#
I beg to move, That the clause be read a Second time.
#
With this it will be convenient to discuss the following:
New clause 3—Review of high-risk bodies—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
“relevant body” means—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;
“network and information systems” has the meaning given by section 24(1).”.
This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.
New clause 4—Critical manufacturing and retail sectors—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”.
This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
New clause 5—Local authorities to be regulated as essential services—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
“Local Government Local Government The Secretary of State for Housing, Communities and Local Government”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The Local Government Sector
12 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph “local authority” means—
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.”.
This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.
New clause 6—Computer Misuse Act 1990: security and resilience of network and information systems—
“(1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines—
(a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review;
(b) the review’s conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and
(c) the Government’s intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review.”.
This new clause would require the Secretary of State to review, within 12 months, whether amending the Computer Misuse Act 1990 could improve the resilience of network and information systems, and to report the government’s intentions to Parliament.
New clause 7—Consultation on resourcing of regulatory authorities and regulated persons—
“(1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing—
(a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and
(b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1).”.
This new clause would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations, and whether additional government support is required.
New clause 8—Electoral infrastructure to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
“Elections Electoral infrastructure The Electoral Commission”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The electoral infrastructure subsector
12 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
‘(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.’”.
This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.
New clause 9—Political parties to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
“Government Political parties The Secretary of State for Housing, Communities and Local Government”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The political parties subsector
12 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.
(3) In this paragraph—
“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.”.
This new clause would designate political parties as providing essential services for the purposes of cyber security.
New clause 10—Board oversight of security and resilience of network and information systems—
“(1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body’s network and information systems.
(2) In exercising oversight, the management body must—
(a) approve the approach taken by the body to the management of risks to the security and resilience of the body’s network and information systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.
(4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.”.
This new clause would require active board oversight of, and accountability for, security and resilience measures, where a relevant body is governed by a board or similar body.
New clause 11—Requirement for regular testing of network and information systems—
“(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.
(2) Testing undertaken in accordance with this section must—
(a) be proportionate, having regard to the size, nature and risk profile of the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.
(3) A relevant body must document—
(a) the outcomes of testing undertaken in accordance with this section; and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.”.
This new clause would require bodies to carry out proportionate, periodic testing of the security and resilience of their network and information systems and provide the results to regulatory bodies upon request.
New clause 12—“Last-resort” powers in respect of data centres and AI models—
“(1) Regulations under section 29(1) may confer on the Secretary of State powers (“last-resort powers”) to direct the shutdown of—
(a) data centres, or
(b) AI systems used or deployed by a data centre,
in the event of an AI security or operational emergency.
(2) For the purposes of this section—
“data centre” has the meaning given in paragraph 11 of the NIS Regulations (as amended by this Act);
“AI system” means a machine-based system that, from the input it receives, can infer how to—
(a) generate predictions, digital content, recommendations, decisions or other similar outputs, or
(b) influence a physical or virtual environment,
with a view to achieving an explicit or implicit objective;
“used or deployed” means made available to—
(a) a substantial number of individuals within the United Kingdom; or
(b) providers and operators of essential services;
“AI security or operational emergency” means a situation where the Secretary of State has reasonable grounds to believe that—
(a) there is a security or operational compromise to one or more relevant network and information systems,
(b) this compromise is caused, or contributed to, by the use or operation of an AI system used or deployed by a data centre, whether through autonomous or non-autonomous means; and
(c) this compromise poses a catastrophic risk;
“catastrophic risk” means a risk carrying a reasonable likelihood of causing or contributing to—
(a) large-scale disruption to critical infrastructure or essential services;
(b) significant degradation of the national security, national defence, or intelligence capabilities of the United Kingdom; or
(c) severe, large-scale harm to human life;
“data centre operator” means a person who operates a data centre;
(3) As soon as reasonably practicable after, and in any event within seven days of, giving a direction under subsection (1), the Secretary of State must—
(a) lay a report before Parliament setting out the direction and the reasons for it; and
(b) take all reasonable steps to arrange for the report to be the subject of a debate in each House as soon as is reasonably practicable.
(4) Regulations relating to last-resort powers must establish requirements on data centre operators in relation to data centres used for the training, deployment or operation of AI systems, including relating to—
(a) the possession or installation of technical infrastructure necessary for compliance with last-resort powers;
(b) the provision of secure communication channels for use by the Secretary of State when utilising last-resort powers;
(c) the implementation of regular emergency exercises to ensure that a direction under this section can be received safely and implemented; and
(d) post-mortem processes to be followed before a data centre is allowed to resume operations after the use of last-resort powers, including—
(i) incident reporting; and
(ii) implementation of mitigation measures to prevent recurrence.
(5) A person commits an offence if they fail to comply with any requirement imposed by regulations made under subsection (4).
(6) Regulations relating to last-resort powers may—
(a) confer on the Secretary of State, or on a person designated by the Secretary of State, powers to act where they reasonably believe that an offence under subsection (5) is being, has been, or may be about to be committed;
(b) include, for the purposes of paragraph (a), powers to—
(i) close premises;
(ii) turn off systems or require that they be turned off;
(iii) take any other action necessary to control the risk arising from an AI security or operational emergency.
(7) Regulations must require that, where powers under subsection (6) are exercised, the Secretary of State must—
(a) give written notice of the action taken, and the reasons for the action taken, to the operator or provider as soon as reasonably practicable; and
(b) inform the operator or provider of their right to apply to the High Court for relief.
