Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)
Debate between Dave Robertson and Ben SpencerThursday 5th February 2026
(1 day, 13 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Dr Spencer
The hon. Member for Lichfield may be aware that my background is in medicine; I used to be a doctor before I came to this place. One of the skills and challenges in medicine is that any medical intervention—apart from a small handful—always has a risk of harm or side effects to the patient. It is always a balancing act between the harm and the benefit. My bread and butter before I came to this place was balancing harms and risks in the best interests of the person in front of me.
Although I have never been a businessperson, and I have certainly never owned or run a data centre, my approach to business burdens is to see the extra things that the Government make businesses do—which are not necessarily what businesses would normally do or see as in their direct interests—as a prima facie harm. I will expand my words a bit if that helps in explaining the logic. The starting point is that it is an extra burden and a harm, but then benefits from other angles can outweigh that harm. It is getting businesses to do something more; if they were doing it anyway, we would not need regulations. It is an additional thing that business is being asked to do. It might be that we have decided that overall it is in the best interests of the sector. Individual businesses cannot regulate and change the sector themselves, so we have decided, “For the good of society, we think businesses should do this.”
I am always a little careful when we politicians say that we know what is better for business in terms of what they are doing. I take the point about how regulatory certainty can be helpful in itself. I also take the point about the overall benefit to society and the business network of having confidence that there are secure and working data centres and that the large load controllers—which we will talk about presently—have control. This Bill is a full-fat compendium of cross-regulations and links. I feel for any business looking through the later chapters and finding themselves subject to those requirements. We have to keep that in mind: all of us in this Committee want our businesses to succeed and do well, and we also want stable and flourishing infrastructure.
Going back to my medical roots, the starting point should be, “Primum non nocere”. That is often misinterpreted as, “First, do no harm”; actually, not doing harm is the main thing that we should do. As a legislator, you should have quite a high threshold before you start saying, “The solution is putting in another law. Let’s create another regulation,” or, “Let’s put another burden on business.”
One of the challenges I had when looking at the Bill when it was first published was understanding why we need it in the first place. What is its starting point? That is something that I have been exploring and thinking about as we have been preparing for this Committee stage. Why is our industry not doing it itself and sorting this out? Why is the Minister here today bringing forward these regulations on business and why is that necessary in the first place as opposed to business sorting it out?
I am sure that this is something that the Committee are going to come back to and explore in more detail when we discuss some of the more high-profile cyber-security impacts, particularly on Jaguar Land Rover and M&S. The hon. Member for Lichfield makes a very good point, and I do not think that this debate is settled in some ways—and I am sure we are going to come back to it quite a few times during the passing of this Bill.
Dr Spencer
I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.
Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.
The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and regulator data centres it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?
Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?
Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.
In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.
Dr Spencer
I thank my hon. Friend for his interesting proposal, which attempts to crack the nut of one of the problems subsumed in the Bill.
The Bill cherry-picks certain sectors that need to be regulated entities, and there is a whole host of definitions. Then the Secretary of State can allocate some of the bits that they want to tag on through secondary legislation or the designation of a critical supplier. Then we have the MSP component. But there is something the Bill does not deal with. If I were to ask to the man in the street to identify the biggest cyber-security attack they have heard of in the past year or so, their answer would probably depend on where they live. If they live in the west midlands, they would talk about JLR, which has had a catastrophic effect on the local economy. In other parts of the country, the focus might be on Marks & Spencer or the Co-op. The Bill does not fix that, so what needs to be done? Should there be a threshold based on turnover, so that the process is not so onerous on certain companies, or something to support the insurance industry?
The Bill is silent on this issue, and the Government need to come up with some answers. I totally understand what they are trying to do with the Bill and how it is taking us forward—of course the NIS regulations need updating—but it does not fix the big stuff that has had a huge impact on people’s lives and required a massive bail-out of several billions of pounds-worth of taxpayers’ money. How many more JLRs can the Government afford to bail out until they have to do something to resolve the issue? I suspect we will come back to that, but I am glad that my hon. Friend introduced his ten-minute rule Bill.
We need to have a solution, but at the same time, we should not put onerous burdens on companies that are already struggling because of the Government’s anti-growth agenda and the punitive taxes being imposed on them to pay for profligate spending. This goes back to the discussion about prima facie harms. Taxation is the best example of a prima facie harm.
