Cyber Security and Resilience (Network and Information Systems) Bill 2026-01-06
06 January 2026
Lead MP
The Minister for Digital Government and Data
Debate Type
Ministerial Statement
Tags
NHS, Economy, Employment, Northern Ireland
Other Contributors: 49
At a Glance
The Minister for Digital Government and Data raised concerns about the Cyber Security and Resilience (Network and Information Systems) Bill in the House of Commons on 6 January 2026. A government minister responded. Other MPs also contributed.
How the Debate Unfolded
MPs spoke in turn to share their views and ask questions. Here's what each person said:
Government Statement
A happy new year to you, Mr Speaker, and to all the House staff. This is the first opportunity I have had to say that to you.
On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware—malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.
This was not an isolated case. In the year leading up to September 2025, the National Cyber Security Centre dealt with 204 ‘nationally significant’ incidents, meaning that they seriously disrupted central Government or our critical public services. That is more than double the 89 incidents in 2024. No one disputes that we must do everything we can to protect the UK from these attacks.
The Bill builds on the 2018 regulations, which were a hangover from the EU when we adopted them in this country. The Bill expands on those. As my hon. Friend the Member for Harlow (Chris Vince) just suggested, this is about economic growth as well as protecting our systems.
This is one of a number of provisions that the Government are bringing forward to create growth across the country, not just in Northern Ireland.
As we know, the first duty of Government is to keep people safe. The question is how precisely the Bill will achieve that goal.
Chris Vince
Lab/Co-op
Harlow
Question
Does the Minister agree that, as we become more and more reliant on IT systems—particularly new patient registration systems in hospitals—it is more important than ever to combat potential cyber-attacks?
Minister reply
I could not agree more. I gave the example of the Synnovis incident that brought blood transfusions in London to a halt, affecting thousands of patients. Our everyday lives are affected by this. As we modernise and digitise our economy and our Government, we have to ensure that our systems are as secure as possible.
Toby Perkins
Lab
Chesterfield
Question
How has the Minister sought in the Bill to balance the need for a regulatory framework businesses can trust with the ability to attract investment?
Minister reply
The Bill builds on the 2018 regulations, which were a hangover from the EU when we adopted them in this country. The Bill expands on those. We have to find a balance between ensuring that our regulators have the powers and tools to regulate properly and giving businesses and our public services the confidence to use digital technology knowing that we have the most secure cyber-security.
Jim Shannon
DUP
Strangford
Question
Does the Bill protect Northern Ireland’s 130 cyber-security companies with some 2,750 employees and provide an opportunity for growth?
Minister reply
Indeed it does. It is one of a number of provisions that the Government are bringing forward to create growth across the country, not just in Northern Ireland.
Meg Hillier
Lab/Co-op
Hackney South and Shoreditch
Question
How will the Minister balance regulation for smaller companies to ensure they can maintain standards without being dampened?
Minister reply
It is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution.
Chris Vince
Lab/Co-op
Harlow
Question
Is there a piece of work needed on culture? When businesses or the public sector are victims of cyber-crime, employees may feel embarrassed about reporting. We need to encourage them to report quickly.
Minister reply
While physical security and national security are issues for all of us, so is cyber-security. The Bill builds on the 2018 regulations to widen the scope into other areas of the economy where such issues have become much more prevalent—for example, data centres.
Pete Wishart
SNP
Perth and Kinross-shire
Question
Will the Government look at measures like a bot register to protect news content from mass unauthorised scraping by generative AI systems?
Minister reply
AI copyright is, of course, a key issue that the Government are looking at. The Secretary of State for Science, Innovation and Technology and the Secretary of State for Culture, Media and Sport are working closely together on this issue.
Dave Robertson
Lab
Lichfield
Question
My right hon. Friend is right to mention the impact on supply chains. In the west midlands, we recently had a cyber-attack on Jaguar Land Rover which significantly impacted its operations and supply chain. Will this Bill help prevent such instances from happening in the future?
