Cyber Security and Resilience (Network and Information Systems) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Digital, Culture, Media & Sport
Cyber Security and Resilience (Network and Information Systems) Bill
Alison Griffiths ExcerptsTuesday 6th January 2026
(1 month, 3 weeks ago)
Commons ChamberRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
I refer the House to my entry in the Register of Members’ Financial Interests. I commend my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Exmouth and Exeter East (David Reed) for their excellent speeches. I particularly associate myself with their comments on the Computer Misuse Act 1990 and the need for an extension to our cyber-skills in this country. Before entering this place, I worked professionally in cyber-security and operational resilience, advising businesses of all sizes on how to reduce the risk of cyber-attacks and helping them to understand how far-reaching the consequences of a cyber-breach can be from a commercial perspective, and not just a technical one.
I am vice-Chair of the Business and Trade Committee, and we have heard direct evidence for our report on economic security from Marks & Spencer, Co-op and Jaguar Land Rover, all of which suffered catastrophic breaches last year. Although the attacks were different in form and impact, as the shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), said, they shared a common feature: they were driven by social engineering, not technical failure. Human access was exploited, trust was abused, and controls failed further up the chain. The outcomes, however, were very different.
At Co-op, a more modern, secure-by-design IT infrastructure enabled an early containment strategy, limiting the impact on customers, stores and the bottom line. Marks & Spencer, which had not prioritised early replacement of legacy infrastructure, suffered months of major disruption to customer-facing services and retail logistics. The financial impact alone for M&S is in the region of £300 million, or 45% of its prior year pre-tax profits. Jaguar Land Rover was in a different category altogether. There, the attack cut into operational technology systems tightly integrated with manufacturing operations, bringing production lines to a standstill and disrupting just-in-time supply chains. That shutdown cascaded far beyond a single company, directly impacting numerous suppliers in the midlands regional economy, as many Members have already mentioned, as well as contributing to a measurable fall in UK GDP, estimated to be in the region of £2 billion.
Those cases demonstrate that cyber-risk manifests in three ways: operational risk, financial risk and reputational risk. Too often, even at FTSE level, businesses and boards fail to grasp that this is a potentially devastating combination. I hear the same message repeatedly from industry, including at the Financial Times Cyber Resilience Summit in London, where I spoke at the end of last year. There is frustration from CISOs—chief information security officers—and security vendors that it can be difficult to develop conversations with boards and audit chairs to assign the appropriate resources and strategic prioritisation. Businesses accept that standards must rise, but they want regulation that is targeted, proportionate and focused on prevention, rather than paperwork.
The Bill does some things well. Updating the 2018 NIS framework, expanding coverage where it is genuinely needed and strengthening enforcement powers are all sensible in principle. Faster incident reporting has value, but reporting alone is not resilience. There are gaps that matter. First, the Bill does not go far enough on governance. Cyber failures are governance failures. Responsibility sits not only at board level, but clearly and specifically with chairs and audit and risk committees, yet the Bill stops short of driving meaningful accountability there. Without that pressure, cyber will continue to be delegated downward to IT and operations teams, rather than being owned at the top.
Secondly, there is a risk of confusing activity with preparedness. Increasing reporting obligations after an incident does nothing to prevent the incident from occurring. Prevention is always better than cure, and this legislation needs a stronger emphasis on baseline capability, risk maturity and early intervention.
Thirdly, we must be careful about cost, capacity and particularly enforcement. The implications for SMEs are significant, particularly those that are pulled into scope through supply chains. At the same time, regulators cannot enforce what they are not resourced to oversee. Without credible enforcement, the Bill risks becoming a paper exercise and boards will respond accordingly.
Fourthly, the Bill needs to recognise the connection between, and draw a clear distinction between, IT and operational technology. What works for enterprise IT systems may be inappropriate or even dangerous in OT environments such as manufacturing, critical national infrastructure, energy and logistics. Segregation, architecture and the configuration of security devices must be assessed. Risk profiles differ; controls differ. That nuance matters.
I want to be clear that the Opposition support the aims of this Bill in principle. Cyber-resilience requires a whole-of-society approach involving Government, regulators, businesses and boards working together, but if this legislation is to drive real change, it must be enforceable, proportionate and grounded in how organisations actually operate. Boards and audit committees must feel the weight of responsibility, regulators must have the tools and resources to act, and prevention must be prioritised over post-incident form filling. The National Cyber Security Centre has produced clear, practical guidance for boards, and that should sit at the heart of our approach. We need smarter regulation, properly enforced, not just more of it.
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Alison Griffiths ExcerptsTuesday 3rd February 2026
(3 weeks, 3 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Freddie van Mierlo (Henley and Thame) (LD)
Q
Jen Ellis: You have covered a lot of territory there; I will try to break it down. If you look at the attacks last year, all the companies you mentioned were investing in cyber-security. There is a difficulty here, because there is no such thing as being bullet-proof or secure. You are always trying to raise the barriers as high as you can and make it harder for attackers to be successful. The three attacks you mentioned were highly targeted attacks. The example of Volt Typhoon in the US was also highly targeted. These are attackers who are highly motivated to go after specific entities and who will keep going until they get somewhere. It is really hard to defend against stuff like that. What you are trying to do is remove the chances of all the opportunistic stuff happening.
So, first, we are not going to become secure as such, but we are trying to minimise the risk as much as possible. Secondly, it is really complex to do it; we saw last year the examples of companies that, even though they had invested, still missed some things. Even in the discussions that they had had around cyber-insurance, they had massively underestimated the cost of the level of disruption that they experienced. Part of it is that we are still trying to figure out how things will happen, what the impacts will be and what that will look like in the long term.
