, the Minister for Security pledged to strengthen the legislative tools available to disrupt the threat. Why not use the opportunity presented by the Bill to address that head-on? We stand ready to work with the Government to stand up for and protect our country, and to prevent the Bill from becoming yet another missed opportunity.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
First and foremost, I thank all Members for their contributions to the debate. I am glad that the House has welcomed the Bill, with deep expertise shown by Members on both sides of the House. Of course, Members have asked questions and I will try to share the Government’s approach. Before that, let me set out what is at stake.
The UK is the most cyber-attacked country in Europe. In 2024, more than 600,000 businesses were subject to a cyber-attack, the average cost of which was just over £190,000. The cost of cyber-attacks to UK businesses in aggregate is estimated to be £14.7 billion a year. The personal experience of my hon. Friend the Member for Northampton South (Mike Reader) is on my mind, as well the facts that my hon. Friend the Member for Warwick and Leamington (Matt Western) shared, such as the most common password in this country being “password”, and, indeed, the comments of my hon. Friend the Member for Mid Cheshire (Andrew Cooper) about Buffy the Vampire Slayer being an effective name deployed in some contexts. The combination of aggregate impacts and such personal experiences is the motivation for the Bill.
National security is the first responsibility of any Government. Cyber-threats have grown and the previous Government failed to move fast enough in the light of that. This Government are acting robustly to ensure that the British public are secure. The big message is, “Let’s ditch legacy systems and platforms and move to a more secure future.” We have done that by ditching the Conservative party; it is time to do it across our economy.
Let me deal with some of the themes that hon. Members raised, especially threats from AI that will emerge in future. The right hon. Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Congleton (Sarah Russell) mentioned those threats. AI will almost certainly continue to make elements of cyber-intrusion operations more effective and efficient, and cyber-threats more frequent and intense. That is why it is important that organisations take steps to bolster their cyber-defences. Under the Bill, organisations must have regard to the state of the art when maintaining the security of their network and information systems. That applies not only to cyber-defences, but to cyber-threats.
The right hon. Member for Hertsmere mentioned agentic AI, and I am conscious that it will be a particular risk. A significant source of mitigation must be the quality of our capability in the private sector, but also in the public sector. I pay tribute to the work of the AI Security Institute, which is right at the frontier of understanding the risk of agentic AI.
Several Members asked questions about scope. Of course, there is a significant risk across our economy, but we have chosen to focus, as NIS regulations have historically done, on essential services, the failure of whose network and information systems poses imminent threat to life to the British public. For that reason, the scope of the Bill is tight. That is not to say that other businesses should not do a great deal to protect themselves against cyber-attacks. However, the Government need assurances that the resilience to cyber-attack of essential services, the disruption of which would have the most profound consequences for public safety, national security and economic stability, is prioritised. Of course, businesses outside the scope of the Bill should make it a critical business priority to gain the same assurance without the need for as much Government intervention.
I am aware of the points made by my hon. Friends the Members for Lichfield (Dave Robertson) and for Warwick and Leamington, the Chair of the Joint Committee on the National Security Strategy, as well as by my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), the Chair of the Science, Innovation and Technology Committee, on Jaguar Land Rover. In that instance, the Government acted swiftly in exceptional circumstances by providing a £1.5 billion loan guarantee to protect jobs, support businesses in the supply chain, and preserve this vital part of British industry. However, as the hon. Member for Exmouth and Exeter East (David Reed) noted, that should not be the expectation on Government; businesses must look to their own defences as a matter of corporate responsibility.
Kanishka Narayan
I might just make a bit of progress.
My hon. Friend the Member for Warwick and Leamington mentioned the food sector and food retailers, given recent attacks. Following the attacks on Marks & Spencer and Harrods, my hon. Friend the Minister for Food Security and Rural Affairs has written to and engaged deeply with the chief executive officers of major food retailers to advise on how the food sector can best protect itself from cyber-threats.
There is a broader question about sectors that are not regulated by this Bill, which has been raised by numerous Members from across the House. The fact that a sector is not regulated under the Bill does not mean that organisations in it cannot protect themselves against cyber-attacks. As I said, the Bill is not designed to cover every sector. Where sectors are covered by existing regulations, and where the Government do not consider it essential to regulate a sector through the Bill, we have taken a proportionate approach. Introducing blanket coverage for whole new sectors would create extensive regulatory burdens for more of our economy, stifling economic growth. At the same time, this Bill will enable the Government to bring more sectors into scope in the future, and to take swift action if national security is at risk.
The Bill sits alongside a series of actions that the Government have taken. I highlight in particular the fact that the Government have written to UK businesses and trade bodies across sectors to make sure that they are embedding cyber essentials across their supply chains, that they are making cyber-resilience a board-level priority, and that the NCSC’s early warning system and advice is heeded.