Minister reply
The Bill will not cover individual private companies like Jaguar Land Rover directly but it aims to regulate entities that provide essential services or have significant impacts on the economy, thereby indirectly preventing cyber-attacks through managed service providers and designated critical suppliers.
Question
What is the Minister’s thinking about how to involve the banking sector in the scope of the Bill given recent outages attributed to third-party software providers?
Minister reply
The financial services sector, including banks, is already within regulators' scope for cyber-security. We hope that leaders in the industry will take forward recommendations to strengthen defences and protect against attacks through third parties.
Oliver Dowden
Con
Hertsmere
Question
I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that cyber-security can often take a back seat due to other priorities. Shouldn't there be more stringent requirements on the public sector?
Minister reply
The 2018 regulations came from the previous Government and while we are determined to deliver the cyber action plan backed by significant investment, it is important for Ministers to ensure that public services lead in showing businesses how to secure their systems.
Chi Onwurah
Lab
Newcastle upon Tyne Central and West
Question
Can the Minister say a little bit about how the success of the cyber-security action plan will be measured, monitored and communicated to the House? He is probably aware that only 33,000 cyber essentials certificates were issued in 2024.
Minister reply
There are key dates for monitoring progress within the action plan itself. I have written to my hon. Friend discussing some of these issues, and I hope we can take this forward through scrutiny by the Committee and opposition members.
David Reed
Con
Exmouth and Exeter East
Question
Who is accountable in designating critical national infrastructure regarding cyber-security threats?
Minister reply
The DSIT Secretary of State will make the regulations, but multiple regulators across energy, water, data centres, etc., are involved and will be empowered to take responsibility.
Julian Lewis
Con
New Forest East
Question
Will there be a transition period where duties are laid on regulators before they have the necessary resources?
Minister reply
The Bill needs to pass first, and it may be amended during its passage. We are working with stakeholders pre-legislation to ensure proportionality and effectiveness.
Chris Vince
Con
Harlow
Question
Does the shadow Secretary of State agree with the importance of changing employee culture to report cyber-attacks?
Minister reply
The Bill aims to address systemic risks introduced by digitisation and improve national resilience. However, concerns about enforcement effectiveness, cost recovery, regulatory complexity, and market-based solutions need careful consideration.
Andrew Cooper
Lab
Mid Cheshire
Question
Is the Minister suggesting that there are concerns about software testing practices? Is not the whole point of such tests to find flaws in a system and get them fixed?
Minister reply
The hon. Gentleman is wilfully misinterpreting what I am saying. There is an issue with the fact that the system test failed, and there is no evidence that the Government have acted to deal with those systemic failures.
Question
Does my hon. Friend agree that local government could be a target for cyber-attacks?
Minister reply
Local government is outside of the scope of the Bill, but it remains a very juicy target and a part of the public sector which requires attention to its cyber-resilience.
Question
Why did the Government bring forward this strategy so quickly?
Minister reply
The 2022 consultation undertaken by the previous Conservative Government was not acted upon, and this Government are now acting on those threats with a plan that we will see through.
Matt Western
Lab
Warwick and Leamington
Question
Does my hon. Friend agree that cyber-security is paramount in our everyday lives?
Minister reply
Cyber-security is not just paramount; it is crucial for every corner of the UK, ensuring food on supermarket shelves and keeping the lights on.
Matt Turmaine
Lab
Watford
Question
The NHS attack was devastating for productivity. Does my hon. Friend agree that this Bill is essential to keep our legislation up-to-date with new methods of cyber-attacks?
Minister reply
I agree entirely, Mr. Turmaine. The Bill aims to modernise regulations and strengthen resilience against evolving threats, ensuring better protection for critical sectors.
Question
The Bill includes data centres and managed service providers but leaves out many other sectors. Should we not adopt a more comprehensive approach like Estonia's?
Minister reply
While the current legislation is a significant step, I agree that further action is needed to cover all critical sectors. We will be working on additional measures in the coming months.