(8) The High Court may make any order it thinks fit on an application under subsection (7)(b), including—
(a) confirming, varying or cancelling the requirements;
(b) imposing additional requirements;
(c) ordering compensation.
(9) The Secretary of State must publish guidance on the use by licensing authorities, planning authorities and other public authorities of their statutory powers to facilitate compliance with regulations relating to this section.
(10) A public authority must have regard to guidance issued under subsection (9) when exercising any function to which the guidance relates.
(11) The Secretary of State must, within six months of the commencement of this section and subsequently at six-monthly intervals, prepare a report on the causes and potential causes of AI security or operational emergencies and lay a copy of the report before Parliament.
(12) The causes and potential causes of AI security or operational emergencies considered in any report under subsection (11) must include —
(a) adversarial uses of AI systems by state and non-state actors;
(b) the capabilities for cyber-attacks by autonomous AI systems; and
(c) the development of AI systems that can autonomously compromise national security, escape human oversight, and upend international stability, including systems described as “superintelligent AI”.”.
This new clause would enable the Secretary of State to be granted “last-resort powers” to ensure that the government can intervene in case of an emergency caused by AI used or deployed by a data centre which can cause large-scale harm.
New clause 13—Digital Sovereignty Strategy on risks posed by foreign interference and reliance on foreign technologies—
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a strategy (“a Digital Sovereignty Strategy”) which sets out the Government's approach to maintaining the security and resilience of relevant network and information systems by—
(a) assessing, managing and mitigating risks—
(i) associated with foreign interference,
(ii) arising from reliance on foreign-supplied technologies, and
(b) preventing over-reliance on foreign providers by building domestic capacity.
(2) For the purposes of this section, a “relevant network and information system” is a network and information system belonging to—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier, within the meaning of the NIS Regulations.
(3) A Digital Sovereignty Strategy published under this section must—
(a) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains, and
(iv) procurement processes;
(b) include a specific focus on security and resilience in government digital procurement processes, detailing how the Government intends to reduce strategic dependencies on foreign-owned service providers to mitigate the risk of systemic disruption;
(c) include a commitment to prioritise the use of technologies developed in the UK by UK organisations in relevant network and information systems to reduce reliance on foreign technologies, and
(d) where risks are identified under subsection (1)(a)(i), state how the Government intends to address these risks by supporting the use of domestic technologies or systems for the purpose of ensuring the security of those systems.”.
This new clause would require the Government to publish a Digital Sovereignty Strategy setting out how it intends to address risks to relevant network and information systems posed by foreign interference and reliance on foreign technologies, including by supporting the use of domestic technologies.
New clause 14—Register of foreign powers for the purposes of Part 4—
“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must by regulations, and within six months of the passing of this Act, establish and subsequently maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems.
(2) Foreign powers determined by the Secretary of State as eligible for inclusion on the register under subsection (1) must include states which have been confirmed by GCHQ as posing a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers, including where the relevant risk is posed by state affiliated groups.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In this section, “foreign power” means—
(a) the sovereign or other head of a foreign state in their public capacity;
(b) a foreign government, or part of a foreign government;
(c) an agency or authority of a foreign government, or of part of a foreign government;
(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or
(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—
(i) hold those posts as a result of, or in the course of, their membership of the party, or
(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”
This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.
New clause 15—Review of the cyber security risk posed by foreign powers—
“(1) The Secretary of State must, within 12 months of the passing of this Act and annually thereafter, review the extent and nature of the risk posed by relevant foreign powers to the network and information systems of operators of essential services and critical suppliers.
(2) A review under this section must identify whether any risk arises from—
(a) activities undertaken outside of the UK, or
(b) foreign owned or controlled infrastructure or locations within the UK.
(3) For the purposes of subsection (1), “relevant foreign powers” include states which have been confirmed by GCHQ as posing a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers, including where the relevant risk is posed by state departments, state agencies or affiliate groups.
(4) Within three months of each review under subsection (1), the Secretary of State must—
(a) lay before Parliament a report containing the findings and conclusions of the review; and
(b) where information is not included in a report on the grounds of being prejudicial to the UK’s national security, send such information to the Intelligence and Security Committee of Parliament.”
This new clause would require the Government to report on the risk to relevant network and information systems posed by specified foreign powers, considering whether such risks arise from extra-territorial activities and/or UK infrastructure or premises owned or controlled by foreign powers.
New clause 16—Digital Sovereignty Strategy (relevant network and information systems)—
“(1) The Secretary of State must prepare and maintain a Digital Sovereignty Strategy (“the Strategy”) in relation to relevant network and information systems.
(2) The Strategy must—
(a) set out the Government’s assessment of the risks to relevant network and information systems arising from or related to—
(i) dependence on hardware, software, or digital services that may be subject to foreign interference;
(ii) extra-territorial legal requirements that may be imposed on non-domiciled suppliers;
(iii) vulnerabilities, undue control, or supply-chain dependency on foreign states or entities;
(b) technological developments, market concentration, or strategic dependencies that may affect the security or resilience of relevant network and information systems;
(c) set out the Government’s approach to mitigating the risks identified under subsection (2); and
(d) include an assessment of—
(i) the role of open source software, open standards, and open architectures in strengthening the resilience, transparency, and security of relevant network and information systems;
(ii) the security and maintenance needs of open source software components used, or proposed to be used, in relevant network and information systems;
(iii) the skills, capabilities, and capacity of United Kingdom-based developers, maintainers, and technical experts required to support the use of open source components in relevant network and information systems;
(iv) options to increase the use of open source components and to diversify open source suppliers, reduce strategic dependencies, and enhance domestic capability in key technologies used in relevant network and information systems;
(v) options for international collaboration in the production of open source components used in relevant network and information systems;
(vi) any legislative, regulatory, procurement, or policy measures the Government considers necessary to support digital sovereignty through open source components and reduce systemic risk in relation to relevant network and information systems.
