Cyber Security and Resilience (Network and Information Systems) Bill

(Limited Text - Ministerial Extracts only)

2nd reading
Tuesday 6th January 2026


Commons Chamber

This text is a record of ministerial contributions to a debate held as part of the Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 passage through Parliament.

In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.

This extract highlights statements made by Government Ministers along with contextual remarks by other members.

This information is provided by Parallel Parliament and does not comprise part of the official record.

The Minister for Digital Government and Data (Ian Murray)

I beg to move, That the Bill be now read a Second time.

A happy new year to you, Mr Speaker, and to all the House staff. This is the first opportunity I have had to say that to you.

On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware—malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.

This was not an isolated case. In the year leading up to September 2025, the National Cyber Security Centre dealt with 204 “nationally significant” incidents, meaning that they seriously disrupted central Government or our critical public services. That is more than double the 89 incidents in 2024. No one disputes that we must do everything we can to protect the UK from these attacks. The UK is the most targeted country by cyber-attacks in Europe, and it was the fifth most targeted nation in 2024 by nation state-affiliated threat actors. In 2024, it is estimated that UK businesses experienced over 8.5 million cyber-crimes in the 12 months preceding the survey, and that in that year more than four in 10, or 43%, of UK businesses were subject to a cyber-attack, affecting more than 600,000 businesses in total.

Significantly, cyber-attacks are estimated to cost UK businesses almost £15 billion each year, equivalent to 0.5% of the UK’s annual GDP, notwithstanding the wider economic effects of intellectual property theft or the experience of patients, as in the first example. The average cost of a significant cyber-attack for an individual business in the United Kingdom is estimated to be just over £190,000. There has been a 200% increase in global cyber-attacks on rail systems in the past five years, increasing the likelihood of severe disruption to the economy and to people’s daily lives.

Chris Vince (Harlow) (Lab/Co-op)

Does the Minister agree that, as we become more and more reliant on IT systems—I am thinking in particular about the new patient registration system at the Princess Alexandra hospital in my constituency—it is more and more important that we combat potential cyber-attacks, particularly from foreign powers and enemies of this country? That is why the Bill is so crucial.

Ian Murray

I could not agree more. I gave the example of the Synnovis incident that brought blood transfusions in London to a halt, affecting thousands of patients. Our everyday lives are affected by this. As we modernise and digitise our economy and our Government, we have to ensure that our systems are as secure as possible, and cyber-security is right at the heart of that. This is not just a defensive issue; it is very much an economic growth issue as well, as we can see from the impact it has on our economy, our public services and the day-to-day lives of people, as in the example of our train systems that I just mentioned.

Mr Toby Perkins (Chesterfield) (Lab)

I am grateful to my hon. Friend for giving way, and it is great to see him in his post. On economic growth, how has he sought in the Bill to balance the absolute need for a regulatory framework that businesses can have confidence in alongside the ability to attract continued investment, and to ensure that we do not end up with an over-regulatory framework that stifles investment? How did he find that balance?

Ian Murray

The Bill builds on the 2018 regulations, which were a hangover from the EU when we adopted them in this country. The Bill expands on those. As my hon. Friend the Member for Harlow (Chris Vince) just suggested, this is about economic growth as well as protecting our systems, so we have to find a balance between ensuring that our regulators have the powers and tools to regulate properly and giving businesses and our public services the confidence to use digital technology knowing that we have the most secure cyber-security in Europe, if not the world. We are very good at this stuff, and that is the balance to be sought. This Bill is about economic growth rather than about the over-regulation of businesses. I do not say this flippantly, but cyber-security is one of those areas where if everything is working, nobody notices, but when it is not working, suddenly everyone notices and it is everyone’s problem. That is why we are bringing the Bill forward and extending the scope of the powers.

Jim Shannon (Strangford) (DUP)

I thank the Minister very much for what he is saying and bringing forward. There is much in the Bill that we should encourage. I know that he is a regular visitor to Northern Ireland, and Northern Ireland is home to 130 cyber-security companies with some 2,750 employees. It is therefore essential that this legislation protects those jobs and enhances the capacity for more. Does he believe that the Bill both protects us and provides the opportunity for growth in Northern Ireland and, indeed, across the whole of the United Kingdom?

Ian Murray

Indeed it does. It is one of a number of provisions that the Government are bringing forward to create growth across the country, not just in Northern Ireland. The Secretary of State’s passion is to make sure that those jobs are everywhere, right across the United Kingdom, including in Northern Ireland. The Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), has been in Belfast recently discussing this legislation and wider cyber-security issues with the industry in Northern Ireland, so I can assure the hon. Member for Strangford (Jim Shannon) that that is indeed the case.

Dame Meg Hillier (Hackney South and Shoreditch) (Lab/Co-op)

Hackney council was the subject of a major cyber-attack in 2020. It did a good job, though it was very slow because of the nature of the challenge of getting things back up and running. The Bill is therefore very welcome but, pursuant to the answer to my hon. Friend the Member for Chesterfield (Mr Perkins), there are challenges for some of the smaller companies. I represent Shoreditch, which has many tech companies that need to maintain a standard on cyber-security but are small. How is the Minister going to balance the regulation for those smaller companies to ensure that they can keep abreast of things but are not so dampened down that they cannot progress and grow?

Ian Murray

This is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution. It is about reporting things more quickly to ensure that the attacks can be seen and action can be taken more quickly. It is also about reporting to the regulators to give the regulators confidence and powers across a wider scope of sectors in the economy, and to give businesses the confidence that those sectors have to report to the regulators when things are going wrong so that swifter action can be taken. We can see from the host of recent high-profile issues, including at Hackney council, that it is important to ensure that this legislation goes through quickly and does the job that it is intended to do.

Chris Vince

I thank the Minister for giving way; I apologise for intervening again. Is there a piece of work we need to do on culture? When businesses or the public sector are victims of cyber-crime, there is a danger that employees may feel embarrassed or nervous about reporting their concerns. We need to encourage people if they are victims of cyber-crime to come forward quicker and to recognise the challenges, rather than trying to hide them away and the issue becoming worse.