There is also a long tail of companies that are not investing, or not investing enough. Hopefully, this legislation will help with that, but more importantly, you want to see regulators engaging on the issue, talking to the entities they cover and going on a journey with them to understand what the risks are and where they need to get to. If you are talking about critical providers and essential services, it is really hard for an organisation—in its own mind or in being answerable to its board or investors—to justify spend on cyber-security. If you are a hospital saying that you are putting money towards security programmes rather than beds or diagnostics, that is an incredibly difficult conversation to have. One of the good things about CSRB, hopefully, is that it will legitimise choices and conversations in which people say, “Investing time and resources into cyber-security is investing time and resources into providing a critical, essential service, and it is okay to make those pay-off choices—they have to be made.”
Part of it is that when you are running an organisation, it is so hard to think about all the different elements. The problem with cyber-security—we need to be clear about this—is that with a lot of things that we ask organisations to do, you say, “You have to make this investment to get to this point,” and then you move on. So they might take a loan, the Government might help them in some way, or they might deprioritise other spending for a set period so that they can go and invest in something, get up to date on something or build out something; then they are done, and they can move back to a normal operating state.
Security is not that. It is expensive, complex and multifaceted. We are asking organisations of all sizes in the UK, many of which are not large, to invest in perpetuity. We are asking them to increase investment over time and build maturity. That is not a small ask, so we need to understand that there are very reasonable dynamics at play here that mean that we are not where we need to be. At the same time, we need a lot more urgency and focus. It is really important to get the regulators engaged; get them to prioritise this; have them work with their sectors, bring their sectors along and build that maturity; and legitimise the investment of time and resources for critical infrastructure.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Q
David Cook: The legislation talks about secondary legislation, so it allows for an agile, flexible programme whereby organisations can be brought within scope very quickly if concerns make that necessary. What that leaves us with, though, is that although legislation can be changed quickly, organisations often cannot. Where there is a definition, as we see with NIS2, as to which entities are in scope, organisations can embark on a multi-year programme to get into a compliant position. They can throw money at it, effectively.
What this legislation talks about, through the secondary legislation, is bringing organisations into scope and mandating specific security controls or specific requirements on those organisations in terms of security, but while the law might come in over a weekend, organisational change will not necessarily follow. There is a potential issue there. I can see the benefit and attractiveness of secondary legislation being used to achieve that aim, but having a clearer baseline as to what that sort of scope might look like—it could be ramped up or down, and the volume could be turned up or down, depending on need—would be more helpful. Reducing scope while diverging from NIS2 might be a benefit in terms of the commercial reality, but it might be a misstep in terms of security and the long tail that it takes to get more secure.
The Chair
Thank you. I am going to bring Allison Gardner in, because she has been waiting. You have two minutes, Allison.
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Alison Griffiths
I am so sorry. Could you possibly speak into the microphone? I cannot hear you.
Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.
Lincoln Jopp
Q
Stuart McKean: It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber-attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.
Sarah Russell (Congleton) (Lab)
Q
Jill Broom: We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.
Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.
Dr Sanjana Mehta: If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.
Alison Griffiths
Q
Stuart McKean: I am not an expert on the detail, but I would say that there is currently very little detail in the Bill regarding IT and OT.
Alison Griffiths
Q
Stuart McKean: The devil is always in the detail, so any more clarity that can be put in the Bill is always going to be a good thing.
Alison Griffiths
Does anyone have anything else?
Jill Broom: I think that I will need to come back to you in writing on the specifics of operational technology.
The Chair
Feel free to write in, secondary to this session, if you feel that you want to expand on any answers.
The Chair
Very briefly—yes.
Matt Houlihan: My first point is on the scale of the challenge. From Cisco’s own research, we released a cyber-security readiness index, which was a survey of 8,000 companies around the world, including in the UK, where we graded companies by their cyber maturity. In the UK, 8% of companies—these are large companies—were in the mature bracket, which shows the scale of the challenge.
The other point I want to make relates to its being a cyber-security and resilience Bill, and the “resilience” bit is really important. We need to focus on what that means in practice. There are a lot of cyber measures that we need to put in place, but resilience is about the robustness of the technology being used, as well as the cyber-security measures, the people and everything else that goes with it. Looking at legacy technology, for example—obsolete technology, which is more at risk—should also be part of the standards and, perhaps, the regulatory guidance that is coming through. I know that the public sector is not part of the Bill, but I mention the following to highlight the challenge: over a year ago, DSIT published a report that showed, I think, that 28% of Government systems were in the legacy, unsupported, obsolete bracket. That highlights the nature of the challenge in this space.
Alison Griffiths
Q
Chris Anley: On the OT versus IT question, we have mentioned specificity versus flexibility. The benefit of the UK sectoral regulator model is that regulators that are in areas where OT is predominant can set specific measures that can reinforce those environments, whereas if you try a one-size-fits-all approach, you run the risk of certain critical OT-based systems becoming subject to successful attacks.
Ben Lyons: The broad approach that the UK is taking is sensible, in that the existing guidance has a range of principles around OT, as well as IT, security. Manufacturing is not in the scope of the Bill, which is probably appropriate, but it is worth looking at what could be done to improve the security of the manufacturing sector, more broadly, probably through non-legislative means. In light of recent attacks, it is important to ensure that guidance and incentives are in place to support that sector.
Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)
Alison Griffiths ExcerptsThursday 5th February 2026
(3 weeks, 1 day ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.
The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.
Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.
Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.
In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Does my hon. Friend agree that, although we support the intent behind the Bill, clause 2 does a lot of framing work but does not necessarily consider the extensive perimeter that is coming through and how proportionality will be applied in practice? I suggest that the Committee keep that in mind as we move through the detail.
Dr Spencer
I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.
