Andrew Cooper extracts from Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting) (3rd February 2026)

Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

Andrew Cooper Excerpts

Railways Bill (Ninth sitting)

Tuesday 3rd February 2026

(1 day, 9 hours ago)

Public Bill Committees

Share Debate

Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Lincoln Jopp

- Hansard - - - Excerpts

Q I want to come back to that point. Chris, you said something like, “SMEs find it very difficult, if not impossible, to bear the regulatory burden, so we have to be very careful when designating SMEs as operators of essential services.” To me, that says that you think the Bill, as currently drafted, will place too much of a regulatory burden on SMEs. Is that correct?

Chris Parker: I was referring to strategic and critical suppliers, which is a list of Government suppliers. We are advocating that the level of governance and regulatory requirement inside an organisation is difficult, and it really is. It requires quite a lot of work and resource, and if we are putting that on to too small a supplier, on the basis that we think it is on the critical path, I would advocate a different system for risk management of that organisation, rather than it being in the regulatory scope of a cyber-resilience Bill. The critical suppliers should be the larger companies. If we start that way in legislation and then work down—the Bill is designed to be flexible, which is excellent—we can try to get that way.

As a last point on flexibility—this is perhaps very obvious to us but less so to people who are less aware of the Bill—there is a huge dynamic going on here where you have a continuum, a line, at one end of which you have the need for clarity, which comes from business. At the other you have a need for flexibility, which quite rightly comes from the Government, who want to adjust and adapt quite quickly to secure the population, society and the economy against a changing threat. That continuum has an opposing dynamic, so the CRB has a big challenge. We must therefore not be too hard on ourselves in finding exactly where to be on that line. Some things will go well, and some will just need to be looked at after a few years of practice—I really believe that. We are not going to get it all right, because of the complexities and different dynamics along that line.

Carla Baker: This debate about whether SMEs should be involved or regulated in this space has been around since we were discussing GDPR back in 2018. It comes down to the systemic nature of the supplier. You can look at the designation of critical dependencies. I am sure you have talked about this, but for example, an SME software company selling to an energy company could be deemed a critical supplier by a regulator, and it is then brought into scope. However, I think it should be the SMEs that are relevant to the whole sector, not just to one organisation. If they are systemic and integral to a number of different sectors, or a number of different organisations within a sector, it is fair enough that they are potentially brought into scope.

It is that risk-based approach again. But if it is just one supplier, one SME, that is selling to one energy company up in the north of England, is it risk-based and proportionate that they are brought into scope? I think that is debatable.

Andrew Cooper (Mid Cheshire) (Lab)

- Hansard - -

Q Carla, I want to come back on the potential for unnecessary over-reporting of incidents. I cannot speak for the Minister, but I am sure it is not his intention that every phishing email is reported. I was listening carefully to what you said about your proposed tiered approach, and I can imagine, say, a situation where you are United Utilities and you intercept somebody trying to put a pre-emptive virus on to one of your industrial control systems. There has been no impact on customers or your infrastructure, because you have caught it. However, I would argue that it is quite important that United Utilities share that information with the regulator and that that information is disseminated to Severn Trent, Thames Water and whoever else needs to know, so they can patch their systems, look out for the virus or find out whether they have been infected already.

I can imagine that the legislation has been worded as it is to try to capture that situation where activity might occur, but not have an impact. Would you accept that that is important, and how would that fit in with the tiered approach that you described?

Carla Baker: I completely get your point. We have looked at that; my legal colleagues have looked at things such as spyware, where you have malware in the system that is not doing anything but is living there, for example, or pre-emptive, where they are waiting to launch an attack, and we think this amendment would still cover those scenarios. It is not necessarily cause and impact: the lights have not gone out, but if there is, for example, a nation state actor in your network, we think the amendment would still cover that.

Dr Spencer

- Hansard - - - Excerpts

Q I would also like to ask some questions on this definition of critical supplier. I know you will have heard the questions I had for the other panel. Is there a danger, in the way this Bill is approaching definitions of critical suppliers, that a supplier may end up being deemed critical solely by virtue of supplying to a critical industry, rather than the criticality of that particular supplier in the ecosystem?

Chris Parker: Yes, absolutely.

Carla Baker: Yes, completely. That is similar to my point, which was probably not explained well enough: how you are deemed critical should be more about your criticality to the entire ecosystem, not just to one organisation.

--- Later in debate ---

Lincoln Jopp

- Hansard - - - Excerpts

Q To be very clear, the three regulators we had here today were the Information Commissioner, Ofgem and Ofcom. If they thought that they had a locus because of something that that hospital did, all three would do the step test, they would come up with their bucket of SMEs that they wanted to bring into scope, and those would be added together and that would be the impact.

Kanishka Narayan: Yes, I guess, added together in the sense that they would be separately regulated, but they would all come within the scope of the regulations. Where there is an overlap in the party being regulated, my hope is that the Bill provides for individual regulation, but is very much open to the prospect of a lead regulator engaging in a softer way with the other regulators, as long as each regulator feels that that has assured them of the risk.

Andrew Cooper

- Hansard - -

Q We have heard evidence today about the appropriateness of individual sectoral regulators being responsible for this, versus a single regulator. Perhaps unsurprisingly, the sectoral regulators were in favour of a sectoral approach, and we heard differing views from other people. The hon. Member for Bromsgrove already covered the point about whether there are sufficient skills available to staff up all the sectoral regulators to the appropriate level to adequately cover this function.

We have heard quite a bit about how important it will be, if taking a sectoral approach, to make sure that sharing information between regulators works smoothly, and that there are no information silos. The witness from Ofcom talked about an annual report to the National Cyber Security Centre. That sent chills down my spine, though I am sure she did not mean it quite in that way. How will you ensure that there is an adequate flow of information between regulators in a timely manner? They might not realise that there is cross-sectoral relevance, but when that information is provided to another regulator, it might turn out that there is. How do you address the importance of a single point of reporting that we heard about time and again from witnesses today?

Kanishka Narayan: Those are really important points. In terms of supporting the quality, frequency and depth of information sharing, first, the Bill provides the legal possibility of doing that in a deeper way. It gives the permission and the ability to do that across regulators.

Secondly, in the light of the implicit expectation of that information sharing, the National Cyber Security Centre already brings together all the relevant regulators for deeper conversation and engagement on areas of overlap, best practice sharing, and particularly the sharing of information related to incidents and wider risk as a result. I hope that will continue to be systematic.

On the question of a single reporting avenue, the National Cyber Security Centre, from an incident and operational point of view, is clearly the primary and appropriate location during the implementation of the Bill. From my conversations with the centre and its conversations with the regulators, I know there has been engagement to ensure that it remains a prompt venue for regulators to feed in their information.

Andrew Cooper

- Hansard - -

Q With respect, Minister, that sounds like quite a lot of, “This is what I hope will happen and this is what I wish to happen.” How will you mandate that it happens? Does there need to be something in the legislation to ensure that there is a duty of candour between regulators?

Kanishka Narayan: The Bill currently says, “We are now giving you the power to be able to do information sharing.” The Bill, as well as other specific bits of wider legislation, has clear expectations on regulators to carry out their regulatory duty. If there appears to be a challenge in the frequency and quality of information sharing, we will of course look at whether we need to go further, but at the moment, giving them substantive permission and the fact that they have clear regulatory responsibilities individually is a very powerful combination.

The Chair

- Hansard -

I think this might be the last question to the Minister.