Ian Murray

While physical security and national security are issues for all of us, so is cyber-security. The Bill builds on the 2018 regulations to widen the scope into other areas of the economy where such issues have become much more prevalent—for example, data centres. I hope that doing so will give industries and sectors, including their employees, the confidence to report things to the regulators. Giving powers to the regulators will give businesses the confidence that they can report stuff; it is not a regulatory heavy hand dampening businesses. I hope that I can assure my hon. Friend and the rest of the House on that.

Before that significant number of interventions, I was talking about why this issue matters and gave statistics for recent cyber-security activity in the United Kingdom. As a result of all that, one of the very first things we did as a new Government after the election was announce this new cyber-security Bill, just 10 working days in. Since then, the Department has been talking to cyber experts, businesses and regulators to turn these proposals into the comprehensive, serious and proportionate piece of legislation that we present for Second Reading today—one that protects the public and strengthens national security without placing undue burdens on businesses. I appreciate that that is a fine balance, but I think that this Bill finds that balance, so I am confident that the whole House will support it.

Pete Wishart (Perth and Kinross-shire) (SNP)

We support this Bill and its efforts to tackle cyber-security, but it does not address the mass unauthorised scraping of trusted news content by generative AI systems. That content, as the Minister knows, is often taken without consent or compensation. As the Bill progresses, will he be prepared to look at some measures—maybe something like a bot register where people have to declare their intent when it comes to this type of activity? Will the Government look at this seriously so that news can be protected in this new environment?

Ian Murray

The hon. Gentleman is ingenious in the way in which he uses interventions on pieces of legislation. I know AI copyright is close to his heart as a former, or perhaps current, professional musician and, indeed, one of the key musicians in MP4—let’s not push that to a Division! AI copyright is, of course, a key issue that the Government are looking at. The Secretary of State for Science, Innovation and Technology and the Secretary of State for Culture, Media and Sport are working closely together on this issue. I think the legislation means that there has to be a report to Parliament in March—I am sure the hon. Gentleman will be very interested in that. We are bringing together the industry and tech companies to try to find a way through that particular issue. We know that it is a huge issue. It is not in the scope of this Bill, which has been kept very tight to deal with these specific and serious cyber-security issues.

As we know, the first duty of Government is to keep people safe. The question is how precisely the Bill will achieve that goal. The answer is simple. The UK’s main cyber-rules—the Network and Information Systems Regulations 2018, or the NIS regime—were first introduced seven years ago and have not been updated since. Those rules require operators of essential services such as energy, water and hospitals, as well as some digital service providers such as online search engines, to take steps to protect the services they provide and the data they hold from cyber-threats.

As Members might expect, a lot has changed in the cyber-landscape in the past eight years. We have had the rise of AI, which cyber-criminals are using to their advantage. Data centres have become a firm fixture of modern life, and we want to see more of them. Since the rules were introduced, criminals’ tactics have evolved to exploit loopholes in the regulations, as they did in the attack on the NHS supplier that I mentioned, which revealed how hackers can target third parties, such as IT companies, or supply chains as a back-door way to bringing down a wider system. As always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with.

Dave Robertson (Lichfield) (Lab)

My right hon. Friend is right to mention the impact on supply chains. In the west midlands, we recently had the cyber-attack on Jaguar Land Rover. That had a significant impact not just on that company, but on the supply chain, which has its roots right through the west midlands. That essential part of our economy was brought to a grinding halt by a cyber-attack. Will he confirm that this Bill will help prevent such instances from happening in the future?

--- Later in debate ---
Ian Murray

I thank my hon. Friend for all he did on the issues facing Jaguar Land Rover. I know that the matter is close to his heart and, indeed, it was a really big issue across the country, showing how a cyber-attack can affect not just one company, but has a ripple effect throughout the economy. Of course, the Government stepped in to unlock a £1.5 billion bolster to Jaguar Land Rover’s cash reserves to help it through that problem.

I should say to my hon. Friend, and I will come to it later, that Jaguar Land Rover and other private organisations are not in the scope of this Bill. The reason is that individual private companies should take their own cyber-security seriously and ensure that the risks of such incidents and threats are minimised as much as possible. The Bill widens the scope of the existing regulations, which do not include that, but of course the Government are working closely with Jaguar Land Rover, Marks & Spencer and other high-profile cases, because we know the impact they can have on our economy. Indeed, had the Government not stepped in and resolved that issue, the impact on Jaguar Land Rover, and the tens of thousands of employees at the plants and in the supply chain, would have been catastrophic and is not worth thinking about. I thank my hon. Friend for raising that issue.

As I said, as always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with, but today we are fixing that. The first change in the Bill is to widen the scope of the 2018 regulations. To keep up with the changes of the past eight years, we are adding a few new things to that list, starting with large-load controllers. That includes any organisation that manages a significant flow of electricity to or from a smart appliance. It might be a company that supports electric car charging, for example. Bringing these entities into scope will safeguard our power supply and give consumers confidence in using energy-smart appliances, all of which are critical as we advance towards our clean power 2030 mission and net zero.

The second change is that we are adding large data centres in recognition of their growing importance to our day-to-day lives and to the economy. These are vast digital warehouses for the United Kingdom, home to servers that host everything from patient records to their bank details. This is the data that underpins modern life and all our lives and communities, and it must be protected.

We are expanding the scope of the regulations to include managed service providers as well. Those are organisations that provide ongoing functions, such as an IT help desk, to an outside client. Their access makes them an attractive target for cyber-attacks as criminals can find one weak spot and bring countless organisations down. For example, in 2014, an attack on a service provider for the Ministry of Defence compromised the personal data of around 270,000 people—military personnel, reservists and veterans. As organisations rely more and more on outsourced tech, we have to close this gap. In fact, weaknesses in the supply chain have become such a risk that we will go even further by allowing regulators to designate certain organisations as critical suppliers. That includes certain suppliers to essential services that could have a significant impact on the economy or society as a whole—for example, key suppliers to water companies, grid operators or air traffic control. These critical suppliers will be subject to cyber-security duties, which we will set out in secondary legislation.