Kanishka Narayan
Clause 4 of the Bill amends the NIS regulations by creating a new regulated sector, data infrastructure, and designating the Secretary of State for Science, Innovation and Technology and Ofcom as joint regulators. We have received clear feedback from the data infrastructure sector expressing concerns that a dual regulator model could create unnecessary complexity and limit accountability. Amendments 11 and 12 will remove the Secretary of State for Science, Innovation and Technology as a regulator, leaving Ofcom as the sole regulator, which will streamline the regulatory model for data infrastructure and resolve the concerns raised by stakeholders.
Ofcom already has proven regulatory expertise and is well placed to oversee the new data infrastructure sector effectively. By adopting a single regulator for data infrastructure, the amendments will reduce administrative burden, simplify engagement, and strengthen accountability. This will ensure a clearer, more effective regulatory framework for this rapidly growing sector.
Clause 4 brings qualifying data centre services into the scope of the NIS regulations, recognising both their vital role in underpinning our economy and public services, and that disruption to them can significantly impact productivity, service delivery, and revenue.
Alison Griffiths
Clause 4 relies heavily on capacity as the trigger for regulation. I understand why that is attractive: it is measurable. But capacity is not the same as criticality, and a high-capacity facility used for redundancy can present less systemic risk than a smaller, highly concentrated one. I simply put on record that the way this threshold is applied in practice will matter more than the number itself.
Kanishka Narayan
I thank the hon. Member for that thoughtful point. One assurance I will offer her is that the direct definition of data centres in scope here rely on capacity as a proxy for their essential independent nature, but when data centres below the capacity threshold but high on the criticality threshold are suppliers to essential services, they would be covered in part by the critical suppliers framework in the Bill. I take her point into account.
Dr Spencer
I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.
Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.
The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and regulator data centres it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?
Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?
Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.
In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.
Alison Griffiths
My hon. Friend is making a very good point, which also applies to improving board awareness and ensuring that the enforcement of the regulations incentivises boards to take the issue seriously and make sure that they are equipped to understand the commercial reality of cyber-security for their businesses. Enforcement is an important part of that.
Dr Spencer
That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.
Alison Griffiths
Clause 7 is definition-heavy, and rightly so; these terms decide who is regulated and who is not. My only observation is that cloud models are, as the Minister knows, evolving quickly because of the AI revolution. Definitions that track architecture too closely will age fast, so the Committee should be alert to whether these terms will still make sense in five years’ time and not just today.
Kanishka Narayan
I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.
Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.
This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Alison Griffiths ExcerptsThursday 5th February 2026
(3 weeks, 1 day ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Kanishka Narayan
What a pleasure it is to serve with you in the Chair. Clause 9 brings large and medium-sized managed service providers—MSPs—into the scope of the Network and Information Systems Regulations 2018. MSPs are organisations that provide an ongoing IT function, such as an IT help desk or cyber-security support, to an outside client. In doing so, MSPs often have widespread and trusted access to clients’ networks and systems. A single targeted attack can ripple outward, disrupting thousands of other systems. That makes MSPs attractive targets for cyber-attacks. Last year an attack on Collins Aerospace halted check-in and boarding systems at major European airports, causing international disruption. Such attacks highlight what can happen if a single point of failure is compromised, and the importance of managed service providers implementing robust cyber-protections. Despite that, MSPs are not currently regulated for their cyber-security in the UK. As organisations rely more and more on outsourced technology, we must close that gap. The clause provides essential definitions of a “managed service” and of a “relevant managed service provider” to clearly set out which organisations are in scope of the regulations.
Clause 10 imposes new duties on MSPs that have been brought into scope by clause 9. For the first time, such businesses must identify and manage risks posed to the network and information systems that they rely on to provide their managed services. As part of that duty, MSPs must have
“regard to the start of the art”,
meaning that they must consider new tools, technologies, techniques and methods that threat actors may employ. That includes artificial intelligence, and means that providers must deploy the right tools to mitigate the risks and take action to minimise the impact of incidents if they occur. By bringing MSPs into scope of the regulations and imposing such security duties on them, we will strengthen cyber-security and resilience across supply chains, reduce vulnerabilities in outsourced IT services and better protect businesses and services across the UK.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Bringing MSPs into scope is the right direction of travel, and MSPs sit at points of concentrated risk, but they are not all the same and the real risk is not size alone but the level of privileged access and cross-customer dependency. Proportionality will be critical under these provisions if we want better security, not just box-ticking.
Kanishka Narayan
I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.
Clause 11 defines what it means for a digital or managed service provider to be
“subject to public authority oversight”
under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.
In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.
Alison Griffiths
I think my hon. Friend is about to reference the commercial impacts on MSPs. We have already referenced the fact that they are of many different sizes. One of the concerns the Committee will need to consider is whether new contracts will need to be written. The level of uncertainty being created may render the existing frameworks within which they operate redundant.
Dr Spencer
I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.
Dr Spencer
The cloud providers tell me that the energy costs are crippling, which is highly problematic, and that is why we need to drive those costs down. They talk about the challenges of getting data centres built and about planning considerations, which are a concern across the country. They talk about the taxation environment and costs on businesses more generally, particularly when they are footloose, and they talk about the regulatory framework. Pretty much all of those things are not specifically in the Bill, with the exception of the regulatory framework, so there is a lot that is suppressing the opportunities for cloud providers and others in the sector and hindering them from doing business and succeeding.
There is a broader point to make about the Bill and the philosophy behind it, because there is something that we have to avoid. There is a sense in the UK that we are getting gummed up by regulation and obsessing more and more about limitations and restrictions to businesses. In that environment, people and organisations that do well financially, succeed and grow are seen as either targets or cheats—as something that we can go for, tax and punish. We have lost or diminished our can-do attitude when it comes to supporting the risk takers and the entrepreneurs, who are the people and organisations building the MSPs and data centres on which our economy relies.