(3) The Secretary of State must publish the Strategy and any revisions to it, subject to the redaction of information the publication of which would be reasonably likely to prejudice national security.
(4) The Strategy must be reviewed at least once in every three-year period but may be updated whenever the Secretary of State considers that significant new risks have arisen.
(5) In this section—
“relevant network and information system” means a network and information system belonging to—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the Network and Information Systems Regulations 2018;
“digital sovereignty” means the ability of the United Kingdom to maintain secure, resilient, and reliable access to and control over the hardware, software, data, and digital services on which relevant network and information systems depend;
“open source” has the meaning given to it in the definition published by the Open Source Initiative.”
New clause 18—Review of the number of bodies providing cloud computing services—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the risks posed to relevant network and information systems by the number of different bodies providing or supplying cloud computing services.
(2) For the purposes of this section, “cloud computing services” has the meaning given in paragraph 1 of the NIS Regulations.”
This new clause would require the Government to review the risks posed to relevant network and information systems by the number of different bodies providing or supplying cloud computing services.
New clause 19—Review of risks posed by foreign state ownership or control of providers of cellular Internet of Things modules—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the risks posed to relevant network and information systems by foreign state ownership or control of providers of cellular Internet of Things modules.
(2) For the purposes of this section–
“cellular Internet of Things modules” means devices that communicate over public mobile networks for the purposes of enabling autonomous machine to machine communication;”.
This new clause would require the Government to review the risks posed to relevant network and information systems by providers of cellular Internet of Things modules owned or controlled by foreign states.
New clause 20—Specification of retail commerce as an essential activity—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify as an essential activity retail commerce carried out by companies with an annual turnover in excess of £12 billion.
(2) Regulations introduced under subsection (1) must designate appropriate regulatory authorities for this sector.”
This new clause would require the Secretary of State to designate retail commerce carried out by companies with an annual turnover in excess of £12 billion as an essential activity, bringing it within the scope of Part 3 of the Bill.
New clause 21—Food supply chain to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
“Food supply Food supply chain The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The food supply chain subsector
12 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) For the purposes of this paragraph—
(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture, or
(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;
(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
(a) any fish or other aquatic animal,
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism.
“plants” includes fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
‘(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”
This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.
Amendment 1, in clause 8, page 7, line 36, at end insert—
“(1A) In paragraph (1), after “risks” insert “, including risks arising from fraud,””.
This amendment would explicitly include fraud as one of the risks to the security of network and information systems that relevant digital service providers must identify and manage.
Amendment 28, in clause 10, page 9, line 33, at end insert—
“(2A) The measures taken by an RMSP under paragraph (1) must ensure that the number of customers to whom the RMSP provides services does not exceed the critical risk threshold.
(2B) In paragraph (2A), the “critical risk threshold” is the number of customers within a sector or subsector where an incident affecting the provision of services to those customers by the RMSP would result in disruption that is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom.
(2C) Paragraph (2D) applies where the number of customers to whom an RMSP provides services exceeds the critical risk threshold by virtue of contracts entered into before the coming into force of section 10 of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(2D) The RMSP must take steps to reduce the number of customers to below the critical risk threshold, including exercising any right to terminate a contract or vary the terms of a contract.”
This amendment would place a duty on relevant managed service providers (“RMSPs”) to ensure that they do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold, such that an incident affecting those services would be likely to result in significant disruption in the United Kingdom. This would prevent an RMSP managing the technology systems for a whole sector or subsector. Provision is also made for a situation where an RMSP is in breach of the critical risk threshold because of contracts entered into before the enactment of the Bill.
Government amendments 7 to 11.
Amendment 6, in clause 18, page 40, line 12, at end insert—
“(8A) Where the CSIRT receives notification of an incident under regulation 11, 11A, 12A or 14E which it considers to materially involve autonomous or adaptive systems based on machine learning, the CSIRT must share relevant technical information with the relevant body within 72 hours.
(8B) For the purposes of this regulation, a “relevant body” means the AI Security Institute or any successor or replacement body designated by the Secretary of State.”.
This amendment would require incident data relating to AI systems in critical national infrastructure to be sent to the body designated by the Government as responsible for AI safety and security.
Government amendments 12 to 14.
Amendment 3, in clause 18, page 41, line 15, at end insert—
“Exemption from disclosure: right to a fair trial
(1) Nothing in sub-paragraphs (1)(d) to (1)(f) of regulation 6, or regulation 6A, permits a NIS enforcement authority to share information with another NIS enforcement authority or with a person within paragraph (2) of regulation 6 if the Secretary of State determines that—
(a) the receiving jurisdiction is one in which the right to a fair trial cannot be guaranteed, or
(b) the disclosure could result in actions being taken that would be incompatible with the right to a fair trial.
(2) For the purposes of making a determination under paragraph (1) above, the Secretary of State must have regard to the opinion of—
(a) subject matter experts, and
(b) competent civil society groups.
(3) The Secretary of State must, within 12 months of the passing of the Cyber Security and Resilience (Network and Information Systems) Act 2026, publish and lay before Parliament an annual report detailing the determinations made under paragraph (1) above in the previous 12 months.”