Dame Meg Hillier

Last year, the Treasury Committee wrote to the top 10 banks in the UK because there had been a number of outages. There was no suggestion that cyber-security attacks were involved in most cases. A trend in the responses was that third-party software providers are often the source of the issue. What is the Minister’s thinking about how to involve the banking sector in the scope of the Bill?

Ian Murray

The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.

The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.

We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.

Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.

Sir Oliver Dowden (Hertsmere) (Con)

I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber-security is one of those things that Ministers talk about, but then other priorities overtake it. The advantage of legislative requirements is that they force Ministers to think about it. I urge the Minister to look at that point again as the Bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force Ministers’ minds on the point.

Ian Murray

The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.

The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.

Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)

I thank the Minister for the excellent points he is making on the importance of cyber-security and the cyber-security action plan. Can he say a little bit about how the success of the cyber-security action plan will be measured, monitored and communicated to the House? He is probably aware that only 33,000 cyber essentials certificates were issued in 2024, for example, so an increased take-up of cyber essentials and the guidance in the action plan are essential.

Ian Murray

There are some key dates to monitor progress in the action plan itself. I wrote to my hon. Friend, the Chair of the Science, Innovation and Technology Committee, this morning on the publication of the action plan to lay out some of those issues; the letter will be landing soon. I would be happy to discuss that in front of the Committee in more detail. I hope that the Committee, and indeed the Opposition and our own Labour Members, hold us to account for delivering on this, because it is fundamentally important to Government, whether it be digitisation, modernising Government or winning the case with the public about why digitisation is so important and why Government should be as secure as possible and lead the charge on that across the whole economy. I hope that we and the Committee can take that forward in the weeks and months ahead.

As I said, the Government cyber action plan launched this morning is backed by over £210 million of investment and Government Departments will be held to standards equivalent to those set out in the Bill. I hope that that partially answers the question from my hon. Friend the Chair of the Science, Innovation and Technology Committee. Although the focus of the Bill is on essential services, it will also indirectly help businesses, including those damaged by the recent attacks, and Government. Almost all organisations today rely on data centres, outsourced IT or some kind of external supplier. By extending the Bill’s oversight, we are preventing attacks that could, in theory, reach thousands of organisations.

The Bill also gives new powers to regulators responsible for enforcing the NIS framework. Effective compliance is crucial to the success of any regime. These reforms could be world-leading on paper, but without proper enforcement they are meaningless.

David Reed (Exmouth and Exeter East) (Con)

We have talked about the regulators having new powers to designate critical national infrastructure in regard to cyber-security threats, but who actually has accountability? The Bill refers to

“regulations made by the Secretary of State.”

Which Secretary of State is that, given that this is a cross-departmental and cross-Government approach?

Ian Murray

Cyber-security is the responsibility of the Department for Science, Innovation and Technology, but the Cabinet Office has a clear resilience issue as well, as we heard from the right hon. Member for Hertsmere (Sir Oliver Dowden), who was in the Cabinet Office previously. The DSIT Secretary of State will make those regulations, but a plethora of regulators are involved in this process—energy, water and data centres all have different regulators. The regulators that regulate those sectors are being empowered through the expanded number of sectors being brought into the legislation to take the responsibility.

Sir Julian Lewis (New Forest East) (Con)

I am extremely grateful to the Minister for giving way. On the point about regulators, the industry has issued a brief, which points out, quite sensibly, that these regulators are going to have a lot of extra duties to perform and they will therefore need extra resources to be able to perform those duties, but the extra resources they require will only be unlocked when the Bill has passed. Is there not a danger of a transition period where duties will be laid on regulators to fulfil their role before they have the resources to carry it out?

Ian Murray

We have to pass the legislation first. It may be amended during its passage through both Houses. Therefore, the regulators will not know what they are regulating until the Bill has passed. However, as I mentioned at the start of my contribution, we have been working with regulators, businesses, organisations and cyber-security experts in the run-up to producing the Bill to make sure that it is in the right place—that it is proportionate on businesses and regulators—and that it is effective, which is the most important thing. I am sure that we will have debates on those kinds of issues as we go through Committee and on to Third Reading, but I very much acknowledge what the right hon. Gentleman said.

The Bill will strengthen the powers of the NIS regulators, ranging from Ofgem to the Civil Aviation Authority, which work together to uphold the UK’s cyber rules across those different sectors—I may have taken the previous intervention 10 seconds too early! We are raising the maximum fine that they can impose, for example, while simplifying the penalty bands to make them clearer. The key driving force for this measure is not to punish rulebreakers or raise revenue, but to incentivise firms to be vigilant. Our goal is 100% compliance and zero fines.

We will also ask regulated organisations to change the way they report attacks and expand both the types of instance they have to report and the timeframe in which they have to report them. This is a small but crucial change. Under the current rules, regulators get notified about a breach only once it has already caused significant disruption—when traffic lights have failed or the heating has shut off. The system does not include cases with the potential to cause a crisis much later, like a hospital’s computer system quietly being spied on as hackers wait for their moment to strike. Under the Bill, if an organisation is within scope, it will have to tell its regulator and the National Cyber Security Centre about these types of breaches within 24 hours and provide a full report within three days. Pace and speed are of the essence. This will not only give us better information, but help agencies to warn others, should they need to, before they become the next targets.

The Bill will also allow the Government to set clear and consistent outcomes for regulations to work towards. One of the virtues of having a regime enforced by different agencies is that each has sector-specific expertise—Ofgem understands the complex digital systems that underpin the national grid, and the Civil Aviation Authority knows the precise threats to air traffic control, for example—but that approach has sometimes led to inconsistencies in how the regime is applied. Some bodies interpret the rules differently from others. The Bill aims to fix that with a single set of objectives issued by central Government and applied across the board. That will send the message that no sector is an easy target in the UK.

