Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Debate between Lincoln Jopp and Alison GriffithsThursday 5th February 2026
(3 days, 21 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Alison Griffiths
The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.
Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.
The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.
As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.
There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.
UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.
My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small— I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.
Lincoln Jopp
To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.
To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:
“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;
so we cannot tell how many there are. The same page also states:
“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”
We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Debate between Lincoln Jopp and Alison GriffithsTuesday 3rd February 2026
(5 days, 21 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Alison Griffiths
I am so sorry. Could you possibly speak into the microphone? I cannot hear you.
Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.
Lincoln Jopp
Q
Stuart McKean: It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber-attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.