Dave Robertson
I fear I am about to repeat what I said a moment ago. I am aware that nobody gets up in the morning and is excited to pay tax, but tax pays for our roads, for our infrastructure, for our hospitals, which keep our workforce in good health, for the education of the next round of employees, for our security services, and for the police, who help to prevent crime. It pays for a whole variety of things that are essential for business to succeed, so taking an evangelical view that tax is bad is just not—
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Debate between Dave Robertson and Ben SpencerTuesday 3rd February 2026
(3 days, 13 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Dr Spencer
Q
Chung Ching Kwong: There is not a lot of publicly available information on the sensitive cabling that is around the area, so I cannot confidently say what is really going to happen if they start to build the embassy and have such close contact with those cables. The limit of this Bill when it comes to the Chinese embassy is that it cannot mitigate the risks that are posed by this mega-embassy in the centre of London, because it regulates operators and not neighbours or any random building in the City. If the embassy uses passive interception technology to harvest data from local wi-fi or cellular networks, no UK water or energy company is breached. There is no breach if they are only pre-positioning there to collect information, instead of actually cutting off the cables, so when they do cut off the cables, it will be too late. There will be no report filed under the Bill, even if it is under the scope of the Bill when it comes to regulation. The threat in this case is environmental and really bypasses the Bill’s regulatory scope.
Dave Robertson (Lichfield) (Lab)
Q
Chung Ching Kwong: I think that to a certain extent they will. For hackers or malicious actors aiming for financial gain with more traditional hacking methods, it will definitely do a job in protecting our national security. But the Bill currently views resilience through an IT lens. It is viewing this kind of regulatory framework as a market regulatory tool, instead of something designed to address threats posed by state-sponsored actors. It works for cyber-criminals, but it does not work for state actors such as China, which possess structural leverage over our infrastructure.
As I said before, we have to understand that Chinese vendors are legally obliged to compromise once they are required to. The fine under the Bill is scary, but not as scary as having your existence threatened in China—whether you still have access to that market or you can still exist as a business there. It is not doing the job to address state-sponsored hackers, but it really does help when it comes to traditional hacking, such as phishing attempts, malware and those kinds of things.
Dave Robertson
Q
Professor John Child: Yes. As I understand it, it does. This is part of the reason, incidentally, why my organisation, which focuses very much on criminal law aspects, ended up doing some collaborative work with the CyberUp campaign. That is because, from the industry perspective, they can do that kind of business modelling in a way that we do not. Whereas we can make the case for sensible criminal law reform, they can talk about how that reform translates into both the security environment and the commercial environment. Their perspective on this is, first, that we can see that there is already outsourcing of these kinds of services, particularly to the US, Israel and other more permissive jurisdictions. That is simply because, if you are a cyber-security expert in one of those jurisdictions, you are freer to do the work companies would like you to do to make sure their systems are safe here.
There are also the sectoral surveys and so on, and the predictions about what it is likely to do to the profession if you allow it to do these kinds of services in this jurisdiction. That is about the security benefits, but they are also talking about something like a 10% increase in the likely projection of what cyber-security looks like in this jurisdiction—personnel, GDP and so on.
Dr Spencer
Q
Professor John Child: There are obviously a number. It is always more comfortable when you have a beginning point of criminalisation. The argument to decriminalise in an environment where you want to protect against threats is sometimes a slightly unintuitive sell. Is the criminalisation that we have doing the necessary work in terms of actually fighting the threats? To some extent, yes, but it is limited. Is it doing harms? There is an argument to say that it is doing harms.
This comes back to the point that was made earlier, which was perfectly sensible. When you speak to the CPS and others, their position as prosecutors is to say, “Very few people are being prosecuted, and we certainly don’t want to be prosecuting legitimate cyber-security experts, so there is no problem.” Admittedly, that means there is no problem in terms of actual criminalisation and prosecution, but that is the wrong problem. If you focus on the problem being the chilling effect of the existence of the criminalisation in the first place, you simply cannot solve that through prosecutorial discretion, and nor should you, when it comes to identifying what a wrong is that deserves to be criminalised. You certainly cannot resolve it through sentencing provisions.
The only way that you can sensibly resolve this is either by changing the offence—that is very difficult, not least because, from a position of criminalisation, it might be where other civil jurisdictions begin—or by way of defence, which realistically is the best solve from the point we are at now. If you have a defence that can be specifically tailored for cyber-security and legitimate actors, you can build in reverse burdens of proof. You can build in objective standards of what is required in terms of public interest.
The point here is that the worry is one of bad actors taking advantage. The reality is that that is very unlikely. The idea that the bad actors we identify within the system would be able to demonstrate how they are acting in the public best interest is almost ridiculous. Indeed, the prospect of better threat intelligence, better securities and so on provides more information and better information-sharing to the NCSC and others and actually leads to more potential for prosecution of nefarious actors rather than less.
It is a more complicated story than we might like in terms of a standard case for changing the criminal law, but it is nevertheless an important one.