The Minister for Digital Government and Data (Ian Murray)

- View Speech - Hansard -

Copy Link

- - Excerpts

I beg to move, That the Bill be now read a Second time.

A happy new year to you, Mr Speaker, and to all the House staff. This is the first opportunity I have had to say that to you.

On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware—malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.

This was not an isolated case. In the year leading up to September 2025, the National Cyber Security Centre dealt with 204 “nationally significant” incidents, meaning that they seriously disrupted central Government or our critical public services. That is more than double the 89 incidents in 2024. No one disputes that we must do everything we can to protect the UK from these attacks. The UK is the most targeted country by cyber-attacks in Europe, and it was the fifth most targeted nation in 2024 by nation state-affiliated threat actors. In 2024, it is estimated that UK businesses experienced over 8.5 million cyber-crimes in the 12 months preceding the survey, and that in that year more than four in 10, or 43%, of UK businesses were subject to a cyber-attack, affecting more than 600,000 businesses in total.

Significantly, cyber-attacks are estimated to cost UK businesses almost £15 billion each year, equivalent to 0.5% of the UK’s annual GDP, notwithstanding the wider economic effects of intellectual property theft or the experience of patients, as in the first example. The average cost of a significant cyber-attack for an individual business in the United Kingdom is estimated to be just over £190,000. There has been a 200% increase in global cyber-attacks on rail systems in the past five years, increasing the likelihood of severe disruption to the economy and to people’s daily lives.

Ian Murray

- Hansard -

Copy Link

- - Excerpts

I could not agree more. I gave the example of the Synnovis incident that brought blood transfusions in London to a halt, affecting thousands of patients. Our everyday lives are affected by this. As we modernise and digitise our economy and our Government, we have to ensure that our systems are as secure as possible, and cyber-security is right at the heart of that. This is not just a defensive issue; it is very much an economic growth issue as well, as we can see from the impact it has on our economy, our public services and the day-to-day lives of people, as in the example of our train systems that I just mentioned.

Ian Murray

- Hansard -

Copy Link

- - Excerpts

This is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution. It is about reporting things more quickly to ensure that the attacks can be seen and action can be taken more quickly. It is also about reporting to the regulators to give the regulators confidence and powers across a wider scope of sectors in the economy, and to give businesses the confidence that those sectors have to report to the regulators when things are going wrong so that swifter action can be taken. We can see from the host of recent high-profile issues, including at Hackney council, that it is important to ensure that this legislation goes through quickly and does the job that it is intended to do.

Ian Murray

- Hansard -

Copy Link

- - Excerpts

While physical security and national security are issues for all of us, so is cyber-security. The Bill builds on the 2018 regulations to widen the scope into other areas of the economy where such issues have become much more prevalent—for example, data centres. I hope that doing so will give industries and sectors, including their employees, the confidence to report things to the regulators. Giving powers to the regulators will give businesses the confidence that they can report stuff; it is not a regulatory heavy hand dampening businesses. I hope that I can assure my hon. Friend and the rest of the House on that.

Before that significant number of interventions, I was talking about why this issue matters and gave statistics for recent cyber-security activity in the United Kingdom. As a result of all that, one of the very first things we did as a new Government after the election was announce this new cyber-security Bill, just 10 working days in. Since then, the Department has been talking to cyber experts, businesses and regulators to turn these proposals into the comprehensive, serious and proportionate piece of legislation that we present for Second Reading today—one that protects the public and strengthens national security without placing undue burdens on businesses. I appreciate that that is a fine balance, but I think that this Bill finds that balance, so I am confident that the whole House will support it.

Julia Lopez (Hornchurch and Upminster) (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

Happy new year, Mr Speaker, and thank you for putting the heating on. I am grateful to the Minister for setting out the Government’s rationale for this legislation in the Secretary of State’s stead. I do not know why the Minister was demoted either, but I want him to know that we appreciate him.