We will also improve the way in which regulators, intelligence agencies and law enforcement share information with each other by providing greater clarity on what regulators can share and receive. It is important that regulators have the resources to do their job, as the right hon. Member for New Forest East (Sir Julian Lewis) said. The Bill will also give them new powers to cover the full costs associated with their regulatory duties. To ensure transparency, regulators will consult on how fees are calculated and publish a statement each year to show how the funds are being used. Together, the measures add up to a much more consistent and effective regime with better reporting and much clearer guidance for all involved.

The Bill ensures that the UK’s cyber-security regime is not only fit for today but flexible enough to head off future threats as well. I have mentioned a few things that have changed in the past eight years—shifts in technology and the nature of cyber-attacks, artificial intelligence, data centres and the economy—but one of the biggest changes was, of course, Brexit. Since our exit from the European Union in January 2020, we have been unable to amend the NIS regulations without primary legislation, because the rules were originally part of European Union law. That has slowed the process and made it difficult for us to keep pace with new emerging threats and technology. Meanwhile, Brussels is pressing ahead with NIS2—its forward-looking update—while we lag behind.

That procedural quirk has left essential UK services more exposed, which perhaps tells us something about why the UK has such appalling figures compared with some of our EU counterparts, as hackers and cyber criminals exploit gaps in our dated laws. That is an unacceptable risk, so the Bill includes new powers for the Government to update the NIS regime via secondary legislation, to make it quicker and more agile for dealing with evolving technologies—we might need to respond quickly to a new type of cyber-threat, for example. That is not in order to override Parliament; in almost all cases, the Government will still be required to consult on any changes, and Parliament will have the final say on any legislation made under the power. However, delegated powers are essential for keeping us as responsive as possible. When national security is on the line, we need the ability to act fast and decisively.

In fact, in extreme cases some threats emerge so rapidly that even secondary legislation is too slow; if an ally were to be invaded by a hostile state, for example, the cyber risk to the UK would suddenly escalate. The Government will therefore also be given powers to direct regulators or regulated entities where national security is threatened—to issue specific cyber-security guidance in a crisis, for example. Those powers are intended as a last resort to protect our national security, and safeguards will go into the Bill to ensure that they are used accordingly.

The UK’s cyber sector is the third largest in the world, as we heard from our friend from Northern Ireland, the hon. Member for Strangford (Jim Shannon). It achieves double-digit growth year on year. We have fast-growing clusters of expertise in Cheltenham and Manchester. This legislation will supercharge that success, doubling down on one of our nation’s greatest assets. At its core, the Bill is about protecting the essential services that we all rely on, so that the lights always stay switched on, clean water always runs in our taps, and hospitals are always safe and secure. Those are the real life community issues that we and our constituents all encounter every single day.

This is more than a technical upgrade; it is a bold commitment from the Government to protect one of our biggest economic strengths and keep the UK safe in a rapidly evolving digital world. Together, we are working towards a future in which security is not a hope but a guarantee. I commend the Bill to the House.

Mr Speaker (Lindsay Hoyle)

I call the shadow Secretary of State.

--- Later in debate ---
Julia Lopez

As my right hon. Friend is aware, local government is outside of the scope of the Bill, but it is a very juicy target—much of the public sector remains a very juicy target. In acknowledgment of that, the Government whipped out a strategy very quickly this morning that is meant to give us assurances about the public sector’s cyber-resilience. I am not sure that that strategy will provide much reassurance, which is why it is important to understand that this Bill can only be one part of a much wider arsenal to tighten gaps where they exist, in both the private and public sectors.

Ian Murray

It is worth clarifying for the House that we brought forward the Government cyber-security strategy this morning because the 2022 consultation undertaken by the previous Conservative Government was not acted upon. This Government are acting on those threats, bringing forward a plan that we will subsequently see through, and I think the hon. Lady should acknowledge that.

Julia Lopez

I welcome the strategy, but I have not yet had a chance to have a good look at it, because the Government always seem to publish these sorts of documents right at the last minute. The only way to get any information out of this Government is to apply some pressure in this House, and then, remarkably, things come flying out of the cupboard.

I will be very interested to see what the strategy looks like and whether it is up to the challenge we now face. The problems and risks of cyber have increased markedly since we were in Government because of the advent of AI technology—that technology is changing the picture very rapidly, just as the defence picture is changing very rapidly. My concern is that this Government are not taking seriously enough the various defence and security challenges that this House faces; they are prioritising spending on welfare payments, union payments and all manner of other things. It is one thing to get a strategy out of the door; it is another to put in place the measures that will implement that strategy. Basically, all we have seen over the past 18 months is strategy documents, without a great deal of delivery. That is one of the reasons why the Government are so rapidly losing public confidence.

In conclusion, we support this cyber Bill in principle—the threat is real and growing, and it demands action. However, it is only a tool, not a cure-all. A Government who are trying to close down gaps in one place while wilfully opening up huge new risks in a different corner are being negligent in their approach. Furthermore, if this legislation is to command confidence, it must be practical, proportionate and genuinely effective. Without meaningful improvements, the Bill risks placing new burdens on business while delivering only marginal gains for our national resilience. Cyber-security is a shared responsibility between Government, regulators, industry and the public, but leadership must come from the top, and that is where this Bill currently falls short.

With the private sector taking the lion’s share of the load while gaping holes remain in public sector cyber-defences, the Bill begs obvious questions about the confidence that citizens should have in flagship Government projects such as the Prime Minister’s mandatory digital identity system. As it stands, the Bill would not have prevented high-profile cyber-shutdowns such as Jaguar Land Rover’s, it does little to address the chronic vulnerabilities in the public sector, and it certainly will not make Labour’s dodgy ID database any more secure. That is why, as the Bill progresses through Parliament, we will be pressing this Government to ensure that it delivers genuine security, proper accountability and raised cyber-defences across the board, while taking them to task on major mistakes such as mandatory ID. Cyber-security is no longer a niche compliance exercise; it is about protecting the fundamental economic and defence interests of our nation.

--- Later in debate ---
Anneliese Dodds (Oxford East) (Lab/Co-op)

I wish you, Madam Deputy Speaker, all parliamentary staff and all Members in this Chamber a very happy new year.