This amendment would prevent the sharing of information with overseas authorities for the purpose of prosecuting crimes not committed in the UK if the Secretary of State determines that the receiving country is one in which the right to a fair trial cannot be guaranteed.
Government amendments 15 to 17.
Amendment 4, in clause 29, page 54, line 9, at end insert
“, including the risks arising from the use of embedded communications components manufactured outside the UK;”.
This amendment would make explicit that regulations could concern the risks arising from the use of embedded components within the systems (such as cellular internet of things modules).
Amendment 2, in clause 40, page 63, line 7, leave out “5” and insert “3”.
This amendment would increase the frequency of the reports that must be published under Clause 40, from every five years to every three years.
Amendment 5, in clause 43, page 66, line 18, at end insert—
“(i) a requirement relating to embedded communications components manufactured outside the UK.”
This amendment would provide an additional requirement that may be imposed on a regulated person, in relation to an embedded communications component manufactured outside the UK.
Government amendments 18 to 27.
#
As the director of the National Cyber Security Centre has said,
“Every organisation delivering the UK’s critical services…relies on uninterrupted digital operations. Disruptions to those operations isn’t simply an IT issue; it’s a…national resilience issue”.
The Liberal Democrats wholeheartedly support that point, and it is why we welcome the measures introduced by this Bill, which strengthen existing cyber protections to enhance national security. However, as the Liberal Democrats have made clear throughout the Bill’s stages so far, there are many missed opportunities to truly future-proof our country’s cyber-security to protect our democracy, economy and national security. I will speak to the Liberal Democrat amendments to the Bill, which we think would achieve that.
First, on the scope of the Bill, last year we saw the costliest cyber-incident in UK history. The financial damage caused by the attack on Jaguar Land Rover is estimated to have cost between £1.6 billion and £2.1 billion—a cost shared between JLR directly and its supply chain. In the public sector, cyber-attacks are causing eye-watering costs too—just look at Redcar’s cyber-attack, which cost them a staggering £10.4 million. Despite that, the Bill takes no consideration of the significant economic cost of such cyber-attacks, excluding retail and manufacturing industries as well as local government from the scope of the Bill.
New clauses 4 and 5 address a crucial gap. New clause 4 would bring the manufacturing of critical transport equipment and the retail of food and essential goods, where they form part of a large-scale distribution chain, within the scope of essential categories under the Bill. That means that companies such as Jaguar Land Rover would finally receive the protections that their strategic importance demands and protect their supply chains too. New clause 5 extends that same recognition to local authorities, whose digital infrastructure underpins the delivery of services that millions of people depend on.
The Government’s own industrial strategy recognises that sustainable and secure growth requires strong levels of cyber-resilience across the economy, but their own cyber Bill does not live up to this. If a cyber-attack brought JLR’s production lines to a halt or crippled the digital infrastructure of a council, the damage to our economy and people’s daily lives would be enormous.
Those are not the only issues within the scope of the Bill. Safeguarding our democratic processes must be treated as a national security priority, and here, too, the Bill falls short. At a time when foreign interference in our elections is not a hypothetical but a documented and growing threat, the Government have chosen not to act. New clauses 8 and 9 would begin to change that. New clause 8 would designate the administration of elections and voter registers as essential services within the meaning of the network and information systems regulations—a straightforward recognition that the machinery of our democracy is as critical as any power grid or hospital network.
New clause 9 would designate political parties as essential services for the purposes of cyber-security, extending meaningful protection to the organisations through which the British people exercise their democratic voice. I understand that the Bill is not a silver bullet for cyber-security, but these amendments make the modest, targeted and entirely reasonable ask that vehicle manufacturing, food retail supply chains, local authorities, our elections and our political parties are brought within scope.
In turning to online-generated fraud and scams, we can see the impact of a lack of action to secure online and cyber-spaces. Fraud makes up 44% of all UK crime, and online technologies—especially artificial intelligence—are supercharging that. According to reporting in The Times a few weeks ago, research by Lloyds bank found that Meta’s social media sites are a starting point for 76% of purchase scams in the UK, with the value of losses to UK customers estimated at around £66 million in the last year alone. Not only does the Government’s fraud strategy completely overlook the role of social media giants and big tech in the proliferation of online scams, but the Bill fails to address explicitly the risks that fraud and scams pose to critical infrastructure and organisations. That is especially striking when we consider that the Government’s official statistics on cyber-security breaches show that phishing attacks—scams—remain the most prevalent type of breach or attack by far in the UK.
Amendment 1 would change that. It would amend clause 8 to add “risks arising from fraud” explicitly to the list of security threats facing relevant digital services so that those threats can be identified and managed. That is also why the Liberal Democrats are calling for social media giants to be financially liable for scams originating on their platforms and for an online crime agency to tackle these issues and standardise AI labelling.
We must not forget that these threats do not fall solely on large institutions and critical infrastructure. Small and medium-sized enterprises are on the frontline of cyber-crime; they are disproportionately targeted and too often without the resources or expertise to defend themselves. Many of the businesses caught up in the supply chains of our critical industries and exposed to the fraud and cyber-risks that I have described are SMEs, yet there are no provisions in the Bill to help potentially under-resourced SMEs cope with the increasing threat of cyber-attacks. New clause 2 would require the establishment of dedicated cyber-security support services for those businesses. For the Liberal Democrats, backing British small businesses means ensuring that they are not left to face those threats alone.
