Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting) 2026-02-03
03 February 2026
Lead MP
Ben Spencer
Runnymede and Weybridge
Con
Debate Type
General Debate
Tags
Economy
Other Contributors: 66
At a Glance
Ben Spencer raised concerns during the second sitting of the committee stage of the Cyber Security and Resilience (Network and Information Systems) Bill in the House of Commons on 3 February 2026. A government minister responded. Other MPs also contributed.
How the Debate Unfolded
MPs spoke in turn to share their views and ask questions. Here's what each person said:
Government Response
Asked about the impact of the Police CyberAlarm programme on the cyber-security and resilience of organisations, and about future developments and improvements to be made. Responded to questions about the definitions in the Bill. Acknowledged differing views on definitional points from industry experts but emphasised that the intent behind these definitions is clear. Mentioned previous consultations and ongoing engagement with regulators and industry during implementation. Said the Government had engaged with companies extensively, that guardrails are an integral part of the Bill, and that the balance struck between flexibility and certainty is necessary. Emphasised the need to focus on essential services and discussed detailed criteria for identifying critical third-party suppliers. Minister Kanishka Narayan explained that the Bill provides legal permission for deeper information sharing among sectoral regulators. He also mentioned ongoing engagement with the National Cyber Security Centre and other relevant authorities to ensure effective cross-regulatory cooperation and timely reporting.
Ben Spencer
Con
Runnymede and Weybridge
Asked about Ofcom's preparation for expanded cyber-security regulations under the Bill, focusing on skills and recruitment. Also questioned ICO and Ofgem regarding incident reporting and enforcement changes due to the Bill.
Chris Vince
Lab/Co-op
Harlow
Asked about the importance of giving regulators flexibility in implementing guidance for different sectors, highlighting the need for customised approaches like operational technology versus IT systems.
Allison Gardner
Lab
Stoke-on-Trent South
Discussed challenges faced by businesses dealing with multiple regulators and conflicting guidance. Inquired about the benefits and challenges of having a single cyber regulator across sectors.
Bradley Thomas
Con
Bromsgrove
Asked for additional resources needed to implement and enforce the requirements of the Bill.
Explained that moving from a reactive footing to a proactive one will need significant uplift in skills, capability, and system development. Estimated team sizes may double during transition, but will be self-funding eventually.
Noted the importance of quality over quantity in hiring expert regulators who understand cyber-security. Suggested that Ofcom's resources are siloed but well-positioned to handle additional responsibilities due to pre-existing duties under NIS and Telecommunications (Security) Act 2021.
Indicated a smaller expected resourcing uplift for Ofgem compared to other organisations, as the scope changes proposed in the Bill do not significantly increase their workload. Emphasised clear lines of responsibility between Ofgem and NCSC.
Tim Roca
Lab
Macclesfield
Asked about concerns regarding secondary legislation clarity, specifically on incident reporting definitions and significant impact definitions. Sought to understand if there are any preferred changes that could be made in the primary legislation.
Brecon, Radnor and Cwm Tawe
Questioned the importance of having a single regulator for cyber security, citing the Netherlands' recent merger of cyber-security organisations as an example. He expressed concern that fragmented reporting requirements could prevent government and regulators from forming a coherent cross-sector picture of emerging threats.
Stressed the importance of information sharing and the positive impact the Bill would have in countering pre-positioning attacks. She highlighted the NCSC's role in consolidating information and providing threat leadership, emphasising that Ofcom is a regulator rather than an operational organisation.
Supported Natalie Black's position, stating that the NCSC will be the hub for threat intelligence and communications. He emphasised the importance of gateways in facilitating communication regarding risks such as pre-positioning attacks.
Emphasised the need to consolidate incident reporting across 14 competent authorities, pointing out that current regulations do not allow for information sharing between organisations. He highlighted the ICO's role in data security and the importance of resilient networks.
Emily Darlington
Lab
Milton Keynes Central
Asked about additional powers provided by the Bill to address coordinated cyber-attacks through AI or foreign actors, expressing concerns over data protection and breaches across sectors. She questioned whether these measures would be sufficient for future threats.
Lincoln Jopp
Con
Spelthorne
Discussed the importance of creating a culture within organisations that encourages openness and trust, highlighting Amazon Web Services' call to treat companies as victims during cyber-attacks. He emphasised the need for regulators to provide guidance rather than heavy fines.
Sarah Russell
Lab
Congleton
Questioned how regulatory bodies would manage risks in the supply chain, expressing concern that smaller organisations might be left holding major risks and liabilities without effective management capabilities. She asked about enforcement capabilities and the adequacy of legislation in this context.
Henley and Thame
Asked how UK regulators would manage companies operating cross-border, emphasising the challenges posed by digital service providers not being geographically bound.
Ian Hulme
Constituency not given
Not specified
Discussed the challenges of regulating international data service providers within UK laws. Emphasised the importance of focusing on outcomes and understanding the UK side of operations.
Natalie Black
Constituency not given
Not specified
Acknowledged the challenge in ensuring UK requirements are clear to foreign companies with multiple footprints around the world. Welcomed the opportunity for secondary legislation to hold these companies accountable.
