Cyber Security and Resilience (Network and Information Systems) Bill
Andrew Cooper ExcerptsTuesday 6th January 2026
(1 week, 4 days ago)
Commons ChamberRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Julia Lopez
Absolutely. The hon. Gentleman is correct: this is fundamentally about culture—that is the point that I am making. We can pass as many regulations as we like, but a lot of the holes in our cyber-security systems come down to human frailties. That means this challenge is not just about new laws but about changing a number of things to make us more resilient.
It is right not to dictate technical standards in primary law that will soon be outdated in the fast-moving world of technology, so the question is whether this law has the right mix of carrot and stick to make affected firms act in a way that raises the security bar—there are several areas where we fear it may not.
First, there is potentially an enforcement paradox. The Bill expands regulatory powers and increases the scale of potential fines, but the evidence from the existing regime does not suggest definitively that fines and new regulations deliver us greater cyber-resilience. Under the current NIS regulations, enforcement has been slow, inconsistent and often toothless. Very few significant penalties have been issued. Where they have been issued, the delay between incident and sanction has sometimes stretched beyond two years. That delay matters, because it actively undermines deterrence and disconnects accountability from operational reality. Simply widening the scope of regulation without ensuring that regulators are properly resourced, empowered and required to act quickly risks creating obligations that exist on paper but lack any real-world bite.
We also have concerns about the Bill’s cost recovery model. Funding regulators through levies on the organisations that they oversee risks unintended consequences in terms of improving our resilience. For large firms, the cost burden may be manageable, but for smaller enterprises it amounts to an additional operational tax that could divert scarce capital away from cyber-defence, staff training and innovation.
There is also a structural risk here. Regulators that are reliant on fee income might face incentives to expand scope and complexity unnecessarily, creating bureaucratic drag that crowds out voluntary, market-led initiatives, which often raise standards more effectively than prescriptive regulation.
More generally, I worry that this Bill will play into tech monopolies. The companies that thrive in this kind of environment are those with big compliance and legal departments. That concentrates risk and makes our tech economy less diverse, with serious implications that I shall come on to.
There may be reporting challenges too. A two-stage reporting process within 24 and 72 hours may be achievable for large, well-resourced organisations with in-house cyber teams, but for smaller operators it risks creating a compliance culture focused on speed, not substance.
There is also the danger of duplication. Many organisations already face overlapping reporting obligations under UK GDPR, sectoral rules and existing legislation. Without simplification and proportionality, the administrative load could be significant, once again diverting attention and resource from the very cyber-threat management that the Bill seeks to improve. We need to avoid this legislation becoming a “something must be done” Bill that totally misses the mark.
The Bill also fails to grapple properly with the human factor in cyber-security, which has already been talked about by the hon. Member for Harlow (Chris Vince). Technology alone does not keep organisations safe; governance matters. Yet board-level ownership of cyber-risk is moving in the wrong direction. Only 27% of businesses now have a board member explicitly responsible for cyber-security, down from 38% just three years ago. Without mechanisms to ensure senior accountability, fines risk becoming little more than a cost of doing business. Directors remain insulated while operational teams are left to carry the can. National cyber-resilience depends not just on systems and software, but on leadership, culture and accountability at the very top.
For those reasons, ahead of Committee consideration, we on the Opposition Benches are examining how the legislation can be strengthened, while continuing to support its core objectives. In the meantime, regulators must be properly equipped with the right powers, resources and clarity from Parliament on the intent of the law. Sanctions must be applied swiftly and consistently, and guidance must be clear, so that enforcement is credible and deterrence is real.
The Government should also look at how reporting obligations are calibrated. A one-size-fits-all approach might place disproportionate burdens on smaller firms, and it might be better to ensure that reporting thresholds reflect the size, complexity and risk profile of an organisation.
Equally, the funding of regulators must be transparent and predictable. There have to be safeguards against regulatory expansion for its own sake and firm assurances that funds raised are reinvested directly into improving national cyber-resilience, not absorbed by administrative overheads. While the Bill rightly prioritises critical national infrastructure, it cannot afford to ignore high-risk sectors that sit beyond its immediate scope.