The Liberal Democrats have also tabled a series of further measures that would make the legislation fit for purpose over the long term. A law is only as good as its enforcement, which is why we are pressing for board-level accountability for cyber-resilience under new clause 10, regular proportionate testing of systems under new clause 11 and more frequent Government reporting every three years—rather than every five years—under amendment 2.
Last week, at London Tech Week, as I was surrounded by experts across the industry, one thing became clear. We think that technology is moving quickly now, but with the growth and development of AI this is the slowest we will ever see change happen. That is why we need the framework to evolve, which means reviewing the security risks posed by foreign-linked critical suppliers, which new clause 3 would do, modernising the outdated Computer Misuse Act 1990, which new clause 6 would do, and assessing whether regulators have the resources they actually need to do their job, which new clause 7 would do. Those are not radical tasks; they are basic conditions for a cyber-security regime that works today and will continue to work in the future.
If there is one matter that cuts to the heart of what the Bill should be about, and asks the fundamental question about Britain’s place in a contested digital world, it is digital sovereignty. All the protections we have discussed for our industries, our democracy and our small businesses will mean little if we do not first answer who controls the digital infrastructure on which all of them depend, and question whether, at every level of the stack, we have critical control over that.
That is echoed loudly by the industry itself. A study by Civo, a UK sovereign cloud provider, found that 83% of IT decision makers in this country worry about the impact of geopolitical developments on their data sovereignty. When we look at the numbers, it is not hard to see why. About 55% of central Government organisations report that over 60% of their estate is on the cloud, and the vast majority of that is with just two providers, both of which are American.
We have handed the keys to significant parts of our national digital infrastructure to foreign corporations, subject to foreign laws and exposed to foreign decisions entirely outside our control. That includes our public services. The Liberal Democrats are alarmed at the NHS’s growing reliance on complex, opaque digital systems set up by Palantir. With Palantir’s background in security and surveillance, that marks a divergence from the traditional relationship between the NHS and firms with specialised medical knowledge. The procurement process for the federated data platform, which was awarded to Palantir in 2023, is worryingly opaque.
#
I recognise the importance of sovereignty, but there are real challenges. How can we deal with the prevalence of, for example, Taiwanese chips in our tech market?
#
I thank the hon. Member for his question. That is why we need a strategy—we need to be clear about the Government’s priorities. On procurement, we have heard from the National Audit Office that cost is often a priority, but at what cost? When the Government are looking for suppliers, what do we value? There must be a strategy for that, and we need to have that conversation so that the direction is clear, whether on hardware or software.
Working internationally is vital, but it is also important to be clear about what is important for us, especially in the tech stack. That is the thing: it is about our security and resilience as well as our economy, strengthening those developing technologies as well as using technology. It is also about working together internationally and knowing that we have the resilience to look after and trade our technology stack.
#
It is about our security, our cyber-security and our resilience. Within a three-mile radius of Belfast, we have some of the best cyber-security resilience in the whole of the United Kingdom. It is about those 2,750 employees and the £258 million of direct gross value added. Does the hon. Lady recognise that powerhouses like Belfast must be fully integrated into our national cyber strategy? Will she put on the record that that is what we should be aiming for?
#
I thank the hon. Member for his intervention. I absolutely agree. Across the United Kingdom, including in Northern Ireland, there are incredible British tech firms. Many of them have said to me that their services are being procured by other Governments in Europe and around the world, yet they find their own British Government not using them or getting the value out of that British technology here by developing skills and jobs.
The Liberal Democrats welcome the Government’s hardware strategy, announced last week, which at least acknowledges the importance of British procurement, but acknowledgment is not a strategy. New clause 13, which I am pleased to say has drawn support from across the House, would make it one. In an increasingly unstable world, the case for British digital resilience, British technology and British sovereign capability has never been stronger. I therefore urge hon. Members to vote for the new clause.
Cyber-security is no longer a technical matter confined to server rooms and IT departments. It is a question of national resilience, economic strength and democratic integrity. The Bill before us takes important steps, but important steps are not enough in today’s digital age. With these amendments, we have the opportunity to close the gaps, broaden the protections and build a framework that is genuinely fit for the digital age.
#
I call the Chair of the Select Committee on Science, Innovation and Technology.
#
It is a pleasure to follow the hon. Member for Harpenden and Berkhamsted (Victoria Collins). I would like to start by making two relevant declarations of interest. I worked for the Office of Communications before entering Parliament and I am currently a fellow of the Institution of Engineering and Technology. Madam Deputy Speaker, you might have heard me mention on occasion that I was an engineer before coming into Parliament. As such, in 2010, I was desperate for issues around technology to come up in Parliament, as it was a subject I actually knew something about, but they rarely did. In the intervening 16 years, however, things have changed, and technology issues such as online safety, wi-fi on trains, sovereign technology and infowars are now raised regularly.
I welcome the increasing role of technology in all our constituents’ lives, but this must go hand in hand with rigorous cyber-security to protect against threats from state and non-state actors. As I highlighted in my speech on Second Reading, the UK’s only cross-cutting cyber-security legislation is currently that inherited from the European Union. The previous Conservative Government failed to update these regulations, leaving us working under an outdated framework. I therefore really welcome this Bill, which seeks to expand the scope of existing cyber-security regulations to new sectors, strengthen the role of regulators and grant the Government new powers to respond to the threats posed by cyber-security breaches.
