← Back to House of Commons Debates
Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting) 2026-02-05
05 February 2026
Lead MP
Kanishka Narayan
Debate Type
General Debate
Tags
Employment
Other Contributors: 30
At a Glance
Kanishka Narayan raised concerns about cyber security and resilience (network and information systems) bill (third sitting) 2026-02-05 in the House of Commons. A government minister responded. Other MPs also contributed.
How the Debate Unfolded
MPs spoke in turn to share their views and ask questions. Here's what each person said:
Lead Contributor
Opened the debate
The Bill will make crucial updates that build on the NIS regulations by expanding their scope to cover data centres, large load controllers, and managed service providers. It introduces powers for regulators to designate suppliers as critical for their sector and includes provisions related to incident-reporting regimes, recovery of regulatory costs, information-gathering and sharing, enforcement powers, and national security directions.
Ben Spencer
Con
Runnymede and Weybridge
The Bill will update and expand the NIS regulations by bringing new services within scope of regulation, giving sector regulators power to designate critical suppliers, updating incident-reporting regimes, and providing extensive powers for the Secretary of State to respond to emerging cyber-threats. However, concerns exist about overburdening small and medium-sized enterprises with complex regulations.
Alison Griffiths
Con
Bognor Regis and Littlehampton
Supports intent behind the Bill but raises concerns that clause 2 does a lot of framing work without considering practical application, particularly how proportionality will be applied in practice.
Chris Vince
Lab/Co-op
Harlow
Recognises need for balance between flexibility and clarity. Acknowledges businesses' struggle with legal uncertainty but emphasises importance of compliance due to its impact on business operations.
The Bill fails to provide legal certainty and a proportionate framework for businesses, leaving critical sectors unprotected. There is concern over the lack of action regarding Chinese cyber attacks on UK officials.
Kanishka Narayan
Con
Welcomes some Opposition views but criticises opposition stance as usual. Emphasises flexibility in the Bill, stating that it prevents prescriptive actions and allows for tailored engagement with businesses, Government, and regulators. Proposes clear tests for critical suppliers and supports incident reporting extension.
Spencer
Lab
Supports clause 3 but raises concerns about the complexity of cross-border compliance and its impact on SMEs and digital service provision abroad. Asks for clarity on discussions with industry representatives to ease regulatory burden.
Kanishka Narayan
Con
Responds that there have been extensive engagements with techUK, managed service providers, and the NCSC regarding cross-border compliance. Assures a proportionate regime for businesses, including those providing essential services from abroad.
Raises concerns about the reliance on capacity as a trigger for regulation, suggesting that criticality should also be considered when assessing systemic risk.
Kanishka Narayan
Con
Acknowledges Alison Griffiths' point and confirms that data centres below the capacity threshold but high on criticality will still be covered under the critical suppliers framework. Emphasises the importance of initial notification requirements for national security risks.
Bradley Thomas
Con
Bromsgrove
Asks about potential conflicts between data centres' customer confidentiality obligations and mandatory rapid reporting, seeking assurance that such conflicts will not impact future business.
Kanishka Narayan
Con
Explains that the initial notification requirement is critical for managing national security risks. Assures that incidents can have significant impacts beyond data centres themselves, thus requiring prompt reporting and structured oversight.
Supports amendments to make Ofcom the sole regulator for the data infrastructure subsector, aligning with international regulations and enhancing national security and economic stability.
Bradley Thomas
Con
Harlow
The hon. Friend agrees that greater consideration must be given to the vulnerability of the supply chain of large load data centres, especially with UK SMEs facing challenges in securing Government procurement contracts and relying on US big tech providers for cloud services.
Chipping Barnet
The hon. Friend's point about the balance of regulation is well taken, but every additional requirement placed on businesses should be seen as a potential harm unless proven otherwise. Regulations must be carefully balanced to ensure they provide benefits that outweigh any burdens imposed.
Dave Robertson
Lab
Lichfield
The hon. Member for Chipping Barnet's assertion that every regulation is inherently harmful is an extreme view. Regulatory certainty and confidence in data centre security are essential for SMEs to operate successfully, and the Bill aims to provide such assurance.
Alison Griffiths
Lab/Co-op
Cardiff North
Griffiths supported the shadow Minister's emphasis on board awareness and enforcement, noting that effective regulation must incentivise businesses to take cybersecurity seriously.
