Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) 2026-02-03
03 February 2026
Lead MP
Ben Spencer
Runnymede and Weybridge
Con
Debate Type
General Debate
Other Contributors: 37
At a Glance
Ben Spencer raised concerns about the Cyber Security and Resilience (Network and Information Systems) Bill at its first sitting on 2026-02-03 in the House of Commons. Other MPs contributed to the debate.
How the Debate Unfolded
MPs spoke in turn to share their views and ask questions. Here's what each person said:
Ben Spencer
Con
Runnymede and Weybridge
Asked about mitigating risks to out-of-scope businesses from major cyber-attacks, suggesting that the Bill could include larger organisations with significant impact on the UK economy. Sought lessons learned from implementing NIS2 regarding certainty in legislation.
Jen Ellis
Royal United Services Institute
Suggested including companies above a certain size or economic impact, beyond essential services covered by the Bill, to mitigate risks but noted that this would not solve all problems due to complexity of cyber threats.
David Cook
DLA Piper
Emphasised the importance of long-term certainty in legislation for global organisations, noting benefits of agile systems while stressing need for a fixed future point to prepare and recruit resources effectively.
Bradley Thomas
Con
Bromsgrove
Mr Thomas asked about ensuring privately owned companies of a certain scale are within the scope of the proposed legislation. He questioned how policymakers would determine which companies should be included, suggesting that it might depend on factors such as turnover or number of employees.
Jen Ellis
RUSI Fellow
Ms Ellis responded to Mr Thomas's question by emphasising that the focus should be on impact rather than public versus private ownership. She noted the challenge in measuring impact and highlighted the importance of looking down the supply chain, where it gets more complex.
Tim Roca
Lab
Macclesfield
Mr Roca asked Ms Ellis to compare the Bill with international legislation, particularly NIS2. She explained that while both laws aim at similar goals, there are differences in approach and flexibility, which could lead to varying experiences across different competent authorities.
Emily Darlington
Lab
Milton Keynes Central
Ms Darlington questioned the current cyber risks businesses face and how the Bill addresses those risks. She was seeking insight into whether the legislation adequately covers supply chain vulnerabilities and systemic risks faced by UK and global businesses.
Mr Cook further elaborated on the necessity of having prescriptive contract requirements for smaller entities to ensure compliance across their entire supply chain. He emphasised that without such regulations, small companies might face pushback from larger providers during negotiations and may not achieve desired outcomes.
Jen Ellis
Not specified
Expressed concerns about the effectiveness of current UK law in dealing with global organisations and highlighted the need for updated legislation to address emerging threats such as state-sponsored attacks. Mentioned examples like Volt Typhoon to illustrate the urgency needed for addressing cybersecurity risks.
David Cook
Not specified
Provided an example illustrating how NIS1's reporting requirements are insufficient in the face of pre-positioning attacks by threat actors, and emphasised that NIS2 aims to broaden visibility on potential threats through regulators. Highlighted the importance of early detection.
Henley and Thame
Asked about why companies need legislative mandates for cybersecurity, questioning whether commercial incentives are enough. Cited examples like JLR, M&S, and Co-op to illustrate the costs of failing to adhere to high cyber-security standards.
Alison Griffiths
Con
Bognor Regis and Littlehampton
Inquired about the Bill's adequacy in securing supply chains outside regulated industries, expressing concern over whether secondary legislation can swiftly mandate security controls for organisations that cannot quickly adapt.
Allison Gardner
Lab
Stoke-on-Trent South
Asked how the Bill could address human factors and skill shortages in implementing cybersecurity plans. Suggested cultural change is needed, starting from leadership levels within organisations to shift attitudes towards cybersecurity as a requirement rather than a tick-box exercise.
Sanjana Mehta
ISC2
Welcomes the introduction of the Bill and suggests non-legislative measures such as voluntary codes of practice to enhance cyber security in industries not covered by the Bill. Emphasises the importance of skills development for success, whether organisations are within or outside the scope.
Jill Broom
techUK
Highlights that while some members find the definition of managed service provider (MSP) satisfactory, others find it too broad and confusing. Calls for a meaningful consultation on secondary legislation to help with scrutiny.
Stuart McKean
Nine23
Points out that only 11% of MSPs are large or medium-sized enterprises which will be in scope, indicating the need for clarity in definitions. Discusses the complexity and challenges related to procurement requirements flowing down supply chains.
Jill Broom
TechUK
London
She advocates for clarity in reporting requirements, a single reporting platform to reduce friction and streamline the process, and careful sequencing of alignment with other regulations. She supports the legislation but calls for it to be aligned where possible with EU standards without compromising the UK's focus on critical national infrastructure.