Harpenden and Berkhamsted
Question
The Bill upgrades security for key sectors but leaves others vulnerable. How can we ensure a whole-economy approach to cyber-security?
Minister reply
We recognise the need for a broader strategy, Ms. Collins. We are considering further legislation to address critical sectors that were not covered in this Bill.
Chi Onwurah MP
Lab
Newcastle upon Tyne Central and West
Question
The Minister mentioned private companies handling their own cyber-security. How will the Government assess whether they are managing it effectively?
Minister reply
[Answer provided by the Minister to this specific question]
Oliver Dowden MP
Con
Hertsmere
Question
While I welcome the legislation, I caution against overestimating its efficacy. Can you clarify what steps will be taken for accountability in cyber-security?
Minister reply
[Answer provided by the Minister to this specific question]
David Reed
Exmouth and Exeter East
Con
Question
The Minister welcomed contributions from all Members of Parliament on this crucial national security challenge. He expressed a need for legislative measures to strengthen cyber-resilience across the public sector and private businesses.
Minister reply
I appreciate the support and acknowledge that strengthening our digital infrastructure and ensuring resilience is essential, especially with advances in AI and quantum computing presenting new challenges.
Bradley Thomas
Con
Bromsgrove
Question
I start by putting on the record my broad support for the principles in the Bill. Cyber-threats are among the biggest threats that our country faces. We are living in the grey zone right now—every day, thousands of cyber-attacks take place on private companies, publicly owned companies and infrastructure.
Sarah Russell
Lab
Congleton
Question
Happy new year to you, Madam Deputy Speaker, your team and everyone else in the House. It is no overstatement to say that this is one of the most pressing issues of our time.
Brecon, Radnor and Cwm Tawe
Question
Cyber-attacks are a growing menace for British businesses. They cause chaos for all types of businesses and organisations, both small and large...
Mike Reader
Lab
Northampton South
Question
I start with a story; it is a real story, but I have changed the names for obvious reasons. It was a Tuesday afternoon and I had a call from our CEO, David, who said to me...
Mike Reader
Con
Question
The inclusion of managed service providers is critical to give us better protection and improve standards and resilience, and therefore reduce burdens on the businesses that use them. I have two asks of Government: First, as other Members have done, I ask that we do this proportionately. Secondly, I ask that we work hard to consider how the legislation works with international law.
Kit Malthouse
Con
North West Hampshire
Question
Does he think that there is adequate sanction in the Bill for those companies that are deemed not to have an adequate recovery plan?
Minister reply
I think the Bill goes some way on that, and it is clear that future legislation and guidance will start to frame those issues.
Alison Griffiths
Con
Bognor Regis and Littlehampton
Question
I associate myself with comments on the Computer Misuse Act 1990 and the need for an extension to our cyber-skills in this country. I highlight major breaches suffered by businesses such as Co-op, Marks & Spencer, and Jaguar Land Rover.
Amanda Martin
Lab
Portsmouth North
Question
I welcome the Cyber Security and Resilience Bill because it reflects a clear change of direction under a Labour Government, moving from a fragmented and often reactive approach to cyber-security.
Ben Lake
PC
Ceredigion Preseli
Question
Welcomes the Bill as a step to strengthen protections for the UK's critical national infrastructure, but asks if digital sovereignty and domestic capability should be considered in part 3 of the Bill, and seeks clarity on directions to certain bodies and persons for national security purposes in part 4.
Minister reply
Acknowledges the importance of considering digital sovereignty and domestic capability but does not provide specific details or clarify powers related to directing shutdowns of data centres or AI systems during emergencies.
Tewkesbury
Question
The hon. Member raises concerns about Elon Musk’s Starlink system, noting that it is controlled by a person who has shown willingness to turn off satellites at his own political whim.
Andrew Cooper
Lab
Mid Cheshire
Question
The hon. Member discusses the need for updates to NIS regulations and highlights cyber-attacks on Jaguar Land Rover and Co-op, costing millions of pounds in losses and impacting the wider economy.
