Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting) Debate
The Opposition are trying to make it clear that ransomware needs to be in the scope of the reporting. It is really for the Minister to answer if he thinks there are problems with the new clause, and if so, how the Government will go about taking that forward. The widespread and highly damaging nature of ransomware attacks—which are often perpetrated by criminal groups at scale and speed—means that regulators need to have a detailed oversight of this area to prevent those attacks from being deployed more widely. Therefore, the new clause is intended to ensure that all ransomware attacks on regulated entities are reported, regardless of severity or potential severity, so that the risks are picked up.
In tabling new clause 6, I am acutely aware of the existing reporting burden for regulated entities and regulators. Since tabling it, we have heard impactful evidence from Carla Baker from Palo Alto, who highlighted the number of cyber incidents and false positives that many companies encounter each day. As I said in response to an intervention, in the absence of measures brought forward by the Government to address the widespread and urgent risks presented by ransomware attacks—and as the Government themselves identify as part of the Home Office’s review—it would be proportionate to make specific reference to ransomware in the reporting requirements on regulated entities in the Bill.
New clause 7 reflects the concerns of regulated bodies and industry representatives who have set out many, many times—in oral evidence and beyond—the need to ensure that reporting obligations are clear and, as far as possible, simplified across the many different incident reporting regimes that exist for providers of digital services. The new clause would compel the Secretary of State to publish an assessment of the impact of the new reporting regime on regulated entities in the Bill within 12 months of Royal Assent. Importantly, in line with the clear requests articulated by many stakeholders who gave evidence last Tuesday, it requires the Government to publish proposals for the creation of a single cyber incident reporting channel for relevant bodies.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
I worked for the AI and digital regulations service in the NHS. We were linking with all of the regulators to try to have a one stop, one shop door approach to how we do things. It was incredibly difficult, and three years on we were still ironing out all the glitches. New clause 7 is laudable, but because I know how difficult it is, a 12-month proposal is a very tight timeframe in which to try to get this right.
I thank the hon. Lady for her intervention. New clause 7 puts forward an assessment of the impact. It is not intended to make definitive changes, but to give time. I have confidence in the Government and the Minister that within 12 months—it is the kiss of death to say that one has confidence at the minute, is it not? [Laughter.] I apologise to the Minister.
Dr Gardner
I will defend myself: my point was not a criticism of the Government. I just know how hard it is for regulators to work together and iron out cross-working. They were very confident in their information-sharing skills, but it is more difficult than that. It was just a kindly meant reminder that there is not an easy solution, and that 12 months is a bit of a tight timeframe.
I very much take the hon. Lady’s point and the constructive spirit in which it was presented. Twelve months is a long time for the operations of Government to function, and I have faith—I will change my words—in the Government and all of their powers if they wanted to put their minds to bringing this forward. If there are concerns about the ability of the Department for Science, Innovation and Technology to take this forward, those concerns would spill over into all of the consultation requirements that have to be met to make sure that this Bill functions in the correct way. The argument on what we are debating today could swing both ways.
Industry stakeholders have expressed strong concerns regarding the diverse incident reporting requirements that exist in several pieces of legislation, including UK GDPR, sector-specific regulation and the Telecommunications (Security) Act 2021. As we have already discussed, the Home Office may also bring forward guidelines for reporting ransomware incidents in future. Additional reporting requirements and procedures included in the Bill are viewed as adding a further layer of complexity to a legislative environment that is already very challenging to navigate. Stakeholders report that the current approach, with multiple different reporting procedures and platforms, increases regulatory compliance costs on businesses and detracts from the resources available to implement effective improvements in cyber-resilience. In view of that, will the Minister support this urgently needed review clause to assure industries that the Government have heard their serious and vital concerns on the matter?