Over and above that, there is a cultural issue that is impacting our IT and tech sector. As legislators we should ensure that the thing we have direct control over, which is the legislation in front of us, imposes as small a regulatory burden as possible while still ensuring that it is sufficient to meet our aims. We must listen to businesses and hear their concerns. We hear time and again that the lack of clarity, particularly in this part of the Bill, is putting them at financial and legal risk. That is a very substantial concern.
Alison Griffiths
On my hon. Friend’s point about the lack of clarity in the Bill, there is a real possibility that firms will find that an MSP has one view of an issue while their client has another. Unless there is sufficient clarity in the wording of the Bill, we will have issues.
Dr Spencer
I thank my hon. Friend for her intervention. Legal clarity is important. I have absolutely no issue with lawyers, but we do not want to make a load of money for lawyers as a consequence of the definitional challenges around the Bill’s implementation. That is not good for businesses, which need certainty as to how to apply the regulatory framework under which they operate. Regulatory uncertainty will not help a business to make decisions. My assumption is that the default position will be for businesses to assume that they are not regulated entities, which means that they will not take actions that we would like them to take as a result of the Bill. Again, we will be making laws under which everybody loses out.
My final point is about the carve-out in respect of public authority oversight. It is all well and good for the Government to say, “We have an action plan and we’re going to sort out Government IT and the cyber-security risk for Government services,” but it is not playing out that way. Our biggest risks, and the most vulnerable components of our digital IT infrastructure, are those that are linked to Government services. Change is needed. My sense is that when a company interacts and shares data with Government and public sector services, the biggest-cyber security risk is likely to be in the aspects that are provided by Government services. We are making legislation that puts a host of burdens on the private sector, yet we are largely silent about what is happening in the public sector. Putting people at risk in that way is really not good enough. We need to support our overall cyber-security.
Kanishka Narayan
Clause 12 will introduce a new power for regulators to designate critical suppliers to organisations as in scope of the NIS regulations. These are suppliers that are so pivotal to the provision of essential digital or managed services that a compromise or outage in their systems can cause a disruption that would have serious cascading impacts for our society and economy; I am thinking in particular of the Synnovis incident in 2024, when 11,000 medical appointments were cancelled across London hospitals as a result of an attack on a pathology service provider.
The clause will ensure that the power to designate can be exercised only where suppliers pose a credible risk of systemic disruption and when the regulator has considered whether the risks to the supplier cannot be managed via other means. In other words, it is a very high bar indeed.
The clause provides safeguards for suppliers, which must be consulted and notified during the designation process. It also requires regulators to consult other relevant NIS regulators when they are considering whether to designate, or decide to do so, ensuring that they have an accurate understanding of how suppliers are already regulated.
Finally, the clause provides for designations to be revoked when risks no longer apply or when a supplier has met the thresholds for regulation as a relevant digital service provider or relevant managed service provider. It should be noted that the clause does not set out the security duties on critical suppliers; these will be defined in secondary legislation following an appropriate period of consultation.
By addressing supply chain vulnerabilities, this measure will strengthen the resilience of the UK’s essential and digital services on which the public rely every day. I commend the clause to the Committee.
Alison Griffiths
The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.
Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.
The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.
As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.
There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.
UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.
My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small— I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.
Lincoln Jopp
To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.
To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:
“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;
so we cannot tell how many there are. The same page also states:
“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”
We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.
Alison Griffiths
The clause is drafted broadly, which is understandable, but in practice many of the supply chains, as my hon. Friend has ably demonstrated, involve several layers of providers and sub-providers. I would welcome clarity on how regulators are expected to approach designation in these cases, so that responsibility is clear and preparation can happen upstream, rather than only after an incident.
Dr Spencer
My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.
What happens in the circumstance where a critical supplier that acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.
Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.
Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff— I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.
If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.
It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say: “Ben, you’re completely wrong. We found some providers.”, but, if that situation arises, how will the arbitration occur in terms of the threshold?
Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)
Alison Griffiths ExcerptsTuesday 10th February 2026
(2 weeks, 3 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
Kanishka Narayan
I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.
On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.
Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.
Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
New clauses 6 and 7 sit together and are linked by the same practical concern regarding clarity and workability when an incident is unfolding.
I will start with new clause 6. Ransomware is no longer an occasional or unusual cyber-event; it is now one of the most common and disruptive threats facing essential services, digital providers and their supply chains. Written evidence to this Committee was clear that ransomware incidents are now routine, high-impact events, and that uncertainty at the outset of an attack often makes the consequences worse. The Bill rightly broadens the definition of an incident to capture events that are capable of causing harm, not just those that already have. That is the right direction of travel, but when organisations are under pressure, particularly in the first 24 hours of an incident, uncertainty slows action. Time is lost debating definitions rather than focusing on containment, escalation and reporting.
New clause 6 addresses that problem directly. It makes it explicit that a ransomware attack is an incident for the purposes of the NIS regulations, and sets out clearly what is meant by ransomware attack. It would not create a new duty; it would remove doubt from an existing one. Clear definitions support better behaviour when organisations are operating under real pressure.
New clause 7 follows naturally from that point. If we want faster and clearer reporting, the system into which organisations are reporting has to work in practice, not just on paper. The Bill expands reporting requirements and introduces new notification duties. That is understandable, but UK Finance told the Committee that many firms already support cyber-incidents under multiple regulatory regimes and that additional reporting layers risk duplication rather than resilience. When an incident is live, that duplication causes friction, slows the response and increases costs. It can reduce the quality of information being shared because teams are stretched across parallel processes rather than focused on managing the incident itself.