We are only as secure as our weakest link, but I am afraid we still have a number of weak links left. Cyber-attacks are having a real financial impact on the UK and are happening at an increasing rate. According to the Institution of Engineering and Technology, cyber-attacks cost UK businesses an estimated £64 billion annually, with £37 billion in direct costs and £26 billion in indirect costs. Last year we also saw the well-documented cyber-attack that hit Marks & Spencer, leaving shoppers unable to buy online from the company for months. The company’s profits were almost wiped out, down from £390 million to £3 million for the first half of 2025. As a Sparks card holder myself, I was unable to use my card for six months and I fear I may have contributed to those figures.
This brings me to my first amendment, new clause 20, which seeks to designate retail businesses as an essential activity, bringing them within scope of part 3 of the Bill. Retail is the UK’s largest private sector employer. It holds large amounts of consumer data but often relies on dated IT systems. Yet, as I noted on Second Reading, the existing scope of the Bill would not have prevented or even had an impact on the attacks on Marks & Spencer or Jaguar Land Rover, despite the significant disruption they caused to our constituents and our economic activity. Indeed, in November, the Bank of England cited the cyber-attack on JLR as a factor in its decision to hold interest rates.
The Government’s plan to promote the new cyber governance code of practice to improve pre-operative preparedness in sectors such as retail is welcome, but voluntary measures alone will not deliver the consistent adoption of good cyber governance across economically significant sectors such as retail. According to the Government’s figures, only 9,680 Cyber Essentials Plus certificates were issued to small and medium-sized businesses between November 2023 and October 2024. There are an estimated 6 million small and medium-sized enterprises in the UK, so this is not going to address that challenge at the rate at which it needs to be addressed.
I welcome the Opposition amendments that would bring retail businesses within the Bill’s scope, but I am concerned that they might be too extensive in bringing small and medium-sized businesses into its remit and placing a disproportionate burden on them. The revenue threshold of £12 billion in my new clause 20 provides the necessary specificity to ensure that only large retail businesses, including Marks & Spencer and Jaguar Land Rover, would fall under the expanded Network and Information Systems Regulations 2018. This would lead to faster incident-reporting responses and customer notification, alongside stronger powers, including those to deal with non-compliance.
Turning to my new clause 18, we have already heard that the concentration of the UK’s public sector data within a small number of US-owned providers—Amazon Web Services and Microsoft Azure specifically—presents a structural risk to national resilience. Combined, AWS and Microsoft account for 70% to 80% of the public cloud market, according to the Competition and Markets Authority. Part of the issue is that that figure is an estimate. I have put down a series of written parliamentary questions over the last seven years to find out just how dependent the Government are on AWS and Microsoft. This data is not tracked across Government. Can the Minister say how he intends to assess a threat that the Government are not measuring?
As set out in my Committee’s report entitled “Rewiring the state: Delivering digital government”, our national resilience is put at risk by the strategic lock-in that these companies have in many of our public services and Administrations. Major Departments, including His Majesty’s Revenue and Customs and the NHS, are under multi-year agreements that further entrench these cloud infrastructures within the Whitehall ecosystem. Included in my Committee’s report was evidence we heard from the Open Cloud Coalition, who suggested that the Department for Science, Innovation and Technology should consider a period of over-correction, including the mandatory re-competition of high-risk or large-scale contracts, to break cycles of vendor lock-in.
The Government are rightly seeking to co-ordinate cloud contracting, but I believe that this should be done in a way that would ensure more, not less, competition. We would like to see the detail of how the all-of-Government cloud contract will prevent vendor lock-in, and I would like the Minister to outline his engagement with the CMA on the contract’s development. Not only does our reliance on these two cloud services raise practical issues—as seen with the AWS outage in October—but there are questions around data protection. Under the Clarifying Lawful Overseas Use of Data Act and the Patriot Act, the US Government can compel US companies, including AWS and Microsoft, to hand over data if held overseas—that is, in the UK.
I am aware that the Minister might reference our sovereign hosting capability, Crown Hosting, but it hosts only 4% of Government legacy services. Will he please outline how the Government intend to ensure protection so that the public sector makes better use of the services provided by Crown Hosting? Could he also set out how he will ensure that the Government’s digital transformation ambitions cannot be derailed at any time by decisions based on the narrow interests of a foreign, commercial or state actor? He might choose to argue that this is highly unlikely, but I would point him to the recent decision of the US Government to withdraw foreign nationals’ access to Anthropic’s Fable 5 model.
Finally, my new clause 19 calls on the Secretary of State to conduct a review into the risks posed by foreign state ownership or control of providers of cellular internet-of-things modules. I always like to mention that I was the first Member of Parliament to speak about the internet of things, in my debate back in 2011.
Having worked in technology as an engineer, the threat posed by cyber-attacks on the internet of things was very real to me from the start of my parliamentary career. Indeed, in 2017 I wrote an article highlighting the threat of cyber-attacks on sex toys, in a vain attempt to raise the profile of the issue.
#
The hon. Lady was very prescient then, and it has got worse since. There was lots of talk under the previous Administration about Downing Street cars being searched for IOTs. We know about the huge imports from bad actors, such as China and other countries—that is really what we should be worried about. Many of them contain kill switches, which would devastate some of our industry, such as energy. That would be a disaster. She is right to have raised the issue and to continue to raise it.
#
The right hon. Member does well to remind us that the impact of hostile action using CIMs, such as by turning on a kill switch, would be devastating across multiple sectors, including potentially the consumer sector, as well as security, automotive, transport and finance. That is why it is so important to consider this.
