Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Ben Spencer
Main Page: Ben Spencer (Conservative - Runnymede and Weybridge)Department Debates - View all Ben Spencer's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Ben Spencer ExcerptsTuesday 3rd February 2026
(1 day, 14 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
The Chair
We are now sitting in public again. We have heard declarations of interest. If there are any other others, please say. We will now hear oral evidence from Jen Ellis, associate fellow for cyber and tech at the Royal United Services Institute, who is joining us online, and David Cook, who is a partner at DLA Piper. Thank you for coming.
Before calling the first Member to ask a question, I remind Members that questions should be limited to matters within the scope of the Bill. We must stick to the timings in the programme order that the Committee has agreed to. For this session, we have until 10 am. I call the shadow Minister.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
Q
Jen Ellis: There is a thing that you always hear people say in the cyber-security industry which is, “There are no silver bullets”. There is no quick fix or one easy thing, and that definitely applies when looking at policy as well. I cannot give you a nice, easy, pat answer to how we solve the problem of attacks like the ones we saw last year. What I can say is that, looking at the Cyber Security and Resilience Bill specifically, I think it could include companies above a certain size or impact to the UK economy. The Bill currently goes sector by sector— which makes lots of sense, to focus on essential services—but I think we could say there is another bucket where organisations beyond a certain level of impact on the economy would also be covered. That could be something like the FTSE350. Including those might be one way to go about it, but it is worth noting that it would not simply solve the problem because the problem is complex and multi-faceted, and this is just one piece of legislation.
David Cook: With respect to NIS2, that is an example of a whole suite of laws that have come in across the European Union—the Digital Decade law; I think there is something like 10 or 15 of these new laws. They do all sorts of different things, and NIS2 sits within that. NIS2 is the reform of the NIS directive, which is the current state of play in UK law. NIS2 gives certainty and definition, by way of the legislation itself and then the implementing legislation, which means that organisations have had a run-up at the issue and a wholesale governance programme, which takes a number of years, but they know where they are headed, because it is a fixed point in the distance, on the horizon.
The Bill we are talking about today has the same framework as a base. The plan then is that secondary legislation can be used in a much more agile way to introduce changes quickly, in the light of the moving parts within the geopolitical ecosystem outside the walls. For global organisations with governance that spans jurisdictions, a lack of certainty is unhelpful. Understanding where they need to get to often requires a multi-year programme of reform. I can see the benefits of having an agile, flexible system, but organisations—especially global ones, which are the sort within the scope of this Bill—need time to prepare, recruit people, get the skillset in place, and understand where they need to get to. That fixed future point needs to be defined.
Chris Vince (Harlow) (Lab/Co-op)
Q
David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.
The Chair
Good morning, everyone, and welcome. We will now hear oral evidence from Jill Broom, head of cyber-resilience at techUK, from Stuart McKean, chairman of Nine23, and from Dr Sanjana Mehta, senior director for advocacy at ISC2. We must stick to the timings in the programme motion that the Committee has agreed for this session; we have until 10.40 am. Will the witnesses please briefly introduce themselves for the record?
Dr Sanjana Mehta: Good morning. My name is Sanjana; I work as senior director, advocacy, at ISC2.
Jill Broom: Good morning. My name is Jill Broom; I am head of cyber-resilience at techUK, the trade association for the technology industry in the UK.
Stuart McKean: Good morning. I am Stuart McKean; I am the founder and chairman of Nine23. We are a small MSP, based in the UK.
Dr Spencer
Q
My second question is a bit more technical. Do you consider that the definition in the Bill of a managed service provider is sufficiently clear and certain for businesses to understand whether they are in scope or out of scope of the Bill?
Dr Sanjana Mehta: I appear before the Committee today on behalf of ISC2, which is the world’s largest not-for-profit membership association for cyber-security professionals. We have 265,000 members around the world and 10,000-plus members in the UK.
On your question about sectoral scope, our central message is that we welcome the introduction of the Bill and we believe that it will go a long way towards improving the cyber-resilience of UK plc. Yes, there are certain sectors that are outside the scope of the Bill, and we believe that there are a number of non-legislative measures that could be used to enhance the cyber-security of other industries and parts of the sector. In particular, the forthcoming national cyber action plan should be used as a delivery vehicle for improving the resilience of UK plc as a whole.