There is also a major role for market-based solutions. Cyber insurance, sector-wide intelligence sharing and collaborative resilience initiatives can all complement regulation. These tools can reduce risk and improve preparedness without adding unnecessary legislative complexity.
The review cycle set out in the Bill may be too slow for the threat landscape we face and the pace of technological change. Annual or biannual reviews might allow Parliament to scrutinise effectiveness, respond to emerging threats and ensure that the legislation remains fit for purpose.
Let me make some more general points about the Government’s approach to cyber-security and resilience, and issues about the risk of dependence and threat from adversaries. I see no evidence from this Government that they are thinking with any clarity about the risks of long-term technological dependency and lock-in—quite the opposite, in fact. Large parts of our economy now depend on secure, high-quality digital infrastructure, and that reliance will only increase as AI advances. Whoever provides that infrastructure will wield huge future leverage. It was that reality that ultimately drove the change of heart over Chinese tech sitting at the core of our 5G telecom networks a few years ago.
However, the Government are seemingly betting every chip on US hyper-scalers. They provide our data centres, supply the platforms on which Government Departments are run and, more often than not, are the ones winning all the Government contracts. These investments will provide our companies with things that they need, from compute power to increasingly sophisticated AI platforms, but the UK is doing little simultaneously to mitigate our increased technological dependency. When I say “technological”, we need to understand that technology is what we now run our defence systems, factories, energy networks and communications on. Technology is the plumbing of our nation.
During September’s much crowed-about state visit by President Trump, this Government were visibly begging for good economic headlines after the humiliating resignations of the Deputy Prime Minister and the ambassador to the US, not to mention the uncontainable mess of the Chancellor’s first Budget and the threat of her second Budget. The US-UK tech partnership was the result, with a huge amount of smoke and mirrors deployed over what it actually contained. Whatever substance lay within it, we heard just before Christmas that it had been paused, used as leverage by the US while other trade negotiations were under way.
I am not criticising the US Administration for skilfully playing their hand in their national interest; I am asking this Government rapidly to wake up to the reality of a new world in which the post-war settlement is coming to an end—one that has been giving clues to its existence for many years, since long before President Trump came into office. The United States remains a vital ally, but in this new era Britain must be very clear-eyed about risk, the reality of hard power and the need to protect our sovereign interests.
Cyber-risk requires as much thought about the fundamentals of plumbing as it does about the laws that try to manage how humans use or exploit technology. The UK Government have a vast procurement budget for which our own firms ought to be able to make a successful bid, but UK tech tells me consistently that, for all the talk in the Government’s AI strategy of sovereign tech capability, it has not got a look-in since Labour has been in power. I am concerned that this Bill should not introduce new, burdensome regulation for UK firms in a way that benefits non-UK incumbents with giant compliance teams and legal resources in a way that would exacerbate the risk of vendor lock-in.
Let us turn to another risk. The private sector will have noticed that the new obligations in this Bill broadly do not touch the public sector, where cyber-risk remains red-light-flashingly large, notwithstanding the public cyber strategy that was thrown out today in implicit acknowledgment of that gaping hole. Knowing that the public sector holds such enormous cyber-risk, this Labour Government choose not to minimise it, but to create a brand-new one—a hulking great identity system mandated for anyone who wants a job and, we now hear, possibly for new-born babies. It is mandatory identity by stealth, not consent, and with no honesty about it.
It is not to be against the ability of people to verify themselves digitally for banking, to access certain online services or to stop fraud to think that Labour’s mandated digital identity plan is a complete rotter. The Association of Digital Verification Professionals called what Labour inherited on digital identity a
“world-leading model for data sovereignty that digitised liberty rather than diluted it”.
The citizen, not Government, would be in control. This naive Government are crowding out private sector expertise and making everyone have one of these identities by stealth. They have no idea what this system will cost, and they will not be honest about what it will be used for.
