Cyber Security and Resilience (Network and Information Systems) Bill
Debate between Ian Murray and David ReedTuesday 6th January 2026
(2 days, 14 hours ago)
Commons ChamberRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts
Ian Murray
There are some key dates to monitor progress in the action plan itself. I wrote to my hon. Friend, the Chair of the Science, Innovation and Technology Committee, this morning on the publication of the action plan to lay out some of those issues; the letter will be landing soon. I would be happy to discuss that in front of the Committee in more detail. I hope that the Committee, and indeed the Opposition and our own Labour Members, hold us to account for delivering on this, because it is fundamentally important to Government, whether it be digitisation, modernising Government or winning the case with the public about why digitisation is so important and why Government should be as secure as possible and lead the charge on that across the whole economy. I hope that we and the Committee can take that forward in the weeks and months ahead.
As I said, the Government cyber action plan launched this morning is backed by over £210 million of investment and Government Departments will be held to standards equivalent to those set out in the Bill. I hope that that partially answers the question from my hon. Friend the Chair of the Science, Innovation and Technology Committee. Although the focus of the Bill is on essential services, it will also indirectly help businesses, including those damaged by the recent attacks, and Government. Almost all organisations today rely on data centres, outsourced IT or some kind of external supplier. By extending the Bill’s oversight, we are preventing attacks that could, in theory, reach thousands of organisations.
The Bill also gives new powers to regulators responsible for enforcing the NIS framework. Effective compliance is crucial to the success of any regime. These reforms could be world-leading on paper, but without proper enforcement they are meaningless.
David Reed (Exmouth and Exeter East) (Con)
We have talked about the regulators having new powers to designate critical national infrastructure in regard to cyber-security threats, but who actually has accountability? The Bill refers to
“regulations made by the Secretary of State.”
Which Secretary of State is that, given that this is a cross-departmental and cross-Government approach?
Ian Murray
Cyber-security is the responsibility of the Department for Science, Innovation and Technology, but the Cabinet Office has a clear resilience issue as well, as we heard from the right hon. Member for Hertsmere (Sir Oliver Dowden), who was in the Cabinet Office previously. The DSIT Secretary of State will make those regulations, but a plethora of regulators are involved in this process—energy, water and data centres all have different regulators. The regulators that regulate those sectors are being empowered through the expanded number of sectors being brought into the legislation to take the responsibility.