We do not seek in new clause 7 to reopen the policy intent of the Bill; the new clause would require a review, once these changes are in force, of how the reporting requirements are working in practice. That review would consider costs and interactions with other reporting frameworks. The new clause would also require that proposals for a single cyber-incident reporting channel be published. That is not a bureaucratic exercise; it reflects concerns raised in evidence that resilience is undermined, not strengthened, when reporting becomes fragmented at moments of stress.
Taken together, new clauses 6 and 7 are about making the system clearer at the front end and more usable overall. Clear definitions encourage timely reporting and coherent reporting channels make that reporting effective. I hope that the Committee will give serious consideration to both new clauses.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Dr Murrison, and it is always a pleasure to follow my hon. Friend the Member for Bognor Regis and Littlehampton. I will speak to clauses 15 and 16 and to new clauses 6 and 7, tabled in my name on behalf of His Majesty’s loyal Opposition.
The previous Government stated in their consultation covering the subject of cyber-incident reporting that security breaches that did not result in a successful attack could still leave organisations open to follow-up attacks. It was identified that reporting how the breach took place would also allow regulators and other organisations to prepare for similar attacks in the future. It is therefore a welcome development that clause 15 significantly increases the scope and speed of cyber-incident reporting by regulated entities to competent authorities and the NCSC.
That increase in scope is achieved by broadening the definition of reportable incidents from the current position, where only cyber-attacks having an actual adverse effect are reportable, to a position to where cyber-incidents that are capable of having an adverse effect on the operation or security of network and information systems must also be reported. The Government’s explanatory notes for the Bill state that this change in definition
“is designed to include incidents that have compromised the integrity or security of a system without causing significant disruption yet, but that could have potential significant impacts in the future.”
This has been broadly welcomed by industry stakeholders as a measure that should provide regulators with greater intelligence about emerging threats, leading to improved risk management and hardened resilience in their sectors.
On the importance of intelligence gathering, we heard evidence from David Cook of DLA Piper and Chung Ching Kwong of the Inter-Parliamentary Alliance on China, among others, about the increasing use of prepositioning and “live off the land” technologies deployed by malicious actors. Once systems are infiltrated, attackers remain in systems, sometimes harvesting data, waiting for the moment when they can cause maximum harm and disruption. Those serious risks should be flagged to regulators wherever they are identified.
Dr Sanjana Mehta of ISC2 described problems of underreporting in relation to the existing NIS regulations regime, and welcomed the principle of expanding reporting, as did Jill Broom of techUK. However, both cautioned that while some high-level factors have been provided as to the criteria indicating whether an attack should be reported, such as the number of users, impact, duration of interruption and geographical reach, what is not clear at present are the thresholds that are linked to those criteria. Those details are vital if reporting is to be successful in ensuring that regulators are kept appraised of the most serious threats.
Dr Mehta summarised that concern succinctly in her comment:
“In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators”. ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 16, Q14.]
Likewise, techUK has stated in its written briefings on the Bill that
“technically any phishing email is ‘capable of’ having a significant impact if the organisation lacks adequate detection or response capabilities. This will lead to over-reporting of low-level incidents and potentially overwhelm regulators, thereby distracting attention from genuinely significant threats.”
As in many aspects of the Bill, the problem is not on the principle but in the detail. We heard in oral evidence about the concerns of industry and regulators regarding the availability of suitably qualified personnel to build capacity for effective regulatory oversight. We must be alive to that important consideration in ensuring that thresholds are proportionate and risk-based.
The Government have stated in their factsheets on the Bill that they intend
“to introduce thresholds through secondary legislation before this measure is brought into in force”
and after a period of consultation. They have also said that those thresholds will
“clarify the points at which we would consider the impact of an incident to be ‘significant’, and therefore reportable to regulators”.
What discussions has the Minister had to date with regulated entities and regulators about the approach to consultation on these thresholds? What is the feedback on what those organisations consider to be reporting priorities?
Kanishka Narayan
Clause 24 defines key terms for this part of the Bill, and in doing so introduces two delegated powers. Those powers enable the Government to bring new sectors into the scope of the NIS regime and to designate regulators to oversee them. The power will be used only in relation to activities that are truly essential to our society and economy—in other words, where disruption could pose risks to life or the economic stability of the UK.
The powers are essential in the rapidly changing world we occupy. As we have seen with data centres and managed service providers, our society and economy can quickly become reliant on new services that are acutely vulnerable to cyber-attacks and system outages. Our legislation must be able to keep up with those changes and protect the services that matter most to our country.
Alison Griffiths
I want to use new clause 1 as a lens to view a wider question that sits underneath clause 24, rather than as a verdict on the clause itself. That question is how we decide, in a disciplined and credible way, which activities are sufficiently critical to be brought into the scope of the regime, and how that judgment is applied consistently over time.
New clause 1 would bring much of the food supply chain directly into scope through primary legislation. I understand the instinct behind that. Food supply is fundamental to public confidence, and disruption would be felt very quickly. However, if the underlying test for inclusion is systemic impact, food is not the only sector that raises these questions. I am vice-Chair of the Business and Trade Committee, and over the past year we have taken evidence on economic security from major UK firms that have experienced serious cyber-incidents. One example everyone here will be familiar with is Jaguar Land Rover. Evidence to our Committee indicated that the cyber-incident there contributed to UK GDP being around 0.1% lower than expected in the third quarter last year, which was not a marginal effect. That reflected disruption to tightly integrated manufacturing systems, with production lines brought to a halt and knock-on impacts across just-in-time supply chains and regional economies.
I make that point to underline something simple: cyber-risk presents simultaneously as operational, financial and reputational risk, and in combination those effects can be felt economy-wide. If that is the rationale for bringing food into scope early, it inevitably raises questions about other high-value sectors where a single incident can have national economic consequences.