The official Opposition recognise the scale of the cyber-security challenge that the country faces. If the pandemic accelerated the adoption of digital technology at a pace we had never before seen, then the advent of artificial intelligence will embed that technology into our economy in wholly new ways that bring not only opportunity but unprecedented risk. AI and automation will not only transform productivity but equip hostile states, criminal gangs and opportunists alike with tools capable of eroding our national defences at speed and at scale. It is right that Parliament legislates to raise the collective security bar. We on the Conservative Benches support that principle. However, legislation of this kind does not come around often. Cyber law takes time to develop, and once the Bill passes, it is unlikely that Parliament will return to this territory for some years. That means that we must ask two simple but very serious questions today: will this law work and is it enough?

Before we answer those questions, it is worth reminding ourselves of the real-world consequences of failure. Cyber risk is neither abstract nor theoretical. Last year, the UK experienced what is widely regarded as our most economically damaging cyber-incident to date when Jaguar Land Rover suffered a major attack. That was not a sophisticated act of cyber-warfare against the state—although such acts are happening with increasing regularity—but was carried out by a band of hackers. The consequences were enormous, however. For five weeks, Jaguar Land Rover was unable to operate its automated manufacturing lines, cyber-related costs mounted to nearly £200 million, and national economic output was visibly affected in that month alone. The real damage did not stop at the factory gates: hundreds of small and medium-sized enterprises in the supply chain—many of them operating on thin margins—were pushed to the brink, workers faced uncertainty and contractors had their work paused.

Ultimately, the Government had to step in with a £1.5 billion loan guarantee to prevent wider economic fallout. When we consider the Bill, we must ask whether it would do anything to strengthen our collective resilience. That is one of the tests that this legislation ought to meet, and it is not yet clear that it does. Indeed, the attack on JLR would not have been stopped, as the Minister himself has made clear, because it would not have been in scope.

The cyber-threat landscape is evolving at an extraordinary pace. New research shows that cyber-attacks now cost our economy nearly £15 billion every year. High-profile breaches of businesses such as Marks and Spencer and the Co-op have demonstrated how quickly consumer confidence, jobs and supply chains can be put at risk. Last year alone, insurers paid out £197 million to help businesses recover from cyber-incidents. In fact, the collective cyber insurance bill of the FTSE 100 is now larger than the defence research and development budget. The Bill seeks to respond to one aspect of that reality by expanding the scope of regulation. Data centres, managed service providers, load controllers and designated critical suppliers will now fall within its ambit. That is a welcome acknowledgment that digitisation has introduced systemic risks that the original NIS regulations of 2018 did not adequately cover.

The Bill also strengthens the powers of regulators, introduces cost recovery mechanisms and tightens incident reporting requirements. Those measures are intended to modernise our cyber framework and address clear shortcomings identified in reviews of the NIS regime in 2020 and 2022. On paper, that all sounds sensible, but intent alone is not enough, which brings me back to our central concern: whether this law will work in practice in raising the standard of our collective resilience. The uncomfortable truth is that, in some of the most high-profile cases of cyber-attack, the penetration of systems was carried out by attackers using valid credentials. That means systems behaved normally. The breaches looked like legitimate access until it was too late. Human frailties were exploited: help desks were persuaded to reset passwords, and staff and contractors were impersonated. This Bill would help mainly after an attack—not before—by mandating reporting, improving intelligence sharing and increasing accountability.

Julia Lopez

- Hansard -

Copy Link

- - Excerpts

Absolutely. The hon. Gentleman is correct: this is fundamentally about culture—that is the point that I am making. We can pass as many regulations as we like, but a lot of the holes in our cyber-security systems come down to human frailties. That means this challenge is not just about new laws but about changing a number of things to make us more resilient.

It is right not to dictate technical standards in primary law that will soon be outdated in the fast-moving world of technology, so the question is whether this law has the right mix of carrot and stick to make affected firms act in a way that raises the security bar—there are several areas where we fear it may not.