Provided evidence on how hostile state actors, particularly China, use pre-positioning strategies within UK critical infrastructure instead of traditional espionage methods. Highlighted that Chinese entities are legally obligated under Chinese law to cooperate with the state and gather information at its request.
Chung Ching Kwong
Witness
Expressed concerns about the potential risk to privacy and civil liberties from allowing remote access for maintenance, patches, updates, etc., under clause 9. Highlighted worries that data might fall into wrong hands if dealing with Chinese vendors. Suggested regulating hardware as well due to state-sponsored attacks targeting hardware vulnerabilities.
Tim Roca
MP
Asked about the risk of overreach and potential threat to privacy from the legislation, considering the Hong Kong activist's perspective.
Inquired whether hardware should be covered by the Bill, especially regarding vulnerabilities from integrating Chinese technology into SIPs.
Discussed the need for effective collaboration between industry and cyber-security researchers to increase resilience. Emphasised the importance of decriminalising basic practices necessary for cyber-security professionals to document and report activities accurately without fear of prosecution under the Computer Misuse Act.
Inquired about the necessity of legal reform concerning the Computer Misuse Act, emphasising that overcriminalisation discourages proper reporting and professionalisation in cyber-security.
The Bill modernises and allows flexibility through secondary legislation. He supports the concept of board-level responsibility but emphasises that current law does not empower individuals working on cyber-security effectively.
Gardner
MP
Asked about measures to enhance cyber-resilience for critical national infrastructure, questioning Professor Child on requirements for failsafes and risk management.
Inquired about international comparators and whether the UK is lagging behind in building a thriving sector of cyber-security due to differing approaches towards criminalisation.
Asked about the main threat actors in cyber-attacks on UK networks and information systems, focusing on state actors, organised crime groups, and ransomware threats. Also questioned about the scale of ransomware attacks and primary targets within sectors and businesses.
DCS Andrew Gould
Programme Lead for the National Police Chiefs’ Council cyber-crime programme
Discussed various threat actors including state actors, organised crime groups, hacktivists, terrorists, and script kiddies. Mentioned the diversification of UK threats post-pandemic with more online crimes. Addressed ransomware attacks focusing on less critical national infrastructure due to disincentives from media attention or law enforcement intervention. Discussed challenges in investigating global threats due to international jurisdiction issues.
Asked about the effectiveness of UK police forces working with international partners to investigate and prosecute overseas criminals involved in online fraud targeting British citizens. Highlighted significant losses from such attacks, especially impacting elderly victims.
DCS Andrew Gould
Ind
Metropolitan Police Service
Andrew Gould discussed the challenges of promoting cybersecurity initiatives and introduced the Police CyberAlarm, a Home Office-funded tool aimed at small and medium-sized enterprises. He highlighted its role in monitoring attacks, providing threat intelligence for operational activities, and offering monthly vulnerability scans to member organisations. He also mentioned the need for scaling these services and creating market growth by improving cyber-resilience centres. Additionally, Gould addressed the nature of ransom payments and extortion attempts, noting that financial gain is usually the primary motive.
Thomas inquired about ransom payments and extortion attempts, focusing on whether they are for monetary gain or intellectual property data. DCS Andrew Gould responded by explaining that financial gain is typically the primary motive, though there can be instances of double dipping with both encryption and extraction of personal data.
Vince expressed concern about the pace of technological change for hackers and asked how flexible or inflexible the Bill should be in tackling these challenges. Gould responded by emphasising that effective cybersecurity often comes down to basic practices like regular updates, multi-factor authentication, and robust patch management.
Richard Starnes
Ind
Chair of Information Security Panel for Worshipful Company of Information Technologists
Starnes discussed the effectiveness of the NIS1 regulatory enforcement regime and highlighted the benefits of information sharing and analysis centres, such as FS-ISAC, in improving cyber-resilience. He also addressed the challenges faced by chief information security officers, including their short tenures due to stress and conflicts of interest when reporting to a CIO.
Spencer inquired about the effectiveness of NIS1 regulatory enforcement and how information sharing and analysis centres could improve cyber-resilience. Starnes responded by noting that the deterrent effect is not always visible due to non-public disclosure, but information sharing across industries can be beneficial.
Chadwick asked about the challenges faced by chief information security officers and what they need from the Bill to strengthen their position. Starnes emphasised the importance of stringent regulatory application and suggested discussing board-level liability for cyber-risk governance.
Gardner followed up by questioning whether there should be a statutory responsibility at company level for a board member to be responsible for cyber-risk. Starnes responded that this responsibility should flow from the board to C-level executives, with the risk committee chair being a natural place.
Under the Companies Act, liability for cyber-security is already in place but not enforced. The code of practice should be made part of annual Companies House registrations to address the societal issue of cyber-security awareness among small businesses.
Gardner
Constituency not given
Asked questions about the effectiveness and enforcement of regulations, the importance of simplicity in applying regulations, and the need for clear definitions regarding incident reporting.