What of the cyber-security of this system? The system on which this digital identity will be run was breached during red team testing last year. When I asked the Secretary of State if that system has now met the National Cyber Security Centre’s cyber-security standard, no answers came. Whistleblowers have continued to speak out about the vulnerabilities of the system, and there is no sense whatsoever from Government that the dodgy digital identity plan will be paused until such a point when they are confident about cyber-security.
Andrew Cooper (Mid Cheshire) (Lab)
I am absolutely staggered to hear the shadow Secretary of State talk about standard software testing practices as though someone is doing wrong by trying to penetrate systems and find flaws in them. Is not the whole point of software testing to find the flaws in a system and get them fixed, rather than parading them in front of the House of Commons as though they are some sort of failure?
Julia Lopez
The hon. Gentleman is wilfully misinterpreting what I am saying. There is not an issue with having systems tested; there is an issue with the fact that the system test failed. There is no evidence that the Government have therefore acted to deal with those systemic failures.
Julia Lopez
The whistleblowers continue to raise serious concerns about the structures upon which the Government’s digital identity platform will be built. The hon. Member looks absolutely outraged that I might suggest there are some concerns about the cyber-security risk of a national, mandated digital identity platform. I find it extraordinary that he suggests that I am expressing concerns that a system might be tested. Of course every system must be robustly tested—that is not the point I am trying to make, and the hon. Member is being wilfully ludicrous in suggesting otherwise. This Prime Minister cannot run an economy, keep promises or control his Back Benchers, or his Front Benchers, so how on earth does anybody think he can run a secure digital identity system?
At the same time as risking technological lock-in by friendly allies, we are creating new vulnerabilities for adversaries to attack. Just before Christmas, UK intelligence agencies warned about increasing, large-scale cyber-espionage from China, targeting commercial and political information. We discovered from Ministers that the Foreign Office itself was the subject of a major cyber-attack in October, which officials believe was carried out by Chinese hackers, and this came in the midst of a major row between the Government and the Crown Prosecution Service about the prosecution of spies operating here in Parliament.
We will be looking closely at this legislation to identify where the Government should be addressing this cyber-reality with much greater force. An approach to cyber-resilience that looks only at introducing new regulations and compliance burdens without thinking through risks such as a mandated identity scheme, dependence on non-sovereign suppliers, the malign intent of other nations, and a failure to build up our own workforce and skills is one that will fail.
Andrew Cooper (Mid Cheshire) (Lab)
It is a privilege to follow my hon. Friend the Member for Milton Keynes Central (Emily Darlington), who made a fantastic speech. I do not think mine will be of quite the same quality, but I will do my best.
Having spent my career prior to entering this place as a software developer, it is perhaps not so much a pleasure as a blast of nostalgia to be speaking on this Bill today. The Bill provides for an important and long-overdue update to the NIS regulations, and provides the means to keep those regulations up to date more quickly as new threats emerge. That was a massive gap in our capability left behind by the rather haphazard and cavalier manner of our departure from the EU, and it is absolutely right that we resolve it as soon as we can.
It is a cliché to say that the nature of the threats we face has changed. Whether it is state-sponsored cyber-attacks, hacktivism, identity theft or ransomware attacks, those threats can have a widespread and significant impact on people’s lives, on the wider economy, and on our safety and security. Many Members from across the House have noted the cyber-attack on Jaguar Land Rover —which led to that company posting a loss of £485 million last year and, as I think we heard earlier, to a £2 billion impact on the wider economy—and the Co-op infiltration, which cost that retailer at least £206 million. However, this is not a new issue, and virtually no area of the economy has not experienced attempts to penetrate its systems and cause disruption or steal data.
Cameron Thomas
The hon. Member speaks of the cyber-attacks on Jaguar Land Rover and the Co-op. Those who pay council tax to Gloucester city council have concerns that following a Russian cyber-attack in 2021, that council recently discovered a £17.5 million deficit. Will the hon. Member recognise that too?
Andrew Cooper
I thank the hon. Member for his intervention. I confess that I am not an expert on the IT of Gloucester city council, but I am sure the Minister has heard his intervention, and may wish to respond in his summing up.
