← Back to House of Commons Debates
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting) 2026-02-05
05 February 2026
Lead MP
Kanishka Narayan
Parliamentary Under-Secretary of State for Science, Innovation and Technology
Debate Type
General Debate
Tags
No tags
Other Contributors: 25
At a Glance
Kanishka Narayan raised concerns about cyber security and resilience (network and information systems) bill (fourth sitting) 2026-02-05 in the House of Commons. A government minister responded. Other MPs also contributed.
How the Debate Unfolded
MPs spoke in turn to share their views and ask questions. Here's what each person said:
Government Response
Government Response
Welcomed Committee members, emphasised the importance of Clause 9 which regulates large and medium-sized managed service providers (MSPs) for their cyber-security. Discussed new duties imposed by Clause 10 on MSPs to identify and manage risks, ensuring robust protections are in place. Emphasised the need for proportionality in regulation and engagement with industry bodies such as techUK. The clause introduces a new power for regulators to designate critical suppliers under NIS regulations. It sets a high bar, requiring credible risk of systemic disruption and consideration of alternative management methods before designation. Safeguards include consultations with relevant regulators and designated suppliers. Responded to points raised by other MPs. Confirmed schools are not in scope but highlighted existing work with Government's cyber-security strategy to ensure pupil data is secure. Emphasised the five-step test for critical supplier designation and the proportionate measures specified in secondary legislation.
Kanishka Narayan
Parliamentary Under-Secretary of State for Science, Innovation and Technology
Welcomed the Committee to discuss Clause 9 which brings large and medium-sized managed service providers into scope of the Network and Information Systems Regulations. Emphasised the importance of regulating MSPs due to their widespread access to clients’ networks and systems, citing a Collins Aerospace incident that highlighted risks. Stated that clause provides definitions for 'managed service' and 'relevant managed service provider', ensuring clarity on organisational inclusion. Noted Clause 10 imposes new duties on MSPs to identify and manage cyber-security risks. Highlighted the importance of considering the latest tools, technologies, techniques, and methods ('regard to the state of the art'). Asserted these provisions strengthen cyber-security across supply chains and reduce vulnerabilities in outsourced IT services.
Alison Griffiths
Con
Bognor Regis and Littlehampton
Acknowledged bringing MSPs into scope is right but emphasised the need for proportionality given different levels of risk among providers despite their size. Highlighted that real risk lies in privileged access and cross-customer dependency rather than just size alone.
Lincoln Jopp
Con
Spelthorne
Questioned the use of headcount as a metric for defining SMEs in IT, suggesting through-flow of transactions or data could be more relevant. Raised concern that current definitions may not fully capture the scale and impact of digital service providers.
Ben Spencer
Con
Runnymede and Weybridge
Discussed Clause 9 which brings new categories of technology service providers within scope of NIS regulations. Provided statistics on MSP activity in the UK, indicating around 1,500 to 1,700 medium or large organisations would be regulated. Highlighted their critical role and potential risk due to significant access to client networks and data. Mentioned 86% support from respondents for regulating MSPs as per previous Government consultation.
Chris Vince
Lab/Co-op
Harlow
Sought clarification on the proportion of regulated MSPs in relation to total number of MSPs. Highlighted potential discrepancies between individual organisation numbers and market share proportions.
Lincoln Jopp
Con
Bognor Regis and Littlehampton
Questions the Bill's clarity regarding hospital trusts' obligations in case of a reportable event involving an MSP. Concerns that lack of clarity could lead to compliance issues for hospitals.
Concerned about the commercial impacts on MSPs, particularly new contracts and regulatory uncertainty which may render existing frameworks redundant.
Chris Vince
Lab
Bognor Regis and Littlehampton
Raises concern that micro and small enterprises have been omitted from the legislation due to guidance challenges. Acknowledges their importance in cyber-security but questions whether they can manage overlapping regulatory duties.
Alison Griffiths
Lab
Cardiff North
There is a real possibility that firms will face issues due to lack of clarity in the Bill. Legal certainty is important as regulatory uncertainty can hinder business decisions and lead to companies assuming they are not regulated entities, which may prevent them from taking necessary actions.