Both Conservative Front Benchers, the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted (Victoria Collins), and my hon. Friend the Member for Congleton spoke about coverage of the public sector. The public sector requires a significant step change in cyber and digital resilience. As has been mentioned numerous times, today we have published the Government’s cyber action plan, backed by £210 million of investment. The plan takes decisive action and holds Government Departments accountable for their cyber-security and resilience, as well as providing them with more direct support and services, and co-ordinating responses to fast-moving incidents.
I will take up the point made by the right hon. Member for New Forest East (Sir Julian Lewis) about the juiciness of local government digital provision. I share his enthusiasm. The Government’s cyber action plan takes into account wider Government and public sector coverage. In fact, it strengthens, clarifies and joins up how lead Government Departments hold the wider public sector, including local government, to account for improved and equivalent cyber-resilience.
I will make an observation about the points raised about not just reporting and assessment, but recovery and resilience. I flag to hon. Members from right across the House that our proposals for security and resilience requirements are being prepared for secondary legislation. They will align with the NCSC’s cyber assessment framework, which relates to effective response and recovery. A consultation is likely in the year ahead.
There were a series of questions and comments about regulators, and proportionate and effective regulation. The Bill allows regulators to make sure that they are well resourced to carry out their duties, and can charge reasonable fees to cover more of the cost of their activities under the regime. It will enhance the regulators’ impact by ensuring clearer information gateways and increased incident reporting, and establishes a unified set of objectives. The shadow Secretary of State talked about regulators not finding enough incidents, and about them finding too many, but I will let her work out the obvious contradiction in her position.
I say in response to the right hon. Member for Hertsmere that there is clear scope for AI capability to be used in triage. I very much hope that the reviews that the Secretary of State must undertake—they are embedded in the Bill’s requirements—will ensure that we look at efficient ways that regulators can do that.
The Chair of the Science, Innovation and Technology Committee, my hon. Friend the Member for Newcastle upon Tyne Central and West, made a point about the frequency and quality of the reviews of the regime in this Bill. The Department for Science, Innovation and Technology will monitor and evaluate the new framework in reviewing the effectiveness of the regime. The Bill requires the Secretary of State to lay before Parliament a report on the operation of certain NIS legislation, and to publish one at least every five years. It will be an extensive review, so we want to make sure that it is proportionate, rather than overly frequent. The commitments made by the Secretary of State to the Chair relate primarily to the Bill.
In response to the points made by my hon. Friends the Members for Warwick and Leamington, and for Mid Cheshire, about the possibility of a cross-sectoral cyber regulation approach, I flag that 12 regulators are responsible for enforcing this regime, because different sectors rely on different technologies, and have very different risk attitudes and responses to vulnerabilities. It is right that we use sector expertise to address sector-specific issues.
The hon. Member for Bognor Regis and Littlehampton (Alison Griffiths) made an appropriate point about enterprise IT and operational technology being differentiated. That is why we have used a sectoral lens; it is a very tractable way of differentiating the risk factors. We have set out a sectoral approach, but that does not preclude the Secretary of State from setting out, in a statement of strategic priorities, the possibility of co-ordination and information sharing across regulators.
In response to the points made by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted, as well as the hon. Member for Exmouth and Exeter East, about making sure that incident thresholds are clear and proportionate, the 24-hour light-touch notification requirement is proportionate. All that is needed is information alerting the regulator and the National Cyber Security Centre to the nature of the incident; the system does not rely on over-regulation. With the exception of data centres, reportable incidents that affect operators of essential services would need to have affected the operation of significant network and information systems right across the entity, and to have a significant national security impact. That is extremely unlikely to include minor matters, such as the receipt of a phishing email.
The Chair of the Treasury Committee, my hon. Friend the Member for Hackney South and Shoreditch (Dame Meg Hillier), made a point about financial services organisations, and I respond simply by flagging that UK financial services are resilient against cyber-threats. The threats are of course growing, but the regulatory approach taken by the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England were some of the sources for the approach we have taken in this Bill. Regulatory overlap was mentioned; this Government will make sure that businesses that have to navigate multiple regulatory frameworks with multiple services will face minimal burdens. We will work with our regulators and international authorities, including those in the EU, on the implementation of the Bill.
Turning to the impact on business, and the Bill ensuring a proportional approach to security, the Government will regulate only when that is necessary to protect our economy and our country from serious harm. A single attack can disrupt hospitals, transport and vital services, putting lives at risk, and we will not gamble with our economy or our people’s safety. The cost of doing nothing is, of course, too great. As I have mentioned, cyber-attacks drain almost £15 billion a year from UK businesses. At the same time, this Bill takes a proportionate approach to ensuring the safety of British people.