That brings us back to clause 24 and the role of the Secretary of State. The Bill is clearly designed to allow scope for provisions to evolve through secondary legislation as risks change. That flexibility is sensible, but flexibility works only if the criteria for widening scope are clear, predictable and capable of being explained to industry, regulators and Parliament. If decisions appear to be reactive or driven by the most recent or most visible incident, confidence in the regime will suffer rather than strengthen.
That concern is reflected in the written evidence we have received. The Association of British Insurers, for example, supports higher standards of cyber-resilience, but it also emphasises the importance of clear definitions and coherence between regimes, particularly where firms are already subject to overlapping regulatory requirements. Its point is not about resisting regulation, but about avoiding uncertainty and duplication, which do not improve resilience.
My questions are ones of principle rather than position. First, what is the settled test that the Secretary of State will apply when deciding to bring a sector into scope under the clause 24 powers, and how will that judgment be made transparent to Parliament? Secondly, if Parliament were to require rapid expansion of scope, how confident are the Government that regulators would have the capacity to supervise a much larger and more diverse population without diluting oversight elsewhere?
I am not seeking to land a conclusion on new clause 1 today—I understand why it has been tabled and I recognise the seriousness of the issues that it highlights—but if we are going to widen scope, to food or otherwise, the Committee is entitled to press the Government on the discipline and guardrails that will sit behind those decisions. This needs to remain a targeted and credible regime, rather than one that expands without a clear and consistent logic.
Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting)
Alison Griffiths ExcerptsTuesday 10th February 2026
(2 weeks, 3 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
Kanishka Narayan
Clause 25 introduces a power for the Secretary of State to designate a statement of strategic priorities for the implementation of the NIS regulations. The NIS regulations are enforced by 12 different sectoral regulators. Although that allows each regulator to apply its sectoral expertise, it also means that at times they have taken divergent approaches to their regulatory responsibilities. Clause 25 addresses that by allowing the Secretary of State to set overarching objectives for regulators in the wider context of a statement of strategic priorities. The statement will replace the NIS national strategy, which the Government were previously required to produce under the NIS regulations. It will set out the Government’s priorities for the security and resilience of essential services.
To ensure that the objectives remain stable enough to enable regulators to plan their work, the clause will prevent a statement from being withdrawn or amended within three years of its designation. However, that three-year rule will not apply if there has been a general election, or a significant change in the threat landscape or in Government policy. That will allow for flexibility where appropriate. In sum, clause 25 empowers the Government to drive a more effective and consistent application of the NIS regulations.
Clause 26 establishes the process through which a statement of strategic priorities can be designated. It requires that there must be consultation with regulators, and that the statement be laid before Parliament, where it will be subject to the negative procedure. It establishes that the Government must share a draft of a proposed statement with the NIS regulators, and that the regulators must be given at least 40 days to provide comments to the Government on that draft statement. The Government must consider whether it is appropriate to make any changes to the draft statement in the light of that consultation. Once any changes have been made, they must lay the statement before Parliament, where it will be subject to the negative procedure. Following that, the Secretary of State may designate the statement.
Clause 27 establishes the legal duties that regulators will have in relation to a statement of strategic priorities. It sets out that regulators must
“have regard to the statement”
when carrying out their NIS functions, as introduced by parts 3 and 4 of the Bill. It also introduces a requirement for regulators to “seek to achieve” the objectives included in the statement.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
As we heard in written evidence from the ABI, clarity about roles really matters. Can the Minister confirm that the statement of strategic priorities is not intended to operate as indirect instruction, and that regulators will retain clear discretion where sector evidence points in a different direction?
Kanishka Narayan
I thank the hon. Member for her point. Perhaps I can give a flavour of the objectives I might expect in a statement and assure her of the independence of sector regulators. Subject to consultation, which we would expect in the build-up to any such statement, a statement might include objectives such as encouraging regulators to seek to ensure that their sectors have plans in place to increase security, or focusing on regulatory activity in areas of greatest horizontal risk. To the hon. Member’s point about sector-specific expertise and the independence of regulators, the statement is intended to set objectives to be achieved within the parameters of regulators’ existing statutory duties, and what the overarching risks are. Of course, regulators will be free to do that in the ways they think most appropriate for their sectors, in the light of their own expertise and experience. I hope that gives the hon. Member some assurance.
Clause 28 requires the Secretary of State to publish an annual report setting out, in general terms, how NIS regulators have complied with their duties in relation to a statement of strategic priorities over the previous 12 months, and how they intend to meet their duties in the following 12 months.
Alison Griffiths
As the Minister is saying, clause 28 is meant to help Parliament understand how regulators are responding to the statement of strategic priorities. Can he say a little about how substantive that reporting will be, and whether it will genuinely allow Parliament to assess how those duties are being exercised in practice?
Kanishka Narayan
The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.
Kanishka Narayan
I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.
Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.
Alison Griffiths
Having worked in business, I know that the words we use to ensure that the capabilities are there are easy to say but not always easy to deliver. How will the Minister ensure that when we have a multi-sector issue, which could easily come up—particularly, as we have already discussed, around OT and the use of IEDs across multiple sectors—the National Cyber Security Centre and other regulators will have access to the skills, people and resources necessary to manage what could be a catastrophic incident? We already know that cyber-skills are in short supply as it is, even in the commercial sector.
Kanishka Narayan
The hon. Member raises an important point. Two or three things are really important channels of impact when it comes to skills. First, the NCSC as a convening body across regulatory areas will be able to make sure that different regulators come together and learn by being able to share information not just between themselves, but through the NCSC itself as the convening body for sharing good and prompt understanding of emerging risks.
Secondly, on broader skills, the cost recovery schemes allowed under the Bill create a way for regulators to ensure they are resourced up and have the ultimate financial firepower to be able to enforce the requirements of the Bill.