Emily Darlington
Constituency not given
Inquired about how the code of practice could help smaller businesses without imposing a heavy burden. Emphasised the necessity to address cyber-security at the micro-level companies with fewer than 25 employees.
David Chadwick
Constituency not given
Asked about the definitions within the Bill regarding incident reporting, and highlighted concerns over potential false positives leading to unnecessary regulatory intervention.
Head of IT security and compliance at NHS Greater Glasgow and Clyde. Discussed the importance of risk assessment for third-party service providers in relation to critical services such as patient transport, cleaning, food provision, medical devices, and locum agencies.
Data protection officer at NHS Greater Glasgow and Clyde. Highlighted the need for a framework that improves processes between health boards and suppliers, and discussed reporting requirements to multiple regulators including the Information Commissioner’s Office and Scottish Health Competent Authority.
Brian Miller
Organisation
NHS Scotland
Supports the Bill, particularly for managed service provision. Addresses concerns about the designation of critical suppliers by regulators.
Stewart Whyte
Organisation
NHS Scotland
Concerned with data protection and sensitive information processing. Identifies unique challenges in the NHS due to the nature of their data.
Chris Parker MBE
Company
Fortinet
Supports SME-friendly cyber-resilience measures, highlighting the collaborative nature of the cybersecurity sector and the availability of free training. Advocates for a fair system that considers the technological, commercial, and human factors.
Carla Baker
Company
Palo Alto Networks
Opposes broad incident reporting requirements as they would generate excessive noise and burden regulators. Proposes a tiered approach with measurable thresholds to identify high-risk incidents effectively.
Emphasises that there is an ongoing collaborative effort in the cyber sector, and suggests that the UK can play a unique role in standard harmonisation. He also highlights challenges such as regulatory load for SMEs and the importance of public-private partnerships.
Highlights three key areas for improvement: incentivising organisations to improve their cyber security posture, using government purchasing power to mandate enhanced security requirements, and addressing the void in information sharing through initiatives such as the national cyber action plan.
Asks about workforce expansion, suggesting that there is a need for more awareness around available jobs in the sector beyond high-tech roles. Also mentions the importance of improving lecture quality and standards through industry-academia collaboration.
Questions the balance between mandating board-level accountability for cyber risks and ensuring that regulatory burden is proportionate, especially for SMEs designated as critical suppliers. She also raises concerns about information sharing across regulators.
Discussed the precedents set by legislation such as the Corporate Manslaughter and Corporate Homicide Act 2007. Believes there will be a future requirement for liability, ideally driven by methodology rather than tragedy. Advocates careful approach to regulating SMEs in the Bill to avoid placing too much burden on small suppliers.
Asked Chris Parker about the regulatory burden on SMEs as currently drafted, suggesting that Parker's comments imply concern over excessive regulation for smaller firms.
Supported a risk-based approach to determining whether SMEs should be regulated. Suggested that systemic and integral suppliers should be brought into scope, but questioned the proportionality of bringing single-supplier relationships into regulatory oversight.
Andrew Cooper
Lab
Mid Cheshire
Questioned Carla Baker about over-reporting incidents under the legislation. Argued for reporting pre-emptive malware threats even without immediate impact, stressing importance of information dissemination across sectors to prevent potential impacts.
Asked about definitions in the Bill concerning critical suppliers and the potential risk that a supplier may be deemed critical solely by supplying to a critical industry. Raised concerns about the entire economy falling within the scope of the Bill.
Inquired about adequacy of consultation process between Government and business during legislative development, noting that while efforts were made, more collaborative work like modelling and testing could be beneficial for future legislation.
Asked the Minister about her engagement with companies and regulators, sought information on guardrails for extensive powers in the Bill.
Explored the balance between the flexibility required by businesses and the certainty they desire. Praised the broad support for the Bill from industry and regulators, and emphasised the need to strike that balance within the Bill.
Inquired about specific cyber-attacks on JLR and M&S falling under this Bill's scope. Questioned whether the Bill should go further in terms of scope, particularly with respect to skill shortages.
Discussed tackling legacy systems alongside safeguarding essential services as outlined by the Bill. Highlighted the importance of technology-agnostic approaches while focusing on risk-based outcomes.
Questioned how the definition of 'critical suppliers' would work in practice, particularly within an NHS context and its relationship to operators of essential services. Sought clarity on overlap between multiple regulators applying these tests.
Asked about the potential for triple regulation by different sectoral regulators (Information Commissioner, Ofgem and Ofcom) if they all deemed it necessary. He wanted to understand whether there was a mechanism in place to prevent this from happening.
Questioned how information sharing would work between individual sectoral regulators under the new regulatory framework. He expressed concerns about ensuring that there is an adequate flow of relevant information and highlighted the need for a single point of reporting to avoid silos and ensure timely responses.
Asked why electoral services were not considered as critical infrastructure under this proposed legislation. He also inquired about board-level responsibility regarding cyber security measures within organisations, advocating for stronger mandates on boards to take these responsibilities seriously.
Expressed concerns over the potential for conflicting guidelines and oversight issues when dealing with cross-regulatory themes among different sectoral regulators. She asked who would oversee ensuring that these regulators align their regulations in a consistent manner.