It is a real pleasure to rise to speak in favour of this crucial Bill, which I am pleased to see having its Second Reading. It is also a pleasure to follow the hon. Member for Exmouth and Exeter East (David Reed), who set out many of the stakes that are so critical here. We also heard that in the opening speech by my right hon. Friend the Minister for Digital Government and Data, who described a number of disturbing cases, as others have done during the debate. He also set out the scale of the impact of cyber-attacks with some concerning figures, as did my hon. Friend the Member for Warwick and Leamington (Matt Western). I was particularly struck by the 0.5% hit to GDP from cyber-attacks and the fact that our country has been the third most severely impacted worldwide by cyber-attacks. It is therefore welcome that the Bill focuses on a faster and more joined-up approach to deter and deal with cyber-attacks.

I believe that that approach has gone alongside a really strong grip from the new Government on the need for a sectoral approach to dealing with cyber-attacks. Of course, we unfortunately had to see that, given the attack on JLR. I was pleased to see the previous Secretary of State really engaging with the automotive sector—work that has been continued by the current Secretary of State—on the challenges and lessons that need to come out of that attack, which has been particularly important in my constituency given the significance of BMW Cowley for employment in Oxford East.

I believe it is critical that we assess cyber-security alongside other forms of cyber-criminality, as the head of MI5 has argued for us to do. Cyber-attacks are increasingly being carried out by quasi-non-state actors that operate in the grey zone that the right hon. Member for Hertsmere (Sir Oliver Dowden) talked about, often implicitly backed by Russia or other adversaries. Those attacks are taking place at the same time as a rise in cryptocurrency laundering and disinformation operations.

I am sadly forced to share the assessment of GLOBSEC, the security-focused think-tank, that the pattern of Russia’s hybrid war

“has persisted without an effective Western response”.

There has been an escalation in cyber-attacks, sabotage, disinformation and political interference, but we have not seen the kind of joined-up approach across like-minded democracies that is needed. I was assured recently by my right hon. Friend the Paymaster General that the Government are working with the EU on combating foreign interference. That work clearly needs to be intensified, especially when we see what is happening to other democracies not so very far away from us.

I saw the threat for myself directly in Moldova, where cyber-criminals’ methods are often being used in combination: a cyber-attack on the election regulator coincided with a disinformation campaign sponsored by Russia and disruptions like bomb hoaxes in real life. So while I welcome this legislation, it must be co-ordinated with broader work to protect our country’s resilience and digital sovereignty, and to secure transparency on foreign interference.

In that regard, I will end by mentioning a concerning development: the sanctioning of two British citizens by the United States over the Christmas period, both of whom have worked to deliver transparency, including on foreign interference—clearly relevant to this Bill. Imran Ahmed is from the Centre for Countering Digital Hate, whose dispassionate, evidence-based analysis has uncovered the spread of disinformation, violent racism and material that poses harms to children. Clare Melford is from the Global Disinformation Index, which provides information about the extent of polarisation and disinformation so that companies can make informed choices about where to advertise—a free market approach to providing transparency.

The Minister stated at the beginning of this debate that when national security is on the line, we must be ready to act, and I strongly agree. A number of Members in the Chamber have said how important it is that we have a cross-economy and cross-society approach to these issues. I believe that the sanctioning of these individuals risks chilling transparency, including potentially transparency that can uncover foreign interference. I hope the Government will resist all attempts to reduce transparency. The welcome efforts in this Bill on cyber-resilience must be accompanied by work to counter other cyber and information-related threats to our national digital sovereignty and, more broadly, threats to our national security and interest.

--- Later in debate ---
Mike Reader (Northampton South) (Lab)

I start with a story; it is a real story, but I have changed the names for obvious reasons. It was a Tuesday afternoon and I had a call from our CEO, David, who said to me, “Mike, I am jumping on a plane, but I need you to speak to a law firm we have been working with. This lady called Sandra will ring you from A&A law firm. I want you to speak to her. She will talk to you about a project we have been working on. Sorry I have not been able to read you in until now.” I think, “This is a bit strange. David’s a very busy man, but why would he ring me jumping on a plane?”

Sandra rang me, and it seemed pretty legit. We had a chat and it turns out we may know someone in common. I looked her up on LinkedIn: her firm is legit, she is there, and she has connections similar to mine. She tells me, “I need you to sign a non-disclosure agreement so we can talk to you about the opportunity we are working on with David.” I said that was fine and signed the NDA. I was sent a Teams link and joined a call with Sandra and some of her colleagues. Also on the call was David, my chief exec, whose signal was not good. He said, “Mike, I’m on a plane, but I’ve tried to join just to say thanks so much for being a part of this. We’re looking at an acquisition in your business area. I want you to work with A&A legal partners to ensure they have got the information they need. This is a real opportunity for us to grow. You know that we have been looking to grow the business.” Then his signal dropped off.

I carried on the conversation with Sandra and her partners. They started asking for information that perhaps they did not need—for example, about operational matters and how the business worked. They followed up with another call, in which they started asking for financial information about some of our clients. They followed up with another call in which they asked for financial information about the business. At that point, I thought, “I had better ring David and just make sure this is legit.” When I rang David, I found that he had no idea this was going on. Our business was being attacked through a deepfake intrusion. They had mirrored our chief exec, and used his voice for a call and his image for a Teams call. Had I—this story is actually about a friend of mine—not called my boss to say, “Is this legit?” they could have got away with goodness knows what. That seems quite far-fetched, but Arup, another big British firm, got done by a very similar deepfake scam; it lost £20 million to scammers.

I start with that real story about something that happened to one of my colleagues, because this Bill is really important. It is a framework Bill that will set out how we put in place better standards, procedures and controls, but actually where many businesses—be they data centre providers, managed service providers or those already covered by legislation—fall down is at the point when a human is in the loop. We heard from my hon. Friend the Member for Harlow (Chris Vince) about how to get the culture right, and how to ensure that people are considered in future legislation and guidance that will come off the back of the Bill. I wanted to open up and make that point, because through the Bill, we can do all we can on technical processes and procedures, but it is really important that we focus on the human in the loop and the human aspect, as that is often where these major attacks start.