I particularly draw the Minister’s attention to the list provided by the US Federal Communications Commission—the equivalent of Ofcom—of equipment and services covered by section 2 of the Secure and Trusted Communications Networks Act. The list dictates what technology is legally permitted to be authorised for import and sale in the US, and many companies on the list are owned or controlled by the Chinese state. I thank the Minister in the other place for meeting me and my hon. Friend the Member for Dunfermline and Dollar (Graeme Downie), whose amendment I also support, and hearing our concerns about the supply of IOT devices. It was unfortunate that the Minister did not see the need for action, particularly given that the US has taken action against Chinese-made goods and that, during a trip of the British-American Parliamentary Group to the US just last week, we heard that further action is likely to be taken against cellular IOT modules specifically. That could mean UK products being banned from import into the US if they contain such CIMs.
We have seen a rapid growth of those devices across transport, as we have mentioned, as well as energy and, importantly, water and health. I am concerned about the ability of our domestic British businesses to export into the US given those restrictions, as well as the impact on our security. I would therefore be grateful if the Minister could set out whether he is looking into that concern.
As was eloquently emphasised in the personal statements made by the recently resigned Secretary of State for Defence, my right hon. Friend the Member for Rawmarsh and Conisbrough (John Healey), and Armed Forces Minister, my hon. Friend the Member for Birmingham Selly Oak (Al Carns), the first duty of Government is the security of their citizens. That is true when it comes to our armed forces and our defence in the real world, and it is also true when it comes to our security in the virtual world. Those two overlap so much more than in the past.
I welcome the Bill, but I have real concerns about the need to bring retail businesses such as M&S within its scope, the concentration of the UK’s public sector data in a small number of US-owned providers, the implications for technology sovereignty that that raises, and the risks posed by foreign state ownership of providers of cellular internet-of-things modules. I hope that the Minister will address those concerns and deliver the cyber-security and resilience that our constituents deserve.
#
It is always a great honour to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who talks common sense most of the time she gets up, which may be one of the reasons why she is still on the Back Benches. If we listened more to those who know something about things, rather than talking as though we know things, and saying things that are invariably wrong, we in Parliament would obviously be better off.
The greatest threat we face is that bad actors out there are using this level of technology to get across to countries such as the UK. This is not a party political point, because both Governments have failed to face up to it to the degree that they should have—that is why this Bill is welcome, but it is not everything, as the hon. Lady says—but we think that we can treat the bad actors as though they were normal actors in a commercial sense. However, China is using slave labour to undercut markets and regularly puts IOTs into cars. It gets away with it because we think that we need China more than it needs us. That is the big problem. The hon. Lady is right to raise it, and I congratulate her for again making an excellent speech.
I will in due course beg to move my amendment on anti-refoulement, because although this is a good Bill, some bits are missing and others have been skated over. This is one area about which we will come, again and again, to regret that we had not done more. The issue is British citizens abroad ending up under the rule of Governments that do not believe in the concept of freedom before the law, in a fair trial as part of that process, or in habeas corpus, which is an English common law right that has gone around the world.
The amendment seeks to prohibit data sharing with jurisdictions that cannot guarantee a fair trial. It maintains the current legal approach, which generally restricts the sharing of sensitive information outside the EU. Currently, information sharing of a type enabled by proposed new regulation 6, which is in clause 18, is prohibited outside the EU. The proposed new regulation is therefore weaker than what is going on in the European Union. Sadly, it paves the way for such sharing, rather than restricting it.
The amendment therefore seeks to prohibit information sharing with places where the Secretary of State believes that a fair trial simply cannot be obtained. It would require the Secretary of State to consult civil society and human rights experts to identify jurisdictions—this would apply universally and not just to China, although China is a big player in this—where the right to a fair trial cannot be guaranteed, with all decisions subject to mandatory annual reports to Parliament. That is important: Parliament should be part of this and make decisions about whether it agrees with the Government.
Beijing is a good example. It has frequently used seemingly legitimate criminal complaints to target dissidents. Proposed new regulation 6, if unamended, therefore raises transnational repression risks rather than solving them. The amendment is necessary to close that loophole in the Bill, which currently fails to anticipate politically motivated requests from such totalitarian states. I often say that we should stop speaking about countries such as China, Russia, Iran and North Korea as authoritarian states. They are not authoritarian states; they are totalitarian states. Why do I say that? Because everything in those countries is owned and run by the state. Authoritarian states are often dictatorships, but they are not the same thing as totalitarian states. They are brutal and nasty, but totalitarianism is a complete system. This is about totalitarian states.
Proposed new regulation 6 is predicated upon helping other Governments obtain justice. The argument of my amendment 3 is that—quite apart from the transnational repression risks—justice as we understand it cannot be served in a country where essentially there is no rule of law, no right to a fair trial, and a judicial system that serves the party. As I often say, it is a matter of pride that perhaps the greatest gift this country has given to the world is the concept of freedom in the face of the law. That is the point I made earlier: habeas corpus came from English common law and dominates so much of the free world’s thinking. It was not until the 1970s that some countries in Europe actually practised habeas corpus, so it was not just the case that it was produced by Britain; it was also owned by many other countries. That is what is at risk here, and we should be the greatest defenders of that right to a fair trial anywhere in the world.
Let us take a few of these countries as examples for why amendment 3 is needed. Let us look at China. Requests were made by authoritarian states—totalitarian states in this case—regarding Interpol notices, as has been the recent pattern, and this happens a lot. The People’s Republic of China and other countries have a troubling recent history of very significant transnational repression, hounding dissidents in the UK and cloaking their political persecution in superficially legitimate criminal charges. The PRC is not alone in requesting information on political opponents in the UK, and it does it a lot. We can confidently speculate that China will make requests of the UK almost immediately should the Bill be passed.
