Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting) Debate

Department: Department for Science, Innovation & Technology
We heard in oral evidence from Detective Chief Superintendent Andrew Gould that critical national infrastructure is less likely to be attacked by ransomware groups, but beyond those entities, ransomware is one of the principal security threats to businesses. For so many small and medium-sized enterprises and smaller organisations, those attacks have the potential to be fatal to business models.
Chris Vince (Harlow) (Lab/Co-op)

Will the shadow Minister give way?

Dr Spencer

I am more than happy to give way to the hon. Member for Harlow.

Chris Vince

I thank the shadow Minister for remembering my constituency—I have not mentioned Harlow. How is the new clause helpful, given the potential confusion it causes with listing a specific kind of incident as well as the generic one?

Dr Spencer

The Opposition are trying to make it clear that ransomware needs to be in the scope of the reporting. It is really for the Minister to answer if he thinks there are problems with the new clause, and if so, how the Government will go about taking that forward. The widespread and highly damaging nature of ransomware attacks—which are often perpetrated by criminal groups at scale and speed—means that regulators need to have a detailed oversight of this area to prevent those attacks from being deployed more widely. Therefore, the new clause is intended to ensure that all ransomware attacks on regulated entities are reported, regardless of severity or potential severity, so that the risks are picked up.

In tabling new clause 6, I am acutely aware of the existing reporting burden for regulated entities and regulators. Since tabling it, we have heard impactful evidence from Carla Baker from Palo Alto, who highlighted the number of cyber incidents and false positives that many companies encounter each day. As I said in response to an intervention, in the absence of measures brought forward by the Government to address the widespread and urgent risks presented by ransomware attacks—and as the Government themselves identify as part of the Home Office’s review—it would be proportionate to make specific reference to ransomware in the reporting requirements on regulated entities in the Bill.

New clause 7 reflects the concerns of regulated bodies and industry representatives who have set out many, many times—in oral evidence and beyond—the need to ensure that reporting obligations are clear and, as far as possible, simplified across the many different incident reporting regimes that exist for providers of digital services. The new clause would compel the Secretary of State to publish an assessment of the impact of the new reporting regime on regulated entities in the Bill within 12 months of Royal Assent. Importantly, in line with the clear requests articulated by many stakeholders who gave evidence last Tuesday, it requires the Government to publish proposals for the creation of a single cyber incident reporting channel for relevant bodies.