Board-level responsibility was brought up by a number of Members from across the House. I simply say that all business leaders need to take responsibility for their organisation’s cyber-resilience. On 13 October last year, the Government wrote to chief executives, requesting that they make cyber-security a board-level responsibility. The Government’s new cyber governance code of practice focuses on the governance of cyber risk specifically, and we will consider using secondary legislation to require companies to clarify their cyber-security responsibilities at board level.
A number of Members raised the issue of the effect on small and medium-sized businesses. Growth is the Government’s No. 1 mission, and small businesses are the engine room of that growth. They provide many of our most important services. That is exactly why small and, particularly, micro-sized managed or digital services are exempt from regulation under this Bill. They can be regulated only if they are designated as critical suppliers, and there will be an extremely high bar for designation. That should answer the question from my hon. Friend the Member for Mid Cheshire about companies meeting the bar for designation. A point was made about the ability of small businesses to tell quickly whether they are in scope. The regulator will complete an investigation process, which will include giving notices and having consultations with relevant businesses, prior to confirming whether an organisation meets the criteria for being in scope. That process needs to be robust, but we hope to make sure that those regulatory processes are proportionate, too.
I turn to a critical question from my hon. Friend the Member for Milton Keynes Central (Emily Darlington), my right hon. Friend the Member for Oxford East (Anneliese Dodds) and the hon. Member for Ceredigion Preseli (Ben Lake) on long-term sovereignty and capability in this country. Over the last decade and a half, the Conservative party in government sold this country’s strategic leverage over the primary sector, software and digital infrastructure. We will not repeat that mistake. We have already committed, right across the board, to extremely robust digital sovereignty measures. We have committed £500 million to a sovereign AI fund. We have made sure that there are tens of billions of pounds pouring into this country as capital infrastructure for AI, and British firms like Nscale are right at the heart of that. There is an advanced market commitment to cloud compute, to make sure that British companies are right at the heart of the provision of core infrastructure in future. Through the British Business Bank, we are committing tens of billions.
David Reed
We talk about sovereign capability, but how can we have fully sovereign capability when we do not own the means of production of most advanced chips?
Kanishka Narayan
I point the hon. Member to a thriving compound semiconductor cluster in south Wales, as well as chip manufacturing companies. If he doubts how advanced Arm is—the primary chip design company in the world—I would advise him to read a primer on the chip company supply chain.
The Government are pursuing a clear sense of digital sovereignty. On China, I flag that we are taking stronger action to protect our national security, including our critical national infrastructure, as well as making sure that, where appropriate, we look for opportunities for co-operation. The national security strategy, the independent review of state threat legislation and our new powers on counter-terrorism will make sure that we do that.
I am conscious that I am testing your patience, Madam Deputy Speaker, so I will simply flag a final point. The “whole society” approach was mentioned by a number of right hon. and hon. Members. We are making a series of investments in skills to ensure that young people are inspired to pursue careers in cyber-security. On the points made by my hon. Friends the Members for South East Cornwall (Anna Gelderd), and for Portsmouth North (Amanda Martin), I am deeply passionate about ensuring that young people—young women and girls, in particular—in their areas, Wales and across the country pursue thriving careers in cyber-security.
National security is the first responsibility of this Government. The Bill could not be more necessary for confronting developments in global cyber-threat. I thank all right hon. and hon. Members for their engagement with the Bill as it progresses. I encourage them to engage deeply. To all rogue organisations with hackers at the helm—I do not just mean the Conservative party—I say this: your time is up. With this Bill, we will make sure that the British public are secure.
Question put and agreed to.
Bill accordingly read a Second time.
Cyber Security and Resilience (Network and Information Systems) Bill: Programme
Motion made, and Question put forthwith (Standing Order No. 83A(7)),
That the following provisions shall apply to the Cyber Security and Resilience (Network and Information Systems) Bill:
Committal
(1) The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Thursday 5 March 2026.
(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Consideration and Third Reading
(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.
(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.
Other proceedings
(7) Any other proceedings on the Bill may be programmed.—(Jade Botterill.)
Question agreed to.
Cyber Security and Resilience (Network and Information Systems) Bill (Money)
King’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise the payment out of money provided by Parliament of:
(1) any expenditure incurred under or by virtue of the Act by the Secretary of State or another public authority, and
2) any increase attributable to the Act in the sums payable under or by virtue of any other Act out of money so provided.—(Jade Botterill.)
Question agreed to.
Cyber Security and Resilience (Network and Information Systems) Bill (Ways and Means)
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise:
(1) the imposition of charges under or by virtue of the Act; and
(2) the payment of sums into the Consolidated Fund.—(Jade Botterill.)
Question agreed to.
Cyber Security and Resilience (Network and Information Systems) Bill (Carry-over)
Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),
That if, at the conclusion of this Session of Parliament, proceedings on the Cyber Security and Resilience (Network and Information Systems) Bill have not been completed, they shall be resumed in the next Session.—(Jade Botterill.)
Question agreed to.