Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Freddie van Mierlo
Main Page: Freddie van Mierlo (Liberal Democrat - Henley and Thame)Department Debates - View all Freddie van Mierlo's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Freddie van Mierlo ExcerptsTuesday 3rd February 2026
(1 month ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Emily Darlington (Milton Keynes Central) (Lab)
Q
David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.
The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.
Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.
I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.
Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.
David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.
NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.
Freddie van Mierlo (Henley and Thame) (LD)
Q
Jen Ellis: You have covered a lot of territory there; I will try to break it down. If you look at the attacks last year, all the companies you mentioned were investing in cyber-security. There is a difficulty here, because there is no such thing as being bullet-proof or secure. You are always trying to raise the barriers as high as you can and make it harder for attackers to be successful. The three attacks you mentioned were highly targeted attacks. The example of Volt Typhoon in the US was also highly targeted. These are attackers who are highly motivated to go after specific entities and who will keep going until they get somewhere. It is really hard to defend against stuff like that. What you are trying to do is remove the chances of all the opportunistic stuff happening.
So, first, we are not going to become secure as such, but we are trying to minimise the risk as much as possible. Secondly, it is really complex to do it; we saw last year the examples of companies that, even though they had invested, still missed some things. Even in the discussions that they had had around cyber-insurance, they had massively underestimated the cost of the level of disruption that they experienced. Part of it is that we are still trying to figure out how things will happen, what the impacts will be and what that will look like in the long term.
There is also a long tail of companies that are not investing, or not investing enough. Hopefully, this legislation will help with that, but more importantly, you want to see regulators engaging on the issue, talking to the entities they cover and going on a journey with them to understand what the risks are and where they need to get to. If you are talking about critical providers and essential services, it is really hard for an organisation—in its own mind or in being answerable to its board or investors—to justify spend on cyber-security. If you are a hospital saying that you are putting money towards security programmes rather than beds or diagnostics, that is an incredibly difficult conversation to have. One of the good things about CSRB, hopefully, is that it will legitimise choices and conversations in which people say, “Investing time and resources into cyber-security is investing time and resources into providing a critical, essential service, and it is okay to make those pay-off choices—they have to be made.”
Part of it is that when you are running an organisation, it is so hard to think about all the different elements. The problem with cyber-security—we need to be clear about this—is that with a lot of things that we ask organisations to do, you say, “You have to make this investment to get to this point,” and then you move on. So they might take a loan, the Government might help them in some way, or they might deprioritise other spending for a set period so that they can go and invest in something, get up to date on something or build out something; then they are done, and they can move back to a normal operating state.
Security is not that. It is expensive, complex and multifaceted. We are asking organisations of all sizes in the UK, many of which are not large, to invest in perpetuity. We are asking them to increase investment over time and build maturity. That is not a small ask, so we need to understand that there are very reasonable dynamics at play here that mean that we are not where we need to be. At the same time, we need a lot more urgency and focus. It is really important to get the regulators engaged; get them to prioritise this; have them work with their sectors, bring their sectors along and build that maturity; and legitimise the investment of time and resources for critical infrastructure.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Q
David Cook: The legislation talks about secondary legislation, so it allows for an agile, flexible programme whereby organisations can be brought within scope very quickly if concerns make that necessary. What that leaves us with, though, is that although legislation can be changed quickly, organisations often cannot. Where there is a definition, as we see with NIS2, as to which entities are in scope, organisations can embark on a multi-year programme to get into a compliant position. They can throw money at it, effectively.
What this legislation talks about, through the secondary legislation, is bringing organisations into scope and mandating specific security controls or specific requirements on those organisations in terms of security, but while the law might come in over a weekend, organisational change will not necessarily follow. There is a potential issue there. I can see the benefit and attractiveness of secondary legislation being used to achieve that aim, but having a clearer baseline as to what that sort of scope might look like—it could be ramped up or down, and the volume could be turned up or down, depending on need—would be more helpful. Reducing scope while diverging from NIS2 might be a benefit in terms of the commercial reality, but it might be a misstep in terms of security and the long tail that it takes to get more secure.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Freddie van Mierlo
Q
Dr Ian Levy: In October 2025, we had an incident that had quite a widespread impact. We have engaged with regulators around the world, including multiple regulators in the UK, to explain what happened. We published, quite transparently, what had happened during the incident and afterwards. Explaining how the part of the organisation that had built that particular system works is very time-consuming. It is also almost certainly out of date by the time we have finished. In that particular case, it was something called a “race condition”, which is a well understood computer-science hard problem. No amount of regulation or legislation would have made a difference, because it was a race condition, and they are incredibly hard to find in software.
I think that regulating outcomes is the right answer, and making sure that we are doing due diligence, and that our view of appropriate risk management is broadly the same as yours, without making us a national security entity. That is the challenge. How we run our business is not really relevant; it is the outcomes that matter.