Ben Spencer
Con
Runnymede and Weybridge
Question
The Bill should address the gravest risks to UK cyber-security. What evidence does the Government have on hostile state actors, particularly China, and how will this be incorporated into the legislation?
Minister reply
We acknowledge the significant threat from state actors like China, with confirmed intelligence indicating their extensive efforts to undermine our security. The Bill prioritises modernising systems and enhancing cyber-defences across sectors, ensuring we are better equipped against emerging threats including those posed by AI.
Mike Reader
Con
Northampton South
Question
What specific measures will be taken to improve the resilience of Government IT systems following recent breaches?
Minister reply
We have initiated an urgent review to identify vulnerabilities and strengthen our cyber-resilience. This includes implementing best practices, enhancing training programmes for staff, and ensuring continuous updates to defensive technologies.
David Reed
Con
Question
Will the Minister give way on that point?
Minister reply
I might just make a bit of progress.
Dave Robertson
Lab
Telford
Question
The Member for Lichfield mentioned Jaguar Land Rover. How will this Bill affect other businesses outside the scope?
Minister reply
Businesses within essential services should focus on their resilience against cyber-attacks, but those outside still need to protect themselves without expecting extensive government intervention.
Chi Onwurah
Lab
Newcastle upon Tyne Central and West
Question
The Chair of the Science, Innovation and Technology Committee raised concerns about Jaguar Land Rover. What measures are being taken for sectors like food retail?
Minister reply
Following recent attacks on Marks & Spencer and Harrods, my hon. Friend has engaged deeply with major food retailers to advise them on protecting themselves from cyber-threats.
Victoria Collins
Lib Dem
Harpenden
Question
The Liberal Democrat spokesperson raised questions about the coverage of public sector and local government digital provision.
Minister reply
Our cyber action plan strengthens, clarifies and joins up how Government Departments hold wider public sectors to account for improved cyber-resilience.
Julian Lewis
Con
New Forest East
Question
The right hon. Member raised concerns about the juiciness of local government digital provision.
Minister reply
Our cyber action plan takes into account wider Government and public sector coverage, ensuring improved cyber-resilience.
Meg Hillier
Lab
Hackney South and Shoreditch
Question
The Chair of the Treasury Committee raised concerns about financial services organisations.
Minister reply
UK financial services are resilient against cyber-threats, but regulatory approaches like those by the FCA, PRA, and BoE inform our Bill's approach.
Alison Griffiths
Con
Bognor Regis and Littlehampton
Question
The Member for Bognor Regis raised concerns about enterprise IT and operational technology.
Minister reply
We differentiate risk factors using a sectoral lens but do not preclude the possibility of coordination and information sharing across regulators.
Meg Hillier
Lab
Hackney South and Shoreditch
Question
The Chair of the Treasury Committee asked about the impact on business and proportionate approach to security.
Minister reply
We will regulate only when necessary to protect our economy and people’s safety, aiming for a balanced approach that minimizes burdens.
Meg Hillier
Lab
Hackney South and Shoreditch
Question
The Chair of the Treasury Committee raised concerns about board-level responsibility in cyber-security.
Minister reply
All business leaders need to take responsibility for their organisation’s cyber-resilience, with the Government requesting CEOs make it a board-level priority.
Meg Hillier
Lab
Hackney South and Shoreditch
Question
The Chair of the Treasury Committee inquired about the effect on small and medium-sized businesses.
Minister reply
Small and micro-sized managed or digital services are exempt from regulation under this Bill unless they meet high critical supplier designation criteria.
David Reed
Lab
Constituency Unknown
Question
How can we have fully sovereign capability when we do not own the means of production of most advanced chips?
Minister reply
I point to a thriving compound semiconductor cluster in south Wales and chip manufacturing companies. I advise him to read a primer on the chip company supply chain, especially concerning Arm—the primary chip design company in the world.