I am really pleased to support the Bill. Cyber-security and cyber-crime impact our daily lives. I will not repeat the stats, which we have heard from many hon. Members on both sides of the House. They impact the businesses that support our economy, our public services and our banking sector—things that we use every day. It is therefore right that the Bill has been brought forward, although there was a considerable delay following the work done in 2022 by the previous Government. I am pleased that the Bill seems to have cross-party support.

The Bill recognises that attacks involve a wide range of methods, and may involve data centres, outsourced IT providers and complex supply chains working in the sector. That is critical for my constituents in Northampton, who are on the northbound data super-highway from London. In the last six months, we have heard announcements of over £1 billion of investment in new data centres, in both the public and private sectors. I thank the Minister and his Department for all their hard work in securing that investment, which will create new jobs in my constituency. Without improved regulation and clarity, that investment remains slightly uncertain. The Bill will definitely improve that clarity and certainty for the sector, as well as for the many businesses in my constituency that rely on a managed service provider for their IT or provide data centres. That is particularly important for all hon. Members, because the control centre that looks after our security is in my constituency. That data security is therefore particularly important for our personal wellbeing.

I have also looked at this issue from the perspective of the many businesses in my constituency who use managed service providers for their IT. They include large businesses. In my previous business—a business of 7,000 or 8,000 people—an MSP provided our help desk; when I had a problem, I would ring it up. The inclusion of managed service providers is critical to give us better protection and improve standards and resilience, and therefore reduce burdens on the businesses that use them, particularly their cyber insurance costs. I have two asks of Government on this. First, as other Members have done, I ask that we do this proportionately, as change in this area may have a considerable impact on small businesses—both on their MSP costs and their direct costs. I also ask that we work hard to consider how the legislation works with international law, particularly as my experience is that a lot of MSPs, such as HelpDesk, use overseas workforces.

I welcome the stronger reporting requirements. I recognise the point made by the hon. Member for Bromsgrove (Bradley Thomas) about his ten-minute rule Bill on regulation and reporting. From a business perspective, as long as there is clarity—the Bill sets out that there will be greater clarity for business—we get honesty, trust and a business environment in which people understand what they have to do and when they have to do it. The Bill moves us towards that.

I also welcome the much stronger enforcement powers in the Bill. That sends a real message to criminals that there are significant risks to them. To businesses, I say that money talks, and when there are stronger enforcement risks to someone’s business, all of a sudden cyber-security ends up higher up the corporate risk register.

As the Bill is implemented, I ask for genuine consultation with industry. It is particularly important to note that this is a framework Bill.

Kit Malthouse (North West Hampshire) (Con)

The hon. Gentleman is making a very interesting and pertinent speech. I hope he will welcome the fact that the Bill strengthens the requirement on companies to not only look at prevention but have an adequate recovery plan. Does he think that there is adequate sanction in the Bill for those companies that are deemed not to have an adequate recovery plan? My reading is that regulators cannot necessarily fine for a negligent recovery. As the hon. Gentleman said, the human factor so often matters, but surely that matters as much in recovery as it does in prevention.

Mike Reader

I think the Bill goes some way on that, and it is clear that future legislation and guidance will start to frame those issues. There are other ways that we can drive businesses to improve their business resilience planning. It is part of the standard Government procurement process to require business continuity planning to be demonstrated, and many large businesses in our constituencies will be trying to transact with Government, whether local or national, with the NHS or others. Business resilience is also required at other times when the state interacts with business; I think of procurement particularly. My background is in one of those key areas.

I was just saying to the Minister that one concern I have is that this is a framework Bill. There is to be a lot of future guidance, so we need continued consultation—this message has been made by others as well—so that the standards are really clear. The legislation was getting quite messy. We want to make it a lot clearer. We want to be really clear with business, and we want to give organisations early notice, so that they can adjust, rather than springing this on business as we push to address a real threat that has been recognised right across industry.

I come back to my original point: we should consider the human in the loop. When we set guidance and requirements, we should look at how businesses think about the human aspect, as well as the technocratic solutions that would be in a business continuity plan or similar. This is a necessary Bill. I support its aims and focus. It signals real confidence to the market—to those already operating in it, and to those who are coming to invest in great places like Northampton, to build the data centres and other infrastructure that we need.

--- Later in debate ---
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

First and foremost, I thank all Members for their contributions to the debate. I am glad that the House has welcomed the Bill, with deep expertise shown by Members on both sides of the House. Of course, Members have asked questions and I will try to share the Government’s approach. Before that, let me set out what is at stake.

The UK is the most cyber-attacked country in Europe. In 2024, more than 600,000 businesses were subject to a cyber-attack, the average cost of which was just over £190,000. The cost of cyber-attacks to UK businesses in aggregate is estimated to be £14.7 billion a year. The personal experience of my hon. Friend the Member for Northampton South (Mike Reader) is on my mind, as well as the facts that my hon. Friend the Member for Warwick and Leamington (Matt Western) shared, such as the most common password in this country being “password”, and, indeed, the comments of my hon. Friend the Member for Mid Cheshire (Andrew Cooper) about Buffy the Vampire Slayer being an effective name deployed in some contexts. The combination of aggregate impacts and such personal experiences is the motivation for the Bill.

National security is the first responsibility of any Government. Cyber-threats have grown and the previous Government failed to move fast enough in the light of that. This Government are acting robustly to ensure that the British public are secure. The big message is, “Let’s ditch legacy systems and platforms and move to a more secure future.” We have done that by ditching the Conservative party; it is time to do it across our economy.

Let me deal with some of the themes that hon. Members raised, especially threats from AI that will emerge in future. The right hon. Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Congleton (Sarah Russell) mentioned those threats. AI will almost certainly continue to make elements of cyber-intrusion operations more effective and efficient, and cyber-threats more frequent and intense. That is why it is important that organisations take steps to bolster their cyber-defences. Under the Bill, organisations must have regard to the state of the art when maintaining the security of their network and information systems. That applies not only to cyber-defences, but to cyber-threats.

