All 1 Debates between David Chadwick and Emily Darlington

Share Page

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

Debate between David Chadwick and Emily Darlington
Committee stage
Tuesday 3rd February 2026

(5 days, 19 hours ago)

Public Bill Committees
Share Debate
Read Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
David Chadwick Portrait David Chadwick
- Hansard -
-

Q Do you know how you would do that information sharing at the moment?

Ian Hulme: As we have already explained, the current regs do not allow us to share the information, which is a bit of a barrier for us. In the future, certainly, we will be working together to try to figure it out. I think that there is also a role for DSIT in that.

Natalie Black: First, we currently have a real problem in that information sharing is much harder than it should be. The Bill makes a big difference in addressing that point, not only among ourselves but with DSIT and NCSC. Secondly, we think that there is an opportunity to improve information reporting, particularly incident reporting, and we would welcome working with DSIT and others—I have mentioned the Digital Regulation Cooperation Forum—to help us find a way to make it easier for industry, because the pace at which we need to move means that we want to ensure that there is no unnecessary rub in the system.

Emily Darlington Portrait Emily Darlington (Milton Keynes Central) (Lab)
- Hansard -
- - Excerpts

Q I have a question for Ian Hulme. In your role at the ICO, you are clearly looking at data security. Data is obviously one of the main goals of cyber-attacks. Data issues cut across every sector, and you are looking at a really broad sector of data, from individual identifiers to names, addresses, bank accounts or whatever it might be. This could happen in any sector. How does the Bill give you additional powers to take action, particularly on those co-ordinated through AI or foreign actors, and do you think it is sufficient for what you feel we will be facing in the next five years?

Ian Hulme: We need to think about this as essentially two different regimes. The requirements under data protection legislation to report a data breach are well established, and we have teams, systems and processes that manage all that. There are some notable cases that have been in the public domain in recent months where we have levied fines against organisations for data breaches.

The first thing to realise is that we are still talking about only quite a small sub-sector—digital service providers, including cloud computing service providers, online marketplaces, search engines and, when they are eventually brought into scope, MSPs. A lot of MSPs will provide services for a lot of data controllers so, as I explained, if you have the resilience and security of information networks, that should help to make data more secure in the future.

--- Later in debate ---
Emily Darlington Portrait Emily Darlington
- Hansard -
- - Excerpts

Q I note your interest in how the Bill will affect smaller businesses. There is not much detail in the Bill, but how do you think the code of practice could create an environment that lifts everyone’s security up without prescribing too great a burden?

Richard Starnes: You just stepped on one of my soapbox issues. I would like to see the code of practice become part of the annual Companies House registrations for every registered company. To me, this is an attestation that, “We understand cyber-security, we’ve had it put in front of us, and we have to address it in some way.”

One of the biggest problems, which Andy talked about earlier, is that we have all these wonderful things that the Government are doing with regard to cyber-security, down to the micro-level companies, but there are 5.5 million companies in the United Kingdom that are not enterprise-level companies, and the vast majority of them have 25 employees or fewer. How do we get to these people and say, “This is important. You need to look at this”? This is a societal issue. The code of practice and having it registered through Companies House are the way to do that. We need to start small and move big. Only 3% of businesses are involved in Cyber Essentials, which is just that: the essentials. It is the baseline, so we need to start there.

David Chadwick Portrait David Chadwick
- Hansard -
-

Q We have heard concerns about definitions, particularly regarding incident reporting. What are your observations on the Bill as it stands, and those definitions?

Richard Starnes: Throughout my career, I have been involved in cyber incidents from just about day one. One of the biggest problems that you run into in the first 72 hours, for example, is actually determining whether you have been breached. Just because it looks bad does not mean it is bad. More times than not, you have had indicators of compromise, and you have gone through the entire chain, which has taken you a day, or maybe two or three days, of very diligent work with very clever people to determine that, no, you have not been breached; it was a false positive that was difficult to track down. Do you want to open the door to a regulator coming in and then finding out it is a false positive?

You are also going to have a very significant problem with the amount of alerts that you get with a 24-hour notification requirement, because there is going to be an air of caution, particularly with new legislation. Everybody and his brother is going to be saying, “We think we’ve got a problem.” Alternatively, if they do not, then you have a different issue.

Return to start of debate - Return to top of page