On the previous panel, I think Jen mentioned that there are voluntary codes of practice. As an organisation, we have piloted the code of practice for cyber governance, and we have signed up to the ambassadors scheme for the code of practice for secure software development. We think that the upcoming national cyber action plan can further encourage the uptake of such schemes and frameworks. Most importantly, we call upon Government to focus on skills development as a non-legislative measure, because ultimately that will be the key enabler of success, whether it is for organisations that are within or outside the scope of the Bill.
The Chair
The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.
Stuart McKean: I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.
Jill Broom: Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.
We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.
Bradley Thomas
Q
Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.
Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.
Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.
Dr Spencer
Q
Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.
The Chair
Q
Dr Ian Levy: Good morning. I am Ian Levy, and I am a vice-president and distinguished engineer at Amazon. That job allows me to look across everything that Amazon does, including Amazon Web Services, the bookshop, our new satellite system and everything in between. Prior to that, I spent 23 years in GCHQ, and I was the founding technical director and designer of the National Cyber Security Centre.
Chris Anley: I am Chris Anley, chief scientist at NCC Group. We are a multinational cyber-security company, listed on the London Stock Exchange and headquartered in Manchester.
Matt Houlihan: Hi everyone. I am Matt Houlihan, and I am the vice-president for government affairs in Europe for Cisco, which is a technology company specialising in networking, security and collaboration technologies.
Ben Lyons: Good morning. I am Ben Lyons, and I am senior director for policy and public affairs at Darktrace. We are a company that uses AI for cyber-security, headquartered up in Cambridge.
Dr Spencer
Q
Starting with Ben from Darktrace, how are developing and emerging technologies such as AI and post-quantum crypto changing the nature of cyber-security threats? Do you think the Bill responds adequately to that changing threat landscape?
Moving on to Matt from Cisco, what further guidance and consultation from the Government and the Information Commissioner is needed for MSPs to comply effectively with their obligations under the Bill?
Chris from NCC Group, the National Audit Office report last year highlighted lots of serious deficiencies in Government cyber-resilience. Do you think the cyber action plan goes far enough? How can Government Departments be overseen and held to account in a way that will deliver meaningful improvements in cyber-resilience?
Finally, Ian from Amazon, a core feature of your business model is extensive exposure to supply chain partners. Do you think that the designation of critical suppliers by regulators under the Bill is the correct approach? What further consultation is needed to make sure that that is proportionate, prioritises the most critical suppliers and, crucially, gives a degree of certainty, whether legal or financial?
Ben Lyons: AI is significantly changing cyber-security. You can think about it at three levels: first, the way in which attackers are using AI to mount cyber-attacks; secondly, the need to secure AI systems and AI within companies and organisations; and thirdly, the question of how AI is changing cyber-security on the defensive side.
In brief, we see significant use of AI by attackers. Today, we are releasing the results of a survey in which 73% of surveyed security professionals say that AI-powered threats are having a significant impact on their organisation. These are things like phishing, reconnaissance, and lowering the barriers to being able to launch attacks and review more targets more effectively. Last month, the chief executive officer of Anthropic, which is one of the main frontier AI labs, warned that he sees AI-led cyber-attacks as potentially being the main way in which cyber-attacks are conducted in the future.
At the level of the enterprise, you have a challenge of how you secure the enterprise, in terms of not only developing and deploying AI, but visibility of AI used in an organisation. We are certainly seeing AI transform how cyber-security vendors and organisations manage the threat: they have greater visibility, can detect threats more quickly and the like. On how the Bill responds to that, one positive in its approach is that it is setting out an agile, outcomes-based approach that means that the regulatory regime can be capable of evolving as the threat evolves. It is sensible not to talk about AI in depth on the face of the Bill, but through mechanisms such as the code of practice, it will be possible for expectations to evolve over time as the threat and the technology mature.
The Chair
I should say to the witnesses: do not feel obliged to answer each question if you do not feel that you have anything material to add.
Matt Houlihan: It is very tempting to answer the question on AI, but thank you for the question on managed service providers. It is right that managed service providers are looked at in this Bill. An increasing amount of the work of managing IT services is clearly now outsourced to managed service providers. There needs to be some scrutiny and some baseline of cyber-security with those. I would say a couple of things on what guidance is needed. We broadly support the definition in the Bill. I appreciate the comments in the previous session that suggested that the definition was a little too broad and could be refined, which I think is fair, but when you compare the definition in the CSRB with the definition of managed service providers used in the NIS2 legislation, a couple of bits of clarity are provided in the CSRB. First, the managed service provider needs to provide an
“ongoing management of information technology systems”.
We feel that word “ongoing” is quite important. Secondly, it has to involve
“connecting to or…obtaining access to network and information systems relied on by the customer”.