I welcome the measures in the Bill to bring managed service providers and data centre infrastructure into scope. When I began my career working on hotel reservation systems, legacy on-premise infrastructure was the standard operating practice. Some organisations would develop their own line of business systems and some would buy in, but virtually all would be hosted on their own servers, often with clever names such as Spartacus, Xena or Buffy the Vampire Slayer—names that I worked with over the years.
That situation changed for a whole pile of reasons, such as the need to support more public access, the requirement to facilitate more home working, huge increases in the speed of domestic and business broadband, the need to provide failover, redundancy and scaling, the shift away from big capital investment towards infrastructure as a service, and wanting to benefit from more rapid roll-out of features and applications that require significant server infrastructure behind them, such as we have seen more recently with AI. Systems have been moving virtually wholesale to those that are managed remotely and sandboxed to multiple organisations, and towards virtual servers or services in data centres, rather than on-premise tin.
Bringing these two areas into scope is obvious, and it is long overdue. I offer a note of caution about this part of the Bill, and it relates to the threshold at which the regulations apply. For managed service providers, we need to ensure that we are providing appropriate levels of cyber-security without blocking new entrants to the market. That applies to critical suppliers, too. The risk is that we end up boosting the hegemony of the big outsourcers and IT suppliers, rather than being able to support new domestic entrants. There is a risk of vendor lock-in, as we have heard several times today. Equally, the threshold on data centres appears to have been set so high that only larger ones will be in scope. I hope that the Minister will keep both of those points under review as the Bill progresses and think about how we can strengthen this provision to strike the right balance.
The other area of the Bill that I want to talk about relates to the regulators. The Minister set out in his opening remarks why he believes a sectoral approach is appropriate, and there is merit to that argument. Sectoral regulators have deep, long-standing institutional knowledge and they understand how the processes work in their sector. However, as I touched on earlier, the consequences of failure are enormous, with real-world impacts on people’s everyday lives. We should not expect an overarching cyber regulator to have the domain-specific knowledge of the water sector or the air traffic control sector, and nor should we expect every sectoral regulator to carry the expertise of how modern scalable data centres that detect faults automatically and automatically failover to different regions or different jurisdictions work. We just need to think about what the priority of an individual sectoral regulator will be, because it will not necessarily be cyber-security. We have to get the balance right, and we need to listen to the sectoral expertise on that.
In conclusion, this Bill is an important and long-overdue update to the UK’s cyber-security framework. I look forward to working with the Government to get the scope and scale of these regulations right and to ensure that all the systems that we rely on every day are secure in the face of current and emerging threats.
Oral Answers to Questions
Andrew Cooper Excerpts(1 month, 3 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Stephanie Peacock
The Chancellor set out the Budget yesterday. We believe that we have made fair choices. The Minister responsible for gambling will have heard the hon. Gentleman’s question, and I will relay it to her.
Andrew Cooper (Mid Cheshire) (Lab)
The Minister for Creative Industries, Media and Arts (Ian Murray)
Strong evidence from the city of culture programme proves that supporting local culture pays both economic and social dividends for those areas and the wider public. The town of culture is a new competition to ensure that smaller places can share that real impact, by shining a spotlight on places and enabling them to tell their stories. The winner of the new town of culture competition will receive £3.5 million and, for the first time ever, as confirmed from the outset, the city of culture winner will receive £10 million. There has been much excitement about the new town of culture competition and I look forward to those bids coming in.
Andrew Cooper
Northwich and Winsford, in my constituency, have long punched well above their weight when it comes to cultural vibrancy and creativity. Winsford, in particular, has earned a proud reputation as an incubator for musical talent, with emerging acts, such The Luka State and The Voke, making waves on the national indie music scene. Meanwhile, Northwich has firmly established itself as the events capital of Cheshire, hosting standout occasions including the Now Northwich International Street Dance festival, The Charlatans’ North by Northwich takeover and, of course, the world-famous Piña Colada festival. Does my hon. Friend agree that Mid Cheshire makes an outstanding contribution to the UK’s cultural landscape, and will he consider supporting a joint bid from Northwich and Winsford for the town of culture competition?