The right hon. Member for Hertsmere mentioned agentic AI, and I am conscious that it will be a particular risk. A significant source of mitigation must be the quality of our capability in the private sector, but also in the public sector. I pay tribute to the work of the AI Security Institute, which is right at the frontier of understanding the risk of agentic AI.

Several Members asked questions about scope. Of course, there is a significant risk across our economy, but we have chosen to focus, as NIS regulations have historically done, on essential services, the failure of whose network and information systems poses imminent threat to life to the British public. For that reason, the scope of the Bill is tight. That is not to say that other businesses should not do a great deal to protect themselves against cyber-attacks. However, the Government need assurances that the resilience to cyber-attack of essential services, the disruption of which would have the most profound consequences for public safety, national security and economic stability, is prioritised. Of course, businesses outside the scope of the Bill should make it a critical business priority to gain the same assurance without the need for as much Government intervention.

I am aware of the points made by my hon. Friends the Members for Lichfield (Dave Robertson) and for Warwick and Leamington, the Chair of the Joint Committee on the National Security Strategy, as well as by my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), the Chair of the Science, Innovation and Technology Committee, on Jaguar Land Rover. In that instance, the Government acted swiftly in exceptional circumstances by providing a £1.5 billion loan guarantee to protect jobs, support businesses in the supply chain, and preserve this vital part of British industry. However, as the hon. Member for Exmouth and Exeter East (David Reed) noted, that should not be the expectation on Government; businesses must look to their own defences as a matter of corporate responsibility.

David Reed

Will the Minister give way on that point?

Kanishka Narayan

I might just make a bit of progress.

My hon. Friend the Member for Warwick and Leamington mentioned the food sector and food retailers, given recent attacks. Following the attacks on Marks & Spencer and Harrods, my hon. Friend the Minister for Food Security and Rural Affairs has written to and engaged deeply with the chief executive officers of major food retailers to advise on how the food sector can best protect itself from cyber-threats.

There is a broader question about sectors that are not regulated by this Bill, which has been raised by numerous Members from across the House. The fact that a sector is not regulated under the Bill does not mean that organisations in it cannot protect themselves against cyber-attacks. As I said, the Bill is not designed to cover every sector. Where sectors are covered by existing regulations, and where the Government do not consider it essential to regulate a sector through the Bill, we have taken a proportionate approach. Introducing blanket coverage for whole new sectors would create extensive regulatory burdens for more of our economy, stifling economic growth. At the same time, this Bill will enable the Government to bring more sectors into scope in the future, and to take swift action if national security is at risk.

The Bill sits alongside a series of actions that the Government have taken. I highlight in particular the fact that the Government have written to UK businesses and trade bodies across sectors to make sure that they are embedding cyber essentials across their supply chains, that they are making cyber-resilience a board-level priority, and that the NCSC’s early warning system and advice is heeded.

Both Conservative Front Benchers, the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted (Victoria Collins), and my hon. Friend the Member for Congleton spoke about coverage of the public sector. The public sector requires a significant step change in cyber and digital resilience. As has been mentioned numerous times, today we have published the Government’s cyber action plan, backed by £210 million of investment. The plan takes decisive action and holds Government Departments accountable for their cyber-security and resilience, as well as providing them with more direct support and services, and co-ordinating responses to fast-moving incidents.

I will take up the point made by the right hon. Member for New Forest East (Sir Julian Lewis) about the juiciness of local government digital provision. I share his enthusiasm. The Government’s cyber action plan takes into account wider Government and public sector coverage. In fact, it strengthens, clarifies and joins up how lead Government Departments hold the wider public sector, including local government, to account for improved and equivalent cyber-resilience.

I will make an observation about the points raised about not just reporting and assessment, but recovery and resilience. I flag to hon. Members from right across the House that our proposals for security and resilience requirements are being prepared for secondary legislation. They will align with the NCSC’s cyber assessment framework, which relates to effective response and recovery. A consultation is likely in the year ahead.

There were a series of questions and comments about regulators, and proportionate and effective regulation. The Bill allows regulators to make sure that they are well resourced to carry out their duties, and can charge reasonable fees to cover more of the cost of their activities under the regime. It will enhance the regulators’ impact by ensuring clearer information gateways and increased incident reporting, and establishes a unified set of objectives. The shadow Secretary of State talked about regulators not finding enough incidents, and about them finding too many, but I will let her work out the obvious contradiction in her position.

I say in response to the right hon. Member for Hertsmere that there is clear scope for AI capability to be used in triage. I very much hope that the reviews that the Secretary of State must undertake—they are embedded in the Bill’s requirements—will ensure that we look at efficient ways that regulators can do that.

The Chair of the Science, Innovation and Technology Committee, my hon. Friend the Member for Newcastle upon Tyne Central and West, made a point about the frequency and quality of the reviews of the regime in this Bill. The Department for Science, Innovation and Technology will monitor and evaluate the new framework in reviewing the effectiveness of the regime. The Bill requires the Secretary of State to lay before Parliament a report on the operation of certain NIS legislation, and to publish one at least every five years. It will be an extensive review, so we want to make sure that it is proportionate, rather than overly frequent. The commitments made by the Secretary of State to the Chair relate primarily to the Bill.

In response to the points made by my hon. Friends the Members for Warwick and Leamington, and for Mid Cheshire, about the possibility of a cross-sectoral cyber regulation approach, I flag that 12 regulators are responsible for enforcing this regime, because different sectors rely on different technologies, and have very different risk attitudes and responses to vulnerabilities. It is right that we use sector expertise to address sector-specific issues.

The hon. Member for Bognor Regis and Littlehampton (Alison Griffiths) made an appropriate point about enterprise IT and operational technology being differentiated. That is why we have used a sectoral lens; it is a very tractable way of differentiating the risk factors. We have set out a sectoral approach, but that does not preclude the Secretary of State from setting out, in a statement of strategic priorities, the possibility of co-ordination and information sharing across regulators.