We feel that
“connecting to or…obtaining access to”
the network is an important part of the definition that should be put forward. One area where more tightness can be provided is where, in the Bill, there is a non-exhaustive list of activities that an MSP could be involved in, such as
“support and maintenance, monitoring, active administration”.
The Bill then says, “or other activities”, which adds quite a bit of uncertainty on what is and is not an MSP.
The other area I would like to highlight and link to Ben’s answer on AI is that the “active administration” activity raises a question about the extent to which AI-enabled managed services would come under that definition. I am sure that lots of managed service providers will use AI more and more in the services that they provide to their end customers; to what extent does “active administration” involve an AI-related service?
To end on that specific question, the Information Commissioner’s Office will, I believe, issue guidance for managed service providers once the Bill is passed. That guidance will be the critical thing to get right, so there should be consultation on it, as my colleague from techUK suggested earlier. I would also suggest that that guidance cannot be a simple check-box list of things that have to be done. We should shift our thinking to have more of an ongoing appreciation of what cyber-security involves in practice for MSP or other regulated entities under the Bill. Making sure there is an ongoing process and that there is effective enforcement will be important.
Chris Anley: On the NAO report , the cyber action plan and public sector cyber-security, you are absolutely right to point out that the NAO report identifies serious issues. The Government recently acknowledged that they are likely to miss their 2030 cyber-resilience targets. It is also important to point out that the cyber action plan lays out an approach with many very positive elements such as an additional £210 million in central funding. There are many benefits to that, including a centralised provision of services at scale, a concentration of expertise and a reduction of costs.
Then there are other broader initiatives in the cyber action plan. The UK software security code of practice, which has been mentioned several times in these sessions, is a voluntary code that organisations can use as a tool to secure their supply chain. Cisco and NCC Group are ambassadors for that scheme and voluntarily comply with it, and it improves our own resilience.
Whether the cyber action plan goes far enough is a very difficult question. The NAO report also points out the extreme complexity of the situation. Within the budgetary constraints, I think it is fair to say that the steps in the plan seem reasonable, but there is a broader budgetary conversation to be had in this area. Two of the most significant issues identified in the report are the skills shortage, which has come up in these sessions—almost a third of cyber-security posts in Government are presently unfilled, which is dangerous—and the fact that Departments rely on vulnerable, outdated legacy IT systems, which may be the cause of an incident in their own right and would certainly make an incident much more severe were one to occur. The problem is that those are both largely budgetary issues. Successive Governments have obviously focused on delivering taxpayer value, as they should—we are all taxpayers—but over a period of a decade or more, that has led to a position where Departments find it difficult to replace legacy IT systems and fill these high-skill, high-cost cyber-security positions. There is very much a broader discussion to be had, as has been raised in these sessions, about where we should be in terms of the budget. You are absolutely right to raise the public sector issues. Although the Bill focuses on the private sector, the public sector obviously must lead by example.
Dr Ian Levy: We think the current definitions of critical suppliers are probably overly broad and risk bringing in SMEs, when you really do not want to do that. That said, we need to think about the transitive nature of supply chains. With previous regulations that talk about cyber-security, we have seen a flow-down of requirements through contracting chains. There is a question about how far it is reasonable to go down those contracting chains. In my experience, the value of the contract and the potential impact are not necessarily correlated. We certainly saw that when we were giving evidence for the Telecommunications (Security) Act 2021.
There is a real question about how you define what supply chain you mean. You mentioned that AWS has a complex supply chain. We certainly do—it is astoundingly complex—but the important thing is that we control the really important parts of that. For example, we build our own central processing units, graphics processing units, servers, data centres and so on. The question then becomes: how does that translate out to customers? If a customer is using a partner’s service running on AWS, where does the liability accrue? I do not think that is adequately covered in the Bill.
In terms of certainty and foreseeability, the Bill as it stands admits a single entity being regulated multiple times in multiple different ways. We are subject today to at least four different sets of regulations and regulators. Some of them conflict, and some of them are ambiguous. As this expands out, a single reporting regime—a lead regulator model—would take some of that ambiguity away so that you have more foreseeability and certainty about what you are trying to do.
There are things in the current drafting of the Bill that we think need some consultation. There are things in primary legislation, such as the Secretary of State’s powers, that seem to be unbounded—that is probably the best way to describe it—and that seems dangerous. We understand the necessity for powers around national security, but we think there need to be some sort of safeguards and consultation about how they are used in practice. For any multinational company, something that is effected in the UK is likely to affect all our customers, so some real constraint is needed around that.