He asks Jill Broom about the strength of UK legislation compared to EU and questions Dr Mehta regarding the exclusion of local government from the scope of regulation.
Lincoln Jopp
Con
Spelthorne
He inquires about international regulatory regimes' effectiveness in deterring cyber-criminals, asking whether they impose barriers high enough to discourage attacks. He seeks clarification on where attacks are most likely to occur - nationally or corporately.
Responding to questions about the impact of regulatory regimes on cyber-attacks and their geographical boundaries, he states that cyber-criminals disregard such boundaries and will attack weak links irrespective of geography. He agrees with Jill Broom's call for clarity regarding reporting requirements.
Andrew Cooper
Lab
Mid Cheshire
He questions whether the legislation strikes a balance in encouraging organisations to report incidents transparently without fear of stringent penalties, advocating for cultural change and specific details on incident reporting.
Sarah Russell
Lab
Congleton
She enquires about the potential cost implications of the new cyber-security legislation on businesses and whether it will promote increased spending on security measures.
She advocates for expanding the sectoral scope to include public administration as a role model in cybersecurity. She supports the recommendation that central government departments should be brought into regulatory scope due to their critical handling of sensitive information.
There are approximately 12,500 MSPs in the UK with medium-sized and large organisations accounting for about 85% of revenue. Stuart emphasises that cyber-security is a broader issue than IT companies alone can address, highlighting the need for skilled professionals and regulatory clarity.
Dr Mehta urges the Government to think about skills development not only in relation to the Bill but as a wider challenge. She highlights that while there has been an 11% increase in cyber-security professionals, more work needs to be done to professionalise the sector.
Asked Stuart McKean about how the legislation deals with cross-border resilience and compliance for MSPs. Stuart responded that resilience is a key part of the Bill but it does not detail where data should be hosted internationally.
Questioned witnesses on benchmarks regarding incident reporting thresholds in the Bill, noting concerns about clarity and potential over-reporting for smaller firms. Stuart McKean highlighted the lack of definition around 'significant economic impact'.
Agreed with other speakers that more clarity is needed on defining systemic risk in the Bill.
Supports the inclusion of managed service providers in the Bill. He notes that the definition is largely appropriate but suggests clarifying certain aspects such as the 'ongoing management' aspect and the activities involved like support, maintenance, monitoring, and active administration. Emphasises the importance of guidance post-Bill to maintain clarity on MSP roles.
Acknowledges the NAO report's critique but also highlights the positive aspects of the Government’s cyber action plan including £210 million additional funding. Discusses issues such as a skills shortage and outdated IT systems, emphasising broader budgetary discussions beyond this Bill.
Raises concerns over overly broad definitions for critical suppliers, which may include SMEs unnecessarily. Questions the liability implications of partners’ services running on AWS and calls for a lead regulator model to reduce ambiguity in reporting requirements.
Ian Levy
Not specified
Not specified
Emphasised the importance of early consultation on technical details, supported incident reporting improvements for victims' benefit and a single reporting forum. Urged the government to look at Australia's cyber-security legislation as an example.
Ben Lyons
Not specified
Not specified
Agreed with outcomes-based approaches in cybersecurity policy, suggested a shared incident reporting portal for ease of use and clarity on supply chain regulations. Believed the NCSC’s role should prioritise early support to victims.
Matt Houlihan
Not specified
Not specified
Supported balance between specificity and agility in cybersecurity legislation, suggested tighter definitions for incident reporting and narrower Secretary of State powers with guardrails. Recommended looking at international best practices like Australia's Security of Critical Infrastructure Act.
Matt Houlihan
Organisation
Cisco
Discussed the comparators to NIS2, the EU's progress on cybersecurity laws, and Australia’s Security of Critical Infrastructure Act. Emphasised the need for the Cyber Security Resilience Bill (CSRB) and highlighted the challenges in implementation and wide scope. Cited Cisco research finding that 8% of UK companies are cyber-mature.
Chris Anley
Expert
Noted that other territories such as the EU, the US and Portugal already benefit from protections for defenders and mentioned Australia's provision of cybersecurity support to SMEs. Highlighted that streamlining of reporting requirements is in progress.
Stressed the importance of incentives to ensure companies look at their responsibilities across cyber-security. Emphasised avoiding putting national security requirements on entities that cannot possibly meet them. Discussed the difficulty of changing corporate culture through regulation quickly and highlighted instances where small entities were required to defend against state-level attacks.
About House of Commons Debates
House of Commons debates take place in the main chamber of the House of Commons. These debates cover a wide range of topics including government policy, legislation, and current affairs. MPs from all parties can participate, question ministers, and hold the government accountable for its decisions.