Ian Murray
Mr Speaker, I would never presume to know your diary, but I feel as if we should go together to the Piña Colada festival, just to take one for the team and see what that is all about. Since I gave my answer to my hon. Friend’s substantive question, I have been lobbied by both Wigan and Scunthorpe for town of culture as I was sitting on the Front Bench. The culture and creativity celebrated by towns in Mid Cheshire is superb, as we have heard, and the examples my hon. Friend provided illustrate how the area is already showcasing local creativity and talent. We are thrilled that the UK town of culture competition will provide an excellent platform for towns like those, UK-wide, to highlight those causes, and we look forward to receiving bids from those towns, once the submission window opens shortly.
Sport: Team GB and ParalympicsGB
Andrew Cooper Excerpts(1 year, 3 months ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Andrew Cooper (Mid Cheshire) (Lab)
It is a pleasure to follow the hon. Member for North Cornwall (Ben Maguire), who gave a passionate if controversial maiden speech. It is also a pleasure to follow my hon. Friend the Member for Warrington South (Sarah Hall), whose father-in-law is one of my predecessors as MP for Northwich. I pay tribute to Mike Hall, whose contribution towards getting the funding we needed to stop the town sinking into a big hole of subsidence was vital.
I am grateful to you, Madam Deputy Speaker, and to the House for the opportunity to make my maiden speech in this important debate on sport, following the incredible achievements of our Olympians and Paralympians at this year’s games. We are lucky enough to have a great record of sporting success in Mid Cheshire. Our own Paula Radcliffe, who needs no introduction, achieved incredible feats in athletics over her long career, smashing the marathon world record.
Northwich rowing club’s Matt Langridge won gold at Rio in the men’s eight. The club, which has a proud tradition of breaking the perception of rowing as an elitist sport, told me about the “Matt Langridge” effect, as more young people have taken up the sport with that club than ever before.
And this year, the awe-inspiring Poppy Maskill, from Middlewich, who was mentioned by the shadow Minister, not only swam her way to five medals, a world record and the accolade of being the most successful British athlete at this year’s Paralympics, but was given the honour of being the GB flagbearer at the closing ceremony.
I cannot leave this list without mentioning my mum, who got the running bug after I was born—I do not think the two are related—and went on to win the gold medal in the 10,000 metres at the European veterans championships in 2013. All these athletes, and others like them, have been an inspiration to the next generation of runners, rowers and swimmers. It is fitting that we honour them and their achievements today.
It is a tremendous honour to have been elected to represent Mid Cheshire, and our three great and historic salt towns of Northwich, Winsford and Middlewich. The last constituency to bear the name—back then, a two-member constituency with a strong pedigree of electing men with beards and the same surname—was abolished in 1885. Thanks to 139 years of boundary changes, I now pay tribute to not one but four predecessors.
Mid Cheshire gained the village of Rudheath from the right hon. Member for Tatton (Esther McVey), who has represented the area since 2017. I thank her for her service. It seems that Rudheath’s loss is Lymm’s gain, and I am sure the people of Lymm can look forward to many years of common-sense solutions to the challenges they face.
Middlewich was transferred from Congleton, formerly represented by Fiona Bruce. She served as a Member of this House for 14 years and, prior to that, as a councillor in Warrington for six years, a remarkable 20 years of public service that is testament to Fiona’s character. I know her former constituents appreciated her hard work and advocacy on their behalf, and her focus in Parliament on championing the right to freedom of religion and belief. I pay tribute to her as a campaigner for better transport infrastructure in her constituency, something on which I hope to build in my time here.
I gained Winsford from the former constituency of Eddisbury, represented by Edward Timpson from 2019, who prior to that served as the Member for Crewe and Nantwich. Edward’s outstanding work on improving the life chances of fostered children will undoubtedly shape his political legacy. Edward said in an interview in 2014 that he would not have been Children’s Minister and he would not have been a family lawyer if his parents had not fostered. He may no longer be a Member of Parliament, but I am certain we have not seen the last of Edward’s contribution to public life.