Matt Houlihan: It is increasingly important that businesses, parliamentarians and Government officials work together on these issues. As we said earlier, the pace of change in terms of the technology, and indeed the business environment—at both the UK and global levels—is moving very quickly. Having that exchange of information will be important.
It is important—from an international business point of view—that regulation is as aligned as is practicable with the other jurisdictions that a lot of the companies here will be working in. That will not only benefit companies that are headquartered elsewhere and operate in the UK; it will benefit UK-headquartered companies that are looking to expand abroad. It must also be proportionate and targeted. I think that at the nub of your question, there is clearly a need, going forward, for strong co-operation and the sharing of expertise and experiences.
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Freddie van Mierlo
Main Page: Freddie van Mierlo (Liberal Democrat - Henley and Thame)Department Debates - View all Freddie van Mierlo's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Freddie van Mierlo ExcerptsTuesday 3rd February 2026
(1 month ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Freddie van Mierlo (Henley and Thame) (LD)
Q
Ian Hulme: Certainly from an ICO perspective, many IDSPs that we currently regulate are operating across boundaries. From our perspective, the focus is on the outcome. If they have operations in other jurisdictions that are providing services into the UK, our focus is on the outcome and getting to understand the UK side of things more than anything else.
Natalie Black: This is a challenge for us every day. Many of the companies that we regulate have a footprint in the UK or multiple footprints around the world. The issue is in making sure that the UK requirements are as clear as possible to give them no excuse to argue exceptionalism. That is why we really welcome the opportunity to get into the detail through secondary legislation, which will be very important in holding all the companies to account that we think need to be held to account.
The Chair
That brings us the end of the allotted time for the Committee to ask questions. On behalf of the Committee, I thank our witnesses for their evidence.
Examination of Witness
Chung Ching Kwong gave evidence.
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Freddie van Mierlo
Main Page: Freddie van Mierlo (Liberal Democrat - Henley and Thame)Department Debates - View all Freddie van Mierlo's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)
Freddie van Mierlo ExcerptsTuesday 24th February 2026
(1 week, 3 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 24 February 2026 - (24 Feb 2026)
Freddie van Mierlo (Henley and Thame) (LD)
I rise to speak to new clauses 13 and 15, standing in my name.
New clause 13 would require the Secretary of State to publish, within 12 months, a comprehensive statement on how the Government intend to manage the risks of foreign interference in our critical systems. It calls for steps to be taken to assess the need for a digital sovereignty strategy. We need to know not just how we will fight cyber-threats but whose technology we will rely on to do it. The new clause would force the Government to set out a plan to explicitly assess risks in hardware, software and supply chains.
We should ask what is being done to support UK tech and home-grown cyber-security. We cannot claim to be serious about national resilience if the very infrastructure protecting our critical systems is outsourced abroad to vendors we cannot fully trust. New clause 13 would require the Government to explain how they intend to mitigate the risks associated with reliance on foreign technologies. It would also require the Government to assess the need to encourage and support the use of domestic technologies. That would turn cyber-security into an engine for growth. By identifying high-risk foreign vendors, and pivoting to trusted, home-grown alternatives, we could improve our security and create high-skilled jobs here in the UK. For those reasons, I will press new clause 13 to a vote.
I now turn to new clause 15. How can we be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad? New clause 15 would ensure transparency and force the Government to look at the threat of foreign ownership. The threat to British democracy from foreign interference is clear and present. From Russian money flooding into politics, and Chinese surveillance and intimidation, to foreign oligarchs buying influence, our democratic institutions are under sustained attack. The previous Conservative Government failed the UK. They failed to take the threat posed by Russia seriously, they weakened the Electoral Commission and they allowed foreign money to distort our politics. They withdrew from international commitments at precisely the wrong moment.
This Government have made some welcome moves, but they do not go far enough. Over the last few years, we have seen a rise in cyber-attacks on critical infrastructure. Across the country, schools have closed, airports have been shut, local councils have been hacked and retail stores have been crippled. New clause 15 would require the Government to review the security risks posed by critical suppliers and essential service providers, and to flag which of those are linked to foreign states. It would also push the Government to evaluate whether current powers are sufficient to address these threats. I intend to push new clause 15 to a vote.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.
We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.
The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.
In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.
Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.
Freddie van Mierlo
I beg to move, That the clause be read a Second time.
The new clause would place a statutory duty on the Secretary of State to establish a support service dedicated to improving the resilience of small and medium-sized enterprises and, crucially, to provide them with assistance when the worst happens. SMEs are the backbone of our economy. Their growth and continue operation are essential to a strong economy. We heard evidence that even large corporations find it hard to justify the investment in cyber-security and resilience when faced with competing priorities and investment needs. It forms the rationale of the Bill putting this need on a statutory footing, but small and medium-sized businesses undoubtedly find it even harder to make the investments required in cyber-security.