First, there is potentially an enforcement paradox. The Bill expands regulatory powers and increases the scale of potential fines, but the evidence from the existing regime does not suggest definitively that fines and new regulations deliver us greater cyber-resilience. Under the current NIS regulations, enforcement has been slow, inconsistent and often toothless. Very few significant penalties have been issued. Where they have been issued, the delay between incident and sanction has sometimes stretched beyond two years. That delay matters, because it actively undermines deterrence and disconnects accountability from operational reality. Simply widening the scope of regulation without ensuring that regulators are properly resourced, empowered and required to act quickly risks creating obligations that exist on paper but lack any real-world bite.

We also have concerns about the Bill’s cost recovery model. Funding regulators through levies on the organisations that they oversee risks unintended consequences in terms of improving our resilience. For large firms, the cost burden may be manageable, but for smaller enterprises it amounts to an additional operational tax that could divert scarce capital away from cyber-defence, staff training and innovation.

There is also a structural risk here. Regulators that are reliant on fee income might face incentives to expand scope and complexity unnecessarily, creating bureaucratic drag that crowds out voluntary, market-led initiatives, which often raise standards more effectively than prescriptive regulation.

More generally, I worry that this Bill will play into tech monopolies. The companies that thrive in this kind of environment are those with big compliance and legal departments. That concentrates risk and makes our tech economy less diverse, with serious implications that I shall come on to.

There may be reporting challenges too. A two-stage reporting process within 24 and 72 hours may be achievable for large, well-resourced organisations with in-house cyber teams, but for smaller operators it risks creating a compliance culture focused on speed, not substance.

There is also the danger of duplication. Many organisations already face overlapping reporting obligations under UK GDPR, sectoral rules and existing legislation. Without simplification and proportionality, the administrative load could be significant, once again diverting attention and resource from the very cyber-threat management that the Bill seeks to improve. We need to avoid this legislation becoming a “something must be done” Bill that totally misses the mark.

The Bill also fails to grapple properly with the human factor in cyber-security, which has already been talked about by the hon. Member for Harlow (Chris Vince). Technology alone does not keep organisations safe; governance matters. Yet board-level ownership of cyber-risk is moving in the wrong direction. Only 27% of businesses now have a board member explicitly responsible for cyber-security, down from 38% just three years ago. Without mechanisms to ensure senior accountability, fines risk becoming little more than a cost of doing business. Directors remain insulated while operational teams are left to carry the can. National cyber-resilience depends not just on systems and software, but on leadership, culture and accountability at the very top.

For those reasons, ahead of Committee consideration, we on the Opposition Benches are examining how the legislation can be strengthened, while continuing to support its core objectives. In the meantime, regulators must be properly equipped with the right powers, resources and clarity from Parliament on the intent of the law. Sanctions must be applied swiftly and consistently, and guidance must be clear, so that enforcement is credible and deterrence is real.

The Government should also look at how reporting obligations are calibrated. A one-size-fits-all approach might place disproportionate burdens on smaller firms, and it might be better to ensure that reporting thresholds reflect the size, complexity and risk profile of an organisation.

Equally, the funding of regulators must be transparent and predictable. There have to be safeguards against regulatory expansion for its own sake and firm assurances that funds raised are reinvested directly into improving national cyber-resilience, not absorbed by administrative overheads. While the Bill rightly prioritises critical national infrastructure, it cannot afford to ignore high-risk sectors that sit beyond its immediate scope.

There is also a major role for market-based solutions. Cyber insurance, sector-wide intelligence sharing and collaborative resilience initiatives can all complement regulation. These tools can reduce risk and improve preparedness without adding unnecessary legislative complexity.

The review cycle set out in the Bill may be too slow for the threat landscape we face and the pace of technological change. Annual or biannual reviews might allow Parliament to scrutinise effectiveness, respond to emerging threats and ensure that the legislation remains fit for purpose.