Finally, I pay tribute to my good friend, my hon. Friend the Member for Runcorn and Helsby (Mike Amesbury), who has represented Northwich these past seven years. Colleagues from across the House will know of his loyalty and his diligence, as well as his successful campaign from Opposition to make school uniforms cheaper for all. He has been unfailingly kind and supportive towards me, and extremely generous with his time and sound advice. I was until recently a councillor in Northwich, so I know at first hand how assiduously my hon. Friend worked on behalf of his former constituents, and how highly regarded he is locally. He certainly leaves some big shoes to fill.
Each of my predecessors would have been a worthy custodian of the constituent parts that now form Mid Cheshire, but these areas are not just names on a map—they are vibrant communities, each with its own natural beauty, rich history and promising future. The towns of Northwich, Middlewich and Winsford were predicated on the salt industry. From the Roman era to the industrial revolution, these towns have been shaped by the salt deposits found beneath their foundations and their strategic location at the confluence of several waterways that have been exploited to support trade, transport and our communities’ growth.
In the best tradition of British innovation, the people of Mid Cheshire have found interesting things to do with the holes in the ground after the salt has been removed. The Adelaide mine in Northwich once hosted a banquet for Emperor Nicholas I of Russia, with over 10,000 candles illuminating the orange crystal banqueting hall, all 130 feet below the surface. Today, the Winsford salt mine keeps the nation’s secrets, with over 33 km worth of papers from the National Archives stored safely underground, while just outside Middlewich, preparations are well under way to store the hydrogen produced by Cheshire’s Hynet project in the salt seam below.
The salt mines, canals and rivers that run through my constituency have played a pivotal role in shaping the local economy and culture and each has left an indelible mark on our landscape and identity. But these towns are not just about salt and their storied past; today, they are thriving places that are built on resilience, innovation and community spirit.
Northwich is a vibrant town with an exciting and lively events programme. The Now Northwich international dance and street arts extravaganza has delighted visitors with giant insects, peacocks, princesses and rainbow butterflies, while the annual Piña Colada festival, inspired by Northwich-born Rupert Holmes’s song “Escape”, which I will not provide a rendition of now, has become an important fixture of life in the town centre.
These events and dozens more like them would not be possible without the council, local businesses, rotarians and community groups all pulling together and supporting the town centre to make it the events capital of Cheshire. There is pride in our community, with people willing it to succeed in the face of 14 years of managed decline under the previous Government.
It was in Northwich in 1933 that polythene was accidently discovered by ICI researchers, and, in Winsford today, we have companies dealing with that industrial legacy, eliminating single-use plastics and recycling them. Indeed, Winsford is home to more than 200 innovative companies, from creators of advanced tissue-healing technologies to developers of a sophisticated AI model to keep people safe from plant and equipment on construction projects all over the world. But the true lifeblood of Mid Cheshire lies in its people. They are compassionate, friendly, and proud of their heritage. They are people like Julie, Diane or Matthew, running charities to help people with Down’s syndrome, autism, and muscular dystrophy. They are people like John, Alan or Janet, volunteering hours of their time to keep the parks and the streets of Winsford Northwich and Middlewich looking their best. They are people like Catherine and Ant who have kept our community fed, and people like Gale and Jess who have helped more people in Winsford than I could begin to count. They and hundreds like them are at the heart of our community. They are the custodians of our history, and the architects of our future, and, despite the challenging times that we are facing, I am convinced that it is a future filled with promise and possibility.
I have long believed that the people of our three great Mid Cheshire salt towns, and, indeed, our country, want a Government who are on their side. They want politics and politicians to serve them, to end the chaos and dysfunction of Westminster and to rebuild our country. The key mission of this Labour Government is to restore trust in politics, to show that politics can be a force for good, and to demonstrate that politics and politicians can deliver for people and change lives for the better.
I promise always to do my best to serve and represent my constituents, to work tirelessly to deliver the change that people have voted for, and to repay the trust that the people of Mid Cheshire have placed in me.