Kanishka Narayan
Con
Ruislip-Northwood
Clarifies the coverage of MSPs under the Bill, stating that 11% by number but 97.6% by revenue are covered. Addresses questions about concentration risk and notification overlap. Emphasises the need for regulatory clarity to prevent unnecessary legal costs.
Lincoln Jopp
Lab
Boston and Skegness
Questions the Minister regarding factual errors in the impact assessment, specifically the hourly rate of £34 for a contract lawyer. Argues that such figures undermine the credibility of the impact assessment.
Alison Griffiths
Lab
Cardiff North
Clause 12 should be closely scrutinised as it addresses supply chain risks beyond individual operators. The clause allows regulators to designate suppliers as critical where disruption would significantly affect essential or digital services. However, there is concern about whether the power will be used early and clearly enough to address shared operational technology (OT) risks before they become cross-sector incidents.
The clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. It discusses the need for transparency and engagement in the designation process, highlighting concerns about the lack of certainty and potential impact on smaller companies.
This contribution is not fully provided in the transcript excerpt given. Alison Griffiths' position would need to be filled with her full statement if available.
Daniel Poulter
Con
St albans
The idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems complete nonsense. There is often a focus on doctors but it really is a whole-team effort.
Chris Vince
Con
Harlow
I wonder whether the distinction might be how time-sensitive losing a particular service would be. That is just a suggestion.
Daniel Poulter
Con
St albans
There would need to be an arbitration system where a company that is under threat of being designated a critical supplier could have a discussion or debate about whether that designation was relevant or not. How will the regulator know what it should look at? Does the hospital trust go to the regulator and say, 'Hello regulator, here is a list of all the private service providers who are supplying our OES—and by the way, this list is going to change every single day,'?
Lincoln Jopp
Lab
Birmingham, Hodge Hill
I visited the Maypole special school in my constituency. It has 20 members of staff and 18 pupils. It books the transport, and the transport is paid for by the local education authority in which the pupil lives. It is clearly critical that children get to the school—just as it would be for a hospital.
Daniel Poulter
Con
St albans
I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. A lot of providers are going to think, 'Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?' This will have a chilling effect on organisations supplying to OESs.
Responded to points raised about operational technology and proportionality. Confirmed that vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. Highlighted that the Bill takes a nuanced position on proportionality, ensuring clarity on the number of suppliers affected and their ultimate impact.
Asked about schools being within the scope of the Bill and questioned the Minister's characterisation of the Bill’s provisions as not knowing how many critical suppliers there are or the cost implications. Emphasised that patient data and children’s data are precious, raising concern over why schools are not covered.
Agreed with the necessity of introducing measures to protect critical infrastructure, even if the exact number of critical suppliers is unknown. Supported the introduction of regulations as soon as possible.
Raised concerns about legal disputes that may arise after implementation and questioned the Minister’s dismissive comments, highlighting the importance of specific concerns for future legal arguments.
Spencer
Lab
Nottingham North
Proposes amendments to clause 15 to ensure that incidents involving autonomous or adaptive systems based on machine learning are reported. Argues that this is necessary due to the increasing use of AI in cyber-attacks and the need for data on such risks.
Kanishka Narayan
Lab
Dewsbury
Acknowledges concerns about emerging AI risks but argues against specifying risk factors in the Bill. Suggests that technology is agnostic to specific risks and mentions ongoing work by the Government on mitigating such risks through the AI Security Institute.
Shadow Response
None
Shadow Response
Critiques the impact assessment's discrepancy regarding contract lawyer costs. Emphasises that business models should be left to businesses, not government. Argues for a regulatory framework that is least burdensome yet provides certainty. Asked about the application of Bill’s provisions, specifically concerning schools and public sector authorities not being covered by the Bill. Criticised the Minister’s dismissive comments, suggesting future legal disputes may rely on parliamentary debates for settling arguments.
▸
Assessment & feedback
Summary accuracy
About House of Commons Debates
House of Commons debates take place in the main chamber of the House of Commons. These debates cover a wide range of topics including government policy, legislation, and current affairs. MPs from all parties can participate, question ministers, and hold the government accountable for its decisions.