Bradley Thomas
Con
Stretford and Urmston
Thomas acknowledged the need for a balanced approach between administrative burden and real cyber risks. He proposed setting a threshold of £25 million turnover for companies to be regulated under cybersecurity laws, aiming to reduce burdens on smaller businesses.
Dave Robertson
SNP
West Lothian
Robertson intervened to argue against the anti-tax sentiment expressed by other speakers and highlighted how tax funding supports essential services for business success.
Chris Vince
Con
Lichfield
Vince acknowledged the need for flexibility in legislation due to the evolving nature of cyber-threats and technology, supporting the Minister's approach.
Minister confirmed that thresholds were set with technical experts' advice but would remain open to adjustments through secondary powers in the Bill as needed.
The Chair instructed the Minister to speak more loudly and slowly for clarity.
Minister explained that clause 5 brings Crown-operated data centres into scope of NIS regulations, closing a critical gap and urged clause stand part. He clarified exemptions for intelligence agencies handling highly classified information.
Spencer
Lab
Barnsley Central
Spencer inquired about the regulation of Crown data centres providing commercial services to both public and private sectors, seeking clarification from the Minister.
Minister assured that if a Crown data centre provides dual services, it will be regulated under NIS rules but offered to write further details. He reiterated the importance of load control regulation for cyber security.
Alison Griffiths
Lab
Cardiff Central
Griffiths noted that definitions in clause 7 may age quickly due to rapid technological changes and advised the Committee to remain alert about future relevancy.
Minister welcomed Griffith's observation, emphasising adaptability through Bill flexibilities. He highlighted broader architecture characteristics rather than specific resource definitions to capture evolving cloud models and AI deployments.
Spencer asked about the Government’s powers to adjust provisions as technology evolves and inquired about consultations on these adjustments within the scope of the Bill.
John Spencer
Con
Rutland
Explains clauses 7 and 8 provide updates reflecting the changing nature of vital digital services. Discusses exclusion of public sector-controlled RDSPs and RMSPs from regulation, questioning why these are excluded when the rest are not.
Bradley Thomas
Con
Cheltenham
Acknowledges reason for amendment tabled but questions whether it's appropriate to highlight only one risk vector in clause. Emphasises importance of using opportunities like this Bill to raise awareness about fraud.
Discussed the relevance of digital service provider portfolios to risk exposure and requested a written response on commercial confidentiality duties. Emphasised the need for holistic cyber-risk management, including coverage of all dependencies and adherence to guidance from the Information Commission.
Government Response
Kanishka Narayan outlines support for flexible regulatory engagement, clear tests for critical suppliers, incident reporting extension, cross-border compliance discussions with industry representatives, and proposes a single regulator (Ofcom) model to streamline the data infrastructure sector. He addresses concerns about capacity thresholds and customer confidentiality conflicts. The Minister responded by emphasising the need to resource regulators properly, addressing previous criticisms that regulatory bodies were understaffed. He also referenced initiatives such as the CyberFirst programme aimed at improving skills in cybersecurity. Minister explained that extensive engagement led to precise definitions for cloud computing service characteristics. He highlighted secondary powers to keep provisions under review and adapt as needed. Explains that security duties within NIS require RDSPs to manage full spectrum of risks including fraud but advises caution against highlighting only one risk vector in clause. Discusses ongoing work on a new fraud strategy by the Home Office. Responded to questions regarding risk exposure and commercial confidentiality by agreeing to provide a written clarification on prompt notification responsibilities. Discussed Clause 8's modifications aimed at improving cyber-risk management through broader coverage of network systems and reliance on Information Commission guidance.
Shadow Response
None
Shadow Response
Dr Spencer acknowledges clause 3's importance but questions the regulatory complexity for businesses, particularly SMEs, and seeks clarity on industry discussions to ease compliance burdens. Spencer questioned why specific sectors, namely data centres and large load controllers, were chosen for regulation under the Bill. She asked about future technological developments and whether the current regulatory framework would remain flexible enough to accommodate them. Shadow Minister questioned about regulatory adjustments in the face of technological evolution, seeking clarification on Government's flexibility within the Bill.
▸
Assessment & feedback
Summary accuracy
About House of Commons Debates
House of Commons debates take place in the main chamber of the House of Commons. These debates cover a wide range of topics including government policy, legislation, and current affairs. MPs from all parties can participate, question ministers, and hold the government accountable for its decisions.