In response to the points made by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted, as well as the hon. Member for Exmouth and Exeter East, about making sure that incident thresholds are clear and proportionate, the 24-hour light-touch notification requirement is proportionate. All that is needed is information alerting the regulator and the National Cyber Security Centre to the nature of the incident; the system does not rely on over-regulation. With the exception of data centres, reportable incidents that affect operators of essential services would need to have affected the operation of significant network and information systems right across the entity, and to have a significant national security impact. That is extremely unlikely to include minor matters, such as the receipt of a phishing email.

The Chair of the Treasury Committee, my hon. Friend the Member for Hackney South and Shoreditch (Dame Meg Hillier), made a point about financial services organisations, and I respond simply by flagging that UK financial services are resilient against cyber-threats. The threats are of course growing, but the regulatory approach taken by the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England were some of the sources for the approach we have taken in this Bill. Regulatory overlap was mentioned; this Government will make sure that businesses that have to navigate multiple regulatory frameworks with multiple services will face minimal burdens. We will work with our regulators and international authorities, including those in the EU, on the implementation of the Bill.

Turning to the impact on business, and the Bill ensuring a proportional approach to security, the Government will regulate only when that is necessary to protect our economy and our country from serious harm. A single attack can disrupt hospitals, transport and vital services, putting lives at risk, and we will not gamble with our economy or our people’s safety. The cost of doing nothing is, of course, too great. As I have mentioned, cyber-attacks drain almost £15 billion a year from UK businesses. At the same time, this Bill takes a proportionate approach to ensuring the safety of British people.

Board-level responsibility was brought up by a number of Members from across the House. I simply say that all business leaders need to take responsibility for their organisation’s cyber-resilience. On 13 October last year, the Government wrote to chief executives, requesting that they make cyber-security a board-level responsibility. The Government’s new cyber governance code of practice focuses on the governance of cyber risk specifically, and we will consider using secondary legislation to require companies to clarify their cyber-security responsibilities at board level.

A number of Members raised the issue of the effect on small and medium-sized businesses. Growth is the Government’s No. 1 mission, and small businesses are the engine room of that growth. They provide many of our most important services. That is exactly why small and, particularly, micro-sized managed or digital services are exempt from regulation under this Bill. They can be regulated only if they are designated as critical suppliers, and there will be an extremely high bar for designation. That should answer the question from my hon. Friend the Member for Mid Cheshire about companies meeting the bar for designation. A point was made about the ability of small businesses to tell quickly whether they are in scope. The regulator will complete an investigation process, which will include giving notices and having consultations with relevant businesses, prior to confirming whether an organisation meets the criteria for being in scope. That process needs to be robust, but we hope to make sure that those regulatory processes are proportionate, too.

I turn to a critical question from my hon. Friend the Member for Milton Keynes Central (Emily Darlington), my right hon. Friend the Member for Oxford East (Anneliese Dodds) and the hon. Member for Ceredigion Preseli (Ben Lake) on long-term sovereignty and capability in this country. Over the last decade and a half, the Conservative party in government sold this country’s strategic leverage over the primary sector, software and digital infrastructure. We will not repeat that mistake. We have already committed, right across the board, to extremely robust digital sovereignty measures. We have committed £500 million to a sovereign AI fund. We have made sure that there are tens of billions of pounds pouring into this country as capital infrastructure for AI, and British firms like Nscale are right at the heart of that. There is an advanced market commitment to cloud compute, to make sure that British companies are right at the heart of the provision of core infrastructure in future. Through the British Business Bank, we are committing tens of billions.

David Reed

We talk about sovereign capability, but how can we have fully sovereign capability when we do not own the means of production of most advanced chips?

Kanishka Narayan

I point the hon. Member to a thriving compound semiconductor cluster in south Wales, as well as chip manufacturing companies. If he doubts how advanced Arm is—the primary chip design company in the world—I would advise him to read a primer on the chip company supply chain.

The Government are pursuing a clear sense of digital sovereignty. On China, I flag that we are taking stronger action to protect our national security, including our critical national infrastructure, as well as making sure that, where appropriate, we look for opportunities for co-operation. The national security strategy, the independent review of state threat legislation and our new powers on counter-terrorism will make sure that we do that.

I am conscious that I am testing your patience, Madam Deputy Speaker, so I will simply flag a final point. The “whole society” approach was mentioned by a number of right hon. and hon. Members. We are making a series of investments in skills to ensure that young people are inspired to pursue careers in cyber-security. On the points made by my hon. Friends the Members for South East Cornwall (Anna Gelderd), and for Portsmouth North (Amanda Martin), I am deeply passionate about ensuring that young people—young women and girls, in particular—in their areas, Wales and across the country pursue thriving careers in cyber-security.

National security is the first responsibility of this Government. The Bill could not be more necessary for confronting developments in global cyber-threat. I thank all right hon. and hon. Members for their engagement with the Bill as it progresses. I encourage them to engage deeply. To all rogue organisations with hackers at the helm—I do not just mean the Conservative party—I say this: your time is up. With this Bill, we will make sure that the British public are secure.

Question put and agreed to.

Bill accordingly read a Second time.

Cyber Security and Resilience (Network and Information Systems) Bill: Programme

Motion made, and Question put forthwith (Standing Order No. 83A(7)),

That the following provisions shall apply to the Cyber Security and Resilience (Network and Information Systems) Bill:

Committal

(1) The Bill shall be committed to a Public Bill Committee.

Proceedings in Public Bill Committee

(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Thursday 5 March 2026.

(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.

Consideration and Third Reading

(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.

(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.

(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.

Other proceedings

(7) Any other proceedings on the Bill may be programmed.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Money)

King’s recommendation signified.

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise the payment out of money provided by Parliament of:

(1) any expenditure incurred under or by virtue of the Act by the Secretary of State or another public authority, and

(2) any increase attributable to the Act in the sums payable under or by virtue of any other Act out of money so provided.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Ways and Means)

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise:

(1) the imposition of charges under or by virtue of the Act; and

(2) the payment of sums into the Consolidated Fund.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Carry-over)

Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),

That if, at the conclusion of this Session of Parliament, proceedings on the Cyber Security and Resilience (Network and Information Systems) Bill have not been completed, they shall be resumed in the next Session.—(Jade Botterill.)

Question agreed to.