I know from having worked in SMEs at the start of my career that companies experience growing pains and need support in navigating complex statutory requirements. It is not just support for SMEs before an attack takes place that the clause would provide for, but also after. For SMEs, a cyber-attack is not just a disruption; it can be an existential threat to their existence. The clause would ensure that when an SME is hit, they have access to the support they need.
Bradley Thomas
Given that the threshold for a significant impact event will likely be much lower for an SME than for a larger corporation, and while acknowledging and agreeing that SMEs are the backbone of the economy and make up the vast majority of companies that employ people in this country, how does the hon. Gentleman propose to strike the relevant balance between ensuring that SMEs are supported, and at the same time that they are not inundated and overwhelmed as a result of that significant impact threshold likely being much lower for SMEs?
Freddie van Mierlo
The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.
Dr Spencer
New clause 14, tabled by the hon. Member for Henley and Thame, addresses concerns regarding the capacity of SMEs to comply with their regulatory obligations, should they be brought within the scope of the Bill. That matter has been discussed on several occasions by the Committee. That is only right given that, according to figures provided by NCC Group, SMEs make up over 99% of businesses in the UK but too often lack the skills and budgets to implement proportionate cyber-protections, leaving them particularly exposed.
SME cyber assistance schemes akin to the one proposed by the new clause have been rolled out in Scotland on a limited basis and in Australia, where the Government are investing 8 million Australian dollars over three years to provide free person-to-person support for small businesses during and after a cyber-attack. Those schemes have enjoyed some success in hardening cyber-resilience among SMEs that have been able to access them. That can only be welcomed.
There is a case for looking more closely at whether regulation is the appropriate first step to address the cyber-resilience of the smallest organisations that might be brought within the scope of regulation, as legal compliance efforts could detract from already pressured operational defence budgets. In giving evidence to the Committee, Jill Broom of techUK called for strategies
“such as financial incentives, or…tax credits”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 18, Q20.]
to help SMEs improve their cyber-resilience, and techUK has suggested that funding or relief could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first. In the light of those considerations, what analysis has the Minister’s Department conducted of the likely return on investment, in terms of sustainability and growth among smaller companies, of a cyber support service for UK SMEs?
The Chair
With this it will be convenient to discuss new clause 19—Vulnerability research: review of the merits of a statutory defence—
“(1) The Secretary of State must, within twelve months of the passing of this Act, review the extent to which an amendment to section 1 of the Computer Misuse Act, with the effect of introducing a statutory defence available to individuals undertaking ethical vulnerability research, would improve the security of the network and information systems of relevant bodies.
(2) A review under this section must consider whether a statutory defence would enable relevant bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.
(3) For the purposes of this section—
(a) ‘ethical vulnerability research’ means access, whether authorised or otherwise, to computer material with the intention of identifying vulnerabilities to cyber attacks, where—
(i) the research is aimed at enhancing the resilience of the network and information system of a relevant body or relevant bodies, and
(ii) the findings of the research are kept securely, shared only with those responsible for the security or resilience of the network and information system concerned, and shared solely for the purpose of enhancing the security or resilience of the network and information system concerned;
(b) ‘relevant bodies’ means operators of essential services, critical suppliers, digital service providers or managed service providers, as defined by the NIS Regulations.”
This new clause would require the Government to review whether the resilience of relevant organisations could be enhanced by introducing a statutory defence to s1 of the Computer Misuse Act, so that a person could be deemed not guilty if they engage in vulnerability research in the public interest.
Freddie van Mierlo
New clause 18 would place a duty on the Government to review within 12 months whether our over-30-year-old Computer Misuse Act is holding back the very cyber-resilience that the Bill seeks to build. The Government’s own impact assessment for the Bill identifies a key market failure: imperfect information. It states that businesses lack awareness of their own cyber-risks, leading to under-investment in security. We must ask why that information is imperfect. We believe that it is partly because the Computer Misuse Act 1990 prevents cyber-security professionals from undertaking legitimate public interest activity to identify those risks, so ethical hackers cannot provide the necessary information.
New clause 18 ties the review specifically to the security and resilience of network and information systems regulated by the Bill. It asks a simple question: does the Computer Misuse Act 1990 help or hinder the resilience of our critical infrastructure? For that reason, I wish to seek a vote on new clause 18.
Kanishka Narayan
My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.
Freddie van Mierlo
I am grateful to the Minister for his reassurances on the ongoing review of the Computer Misuse Act. On that basis, I would like to say that I will withdraw the new clause.
Kanishka Narayan
I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.
In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.
Freddie van Mierlo
I beg to ask leave to withdraw the clause.
Clause, by leave, withdrawn.
Bill, as amended, to be reported.