Let me make some more general points about the Government’s approach to cyber-security and resilience, and issues about the risk of dependence and threat from adversaries. I see no evidence from this Government that they are thinking with any clarity about the risks of long-term technological dependency and lock-in—quite the opposite, in fact. Large parts of our economy now depend on secure, high-quality digital infrastructure, and that reliance will only increase as AI advances. Whoever provides that infrastructure will wield huge future leverage. It was that reality that ultimately drove the change of heart over Chinese tech sitting at the core of our 5G telecom networks a few years ago.

However, the Government are seemingly betting every chip on US hyper-scalers. They provide our data centres, supply the platforms on which Government Departments are run and, more often than not, are the ones winning all the Government contracts. These investments will provide our companies with things that they need, from compute power to increasingly sophisticated AI platforms, but the UK is doing little simultaneously to mitigate our increased technological dependency. When I say “technological”, we need to understand that technology is what we now run our defence systems, factories, energy networks and communications on. Technology is the plumbing of our nation.

During September’s much crowed-about state visit by President Trump, this Government were visibly begging for good economic headlines after the humiliating resignations of the Deputy Prime Minister and the ambassador to the US, not to mention the uncontainable mess of the Chancellor’s first Budget and the threat of her second Budget. The US-UK tech partnership was the result, with a huge amount of smoke and mirrors deployed over what it actually contained. Whatever substance lay within it, we heard just before Christmas that it had been paused, used as leverage by the US while other trade negotiations were under way.

I am not criticising the US Administration for skilfully playing their hand in their national interest; I am asking this Government rapidly to wake up to the reality of a new world in which the post-war settlement is coming to an end—one that has been giving clues to its existence for many years, since long before President Trump came into office. The United States remains a vital ally, but in this new era Britain must be very clear-eyed about risk, the reality of hard power and the need to protect our sovereign interests.

Cyber-risk requires as much thought about the fundamentals of plumbing as it does about the laws that try to manage how humans use or exploit technology. The UK Government have a vast procurement budget for which our own firms ought to be able to make a successful bid, but UK tech tells me consistently that, for all the talk in the Government’s AI strategy of sovereign tech capability, it has not got a look-in since Labour has been in power. I am concerned that this Bill should not introduce new, burdensome regulation for UK firms in a way that benefits non-UK incumbents with giant compliance teams and legal resources in a way that would exacerbate the risk of vendor lock-in.

Let us turn to another risk. The private sector will have noticed that the new obligations in this Bill broadly do not touch the public sector, where cyber-risk remains red-light-flashingly large, notwithstanding the public cyber strategy that was thrown out today in implicit acknowledgment of that gaping hole. Knowing that the public sector holds such enormous cyber-risk, this Labour Government choose not to minimise it, but to create a brand-new one—a hulking great identity system mandated for anyone who wants a job and, we now hear, possibly for new-born babies. It is mandatory identity by stealth, not consent, and with no honesty about it.

It is not to be against the ability of people to verify themselves digitally for banking, to access certain online services or to stop fraud to think that Labour’s mandated digital identity plan is a complete rotter. The Association of Digital Verification Professionals called what Labour inherited on digital identity a

“world-leading model for data sovereignty that digitised liberty rather than diluted it”.

The citizen, not Government, would be in control. This naive Government are crowding out private sector expertise and making everyone have one of these identities by stealth. They have no idea what this system will cost, and they will not be honest about what it will be used for.

What of the cyber-security of this system? The system on which this digital identity will be run was breached during red team testing last year. When I asked the Secretary of State if that system has now met the National Cyber Security Centre’s cyber-security standard, no answers came. Whistleblowers have continued to speak out about the vulnerabilities of the system, and there is no sense whatsoever from Government that the dodgy digital identity plan will be paused until such a point when they are confident about cyber-security.