Alison Griffiths
I thank the Minister for his patience. He mentions a specific example of where he will ensure that the NCSC is resourced up. Do we have specific examples that have happened already of those powers having been put in place successfully? From conversations with the NCSC, I understand that it is reliant on its accredited bodies across the country, but we have not yet—I am touching the wood of my desk, as I speak—had to respond to a complex multi-sector issue. I challenge the Minister on whether he is confident about our capability to respond to one.
Kanishka Narayan
I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.
Kanishka Narayan
Clause 29 is the key pillar of the Bill’s future-proofing powers. It allows the Secretary of State to update, amend or replace the NIS regulatory framework by creating new regulations. This is a critical provision. Due to the way in which the NIS regulations were transposed into UK law, the Government lack a way of updating the framework other than through primary legislation. As a result, our regulations have remained static amid a rapidly evolving threat landscape, leaving our essential and digital services vulnerable to attack and our resilience falling behind the EU. The clause is an important response to that problem. It will ensure that the Government can take swift action so that our cyber regulations remain relevant. It is a more proportionate and effective approach than always relying on primary legislation.
I know the use of delegated powers can be a source of concern, so I will be clear that the clause is not a carte blanche—or a blank cheque, which the hon. Member for Spelthorne might be worried about—to smuggle in anything and everything under the guise of cyber-security. It is tightly constrained to ensure that any new regulations align with the original purposes of the NIS regulations. New regulations can be made only for the purposes of strengthening the cyber-security and resilience of the UK’s most critical activities, and only where they are genuinely essential to the functioning of the UK’s society and economy. Cyber-criminals will always find ways around regulations, but with this power we can stop them in their tracks.
I have already explained the critical role that clause 29 plays in enabling new regulations to be made for the purposes of cyber-security and resilience. However, I want to be clear about how those regulations will be used and reassure the Committee of their checks and balances. Clauses 30 to 35 set out what the regulations can do.
Clause 30 enables the Secretary of State to use the regulation-making powers to impose requirements on regulated persons. It clarifies who can be made subject to requirements and the types of requirement that can be imposed on them.
Alison Griffiths
My question relates to clause 29 but also clause 30. As the Minister says, the powers are deliberately wide. The Institution of Engineering and Technology noted in evidence that predictability matters more than compliance. Will the Minister explain exactly how the Government will judge when risks require new statutory duties rather than updated guidance, so that businesses are not left guessing?
Kanishka Narayan
Any legislation made under clause 29 will need to align with the Bill’s clearly specified purposes to protect the systems that underpin our vital services. In any case, secondary legislation will require deep consultation to ensure that businesses have the sense of clarity that they require. There is a specific bar to pass for the scope of any further provisions, and it is a high bar given the definition of the sectors and the activities covered in the Bill.
Clause 30 has been designed with some clear use cases in mind. It will enable the security duties on regulated organisations to be updated with appropriate technical details. It will also ensure that more detailed thresholds for incident reporting can be set, and it is the mechanism through which we will set out the regulatory requirements for designated critical suppliers. In other words, the clause will help us to operationalise the provisions of the Bill and update the technical details of regulatory requirements in response to new risks or technology.
Clause 31 enables the Secretary of State to confer functions on regulators through the Bill’s regulation-making powers. These may be existing NIS regulators or newly appointed regulators. The types of functions that can be conferred are those concerned with compliance: monitoring and securing compliance, and investigating and managing non-compliance. To carry out such functions effectively, regulators must be able to impose penalties. Clause 31 also provides for that while putting in place important safeguards so that regulated organisations have a means of appealing penalties. The clause is essential for future-proofing the regulatory regime. It ensures that regulators can be equipped with the functions and powers they need to ensure the compliance and security of the UK’s most essential services.
Clause 32 sets out details and safeguards for how the regulation-making powers can be used when they impose or amend financial penalties. Crucially, it establishes upper limits on what the penalties can be—the greater of £17 million or 10% of turnover for an undertaking, or £17 million for a non-undertaking, or £17 million for an undertaking adjusted as needed to account for inflation. The 10% threshold has been chosen as a defensible outer limit for a regulatory regime concerned with national resilience and security. It aligns with penalties for non-compliance in legislation regulating critical national infrastructure and with the Bill’s own national security powers.
The clause further clarifies that regulations can define “turnover” and “undertaking”, where needed, to calculate a penalty. Together, these provisions create important safeguards and flexibility. They establish proportionate and transparent parameters within which penalty amounts can be set. They also enable the Secretary of State to define and consult on terms that are essential for operationalising the Bill’s new turnover-based penalties.
Like clause 31, clause 33 enables the Secretary of State to make regulations conferring functions on regulators. The functions specified in clause 33 complement the core compliance functions outlined in clause 31. They relate to the disclosure of information, issuing of guidance, record-keeping, preparation of reports, undertaking of reviews, and co-operation. The clause also enables the Secretary of State to impose functions on organisations that are not regulators but that play a public role related to the cyber-security and resilience of essential services. GCHQ, in its capacity as the UK’s computer security incident response team and technical authority, is the most important. Like clause 31, this clause is essential for future-proofing NIS regulations. It allows organisations that oversee and facilitate the cyber-security and resilience of essential services to be equipped with the tools and functions they need.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs using the powers under clause 29(1). These are the costs incurred through their functions under the NIS regulations or other obligations imposed through parts 3 and 4 of the Bill.
In practice, the clause ensures that the Secretary of State can make changes and updates to the way that regulators carry out their cost recovery function under the NIS regime. It could, for example, be used to specify further factors that regulators need to consider when establishing approaches for charging fees in the charging schemes, in addition to those already set out in clause 17. That might be needed to deliver greater consistency in how the cost recovery measures are being applied and is something that the Government will keep under review.
Alison Griffiths
As the Association of British Insurers has highlighted in its written evidence, the way cost recovery operates will shape behaviour on the ground. Can the Minister reassure the Committee that changes made under clause 34 will be transparent and proportionate and will not inadvertently discourage investment in cyber-resilience, particularly for smaller firms in supply chains?
On a personal point, could I ask him to speak more slowly? I am really struggling to hear him.
Kanishka Narayan
I apologise for the pace of my speech; I will try to make sure I am speaking more slowly.
On the particular point on transparency and ensuring that any amendments to cost recovery are both transparent and grounded in specific provisions, I can set out the sorts of expectations we have had for circumstances in which amendments might be made. In particular, the Bill’s powers will enable regulators to set up charging schemes, but it is not prescriptive—
Kanishka Narayan
The Bill’s new powers enable regulators to set up charging schemes, but it is not prescriptive about how it should do that beyond certain baseline requirements. More specific requirements, as provided for in the Bill, could become clear, such as if cost recovery mechanisms are not working effectively or if regulators are diverging unhelpfully.
All regulators must consult on charging schemes. In doing so, the industry should have ample opportunity to scrutinise the approach that regulators are taking and, importantly, Parliament should be able to add to that scrutiny as well. Like clause 31, clause 34 is essential for the future-proofing of NIS regulations.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs; I have mentioned examples of the sorts of factors we might specify in that context. Together with clauses 29 to 33, 35 and 41, clause 34 is necessary to ensure that the Secretary of State can update and amend the functions of regulators as needed in the future, and is an integral part of the Bill’s future-proofing powers.
Clause 35 is the final clause that clarifies the limits and prospective uses of the regulation-making power in clause 29. It confirms that the regulations may confer functions and allow certain functions to be delegated to others—for example, it could enable a regulator to delegate functions to inspectors. It also clarifies that regulations can be made to require a person to have regard to guidance or codes of practice, or that make provision by reference to another document or piece of guidance. In short, the clause provides helpful clarity about how the regulations could be applied.
The Chair
I thank the hon. Lady for her point of order. It is a convention, and if the hon. Lady or any other Member wishes to sit on the Front Bench to make life easier, they certainly have my permission to do so.
Alison Griffiths
Further to that point of order, Mr Stringer. Genuinely, I simply need the Minister to speak slowly and clearly. Yes, I am wearing hearing aids; I am sure that others wear them too. I am doing my very best to make sure that I can lip-read, but that is almost impossible given the speed the Minister is speaking at. One cannot lip read when he is looking down all the time either.
The Chair
I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.
Kanishka Narayan
First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.
On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would be closely regulated entities to ensure the proportionate implementation of codes.
Alison Griffiths
We heard from the Information Systems Audit and Control Association that codes work best when they reflect operational reality. Given their evidential status, can the Minister reassure the Committee that codes will remain practical and iterative and not quietly harden into rigid compliance rules?
Kanishka Narayan
I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.
Kanishka Narayan
Clause 41 gives further detail on the sorts of provisions that can be included in regulations made under clause 24 and chapter 3 as a whole. It confirms that regulations can make different provisions for different purposes, different categories of person or different areas; can make provisions for how those regulations apply to the Crown or UK territorial waters; and can include consequential, supplementary, incidental, transitional or saving provisions. The clause also defines how certain terms used in regulations should be interpreted, such as “relevant UK waters” or “primary legislation”. In summary, the clause provides important points of clarification about how the regulation-making powers in the Bill can operate. I propose that clause 41 stand part of the Bill.
Clause 42 sets out the consultation requirements and parliamentary procedure that apply where regulations are used to designate new essential services or regulators, to impose regulatory requirements or change regulator functions, or to amend requirements for the five-yearly legislative review.
Alison Griffiths
These procedures are standard, but the powers they apply to are significant. Where regulations under part 3 would materially expand duties or bring new actors into scope, have the Government considered whether those should receive deeper scrutiny in practice, even if the formal procedure remains the usual one?
Kanishka Narayan
I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.
In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.
In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)
Alison Griffiths ExcerptsTuesday 24th February 2026
(3 days, 21 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 24 February 2026 - (24 Feb 2026)
Kanishka Narayan
My hon. Friend is right. Where the Conservative party did absolutely nothing and continues with its hypocrisy, I am glad to inform hon. Members that this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
New clause 5 simply asks the Government to commit to reporting back on meeting the milestones they have set themselves for increasing cyber-security standards. Is the Minister confident in the Government’s ability to deliver on their cyber strategy, or is the document not worth the paper it is written on?
Kanishka Narayan
I simply repeat my prior sentence: this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.
In addition, the Government’s cyber action plan was published in January this year. It sets out how the Government will rapidly improve the cyber-security and resilience of public services to deliver a step change in cyber and digital resilience across the public sector. The plan sets out clear accountability structures to ensure that cyber-risks at all levels of Government are actively owned and effectively managed, with those responsible held to account.
Alison Griffiths
The continued use of legacy IT equipment is a particular vulnerability across the Government estate. That will take some time to address entirely, but is there a strategy in place to prioritise the upgrading of this legacy equipment, given that it is one of the greatest areas of exposure?
Kanishka Narayan
The hon. Member makes a very important point. We have heard of two major sources of risk from a cyber point of view: legacy technology and technology debt, and frontier AI attacks. The Government’s cyber action plan is not technology-specific, but both those sources of risk are very much on my mind, and I will make sure they are also on the mind of those implementing the Government’s cyber action plan.
I assure Members that we will continue to work with Parliament to support oversight of the plan’s implementation and to explore additional avenues for scrutiny of the Government’s cyber-resilience to guarantee the right level of accountability. I therefore kindly ask the shadow Minister to withdraw his new clause.
Question put, That the clause be read a Second time.