Let me look at the single biggest case that confronts us in China at the moment: that of Jimmy Lai. He is a British citizen. I cannot tell you, Madam Deputy Speaker, how endlessly in debates, even under the previous Administration, we had to fight to get the Government to state that he is a British citizen, not a dual nationality citizen. He is a British citizen, is proud to be British, has been British all his life and has only ever owned a British passport—he has never been a Chinese citizen with a Chinese passport.
The special rapporteur on torture, Alice Jill Edwards, in her 2024 and 2025 reports, specifically flagged concerns that evidence obtained through torture is still widely admitted in Chinese courts. She also expressed concerns in late 2024 regarding the case of Jimmy Lai in Hong Kong, noting that evidence allegedly secured through torture in mainland China was and is being used in the trial. On 15 November 2024, the United Nations working group on arbitrary detention published its opinion that Jimmy Lai is “unlawfully and arbitrarily detained” and called for his immediate release. The proposed new regulation will not go far enough and therefore does not deal with this, and that is what my amendment 3 is all about.
On the risk of extradition to China from safe third countries, currently the UK does not have a bilateral extradition treaty with the People’s Republic of China, and it has suspended its bilateral extradition treaty with Hong Kong—something that many of us were calling out for at the time in 2020. In 2025, proposed changes to the Extradition Act 2003 would allow co-operation between UK and Hong Kong authorities on a
“case-by-case ad hoc basis”.
The trouble with that is that it begins to open the door. The risk of sharing NIS data is not confined to the physical removal of individuals; it also poses a profound threat to national security and the safety of the diaspora within the UK—how often have we heard about that?
These totalitarian states not only seek to extradite dissidents, they seek to silence them through transnational repression and to compromise the UK’s own digital resilience. Sharing NIS data with an adversarial jurisdiction is akin to providing a road map for a state-sponsored cyber-attack. For dissidents and human rights defenders living in the UK, NIS data can be used to demonise and de-anonymise their activity. This information is frequently used to identify and harass family members remaining in their home country, to conduct targeted phishing and surveillance against the individual’s private devices, and to coerce the individual into becoming an informant under the threat of criminal charges based on the shared technical data.
Let me deal with another case: that of Ryan Cornelius in the United Arab Emirates. Ryan Cornelius is a British citizen who has been arbitrarily detained in Dubai for 18 years, despite well-documented evidence of an unfair trial and inhuman treatment. Ryan’s detention has been found to be arbitrary by the UN working group on arbitrary detention. His case arose from a high-profile financial dispute involving loans connected to a major Dubai development project. Although he and his associates had reportedly complied with restructuring agreements with Dubai Islamic Bank, he was arrested without warning, transferred by plain-clothed officers to a police facility, where he was held incommunicado, denied access to a lawyer and subjected to aggressive interrogation. During this time, he was coerced into signing documents in Arabic—a language he does not understand—under the false premise that this would give him his release.
#
It is a pleasure to follow the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith). I concur with the points he made on Jimmy Lai and Jagtar Singh Johal and, more widely, about the internet of things. I think of Norway and Denmark, which suddenly realised that hundreds of buses they had imported from China had kill switches, meaning that their entire public transport networks could potentially have been disabled, just like that. That is the reality of these new technologies, and we need to face up to it and have our eyes wide open in the contracts and deals that we sign.
On Second Reading five months ago, I welcomed the Cyber Security and Resilience (Network and Information Systems) Bill, but even in the short time since then, the world has become an ever more dangerous place, and the cyber-threat has only intensified. I commend the Government on their hard work in the intervening period, and in my remarks today I want to focus on the cyber-threat landscape, my two amendments—new clause 21 and amendment 28—and the need for a national conversation on national security, which of course includes cyber-security.
Let me start with the cyber-threat landscape. The UK is the most cyber-attacked nation in Europe and the third most cyber-attacked nation globally, with three in four businesses having suffered a cyber-attack in the past year. My hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah) talked about the attacks on Jaguar Land Rover, Marks & Spencer, the Co-op and others. Having spoken with those businesses with the Joint Committee on the National Security Strategy and individually, I know of the scale of the impact that was felt within their operation and how affected they were by these attacks. It is unimaginable, even for the most seasoned business and industry leaders, to suddenly find themselves under such attack, and the repercussions for the economy have been very significant.
In April, the CEO of the National Cyber Security Centre, Richard Horne, laid out the scale of cyber-attacks: on average, the NCSC deals with around four nationally significant incidents a week—that is not the hundreds of incidents that are occurring every day, but the really serious, significant ones. The threat of cyber-attacks will only intensify. Continued state-backed cyber-attacks from Russia, China and Iran, either directly or via proxies, are being fuelled by technological advancements in AI and quantum computing, increasing the complexity and sheer volume of such attacks. The reality is that major cyber-attacks are no longer rare one-offs but an operational reality facing every business and organisation—public and private—across the UK, as they are globally. It is important that we secure our systems to make them more robust and deter such attacks, so that those who wish to do us harm will go after others. It is in this context that the Bill has been introduced, and it takes serious, robust steps to increase the resilience of the UK.
However, given the escalating threat picture, I continue to have concerns about the scope and breadth of the Bill. That is why I have tabled new clause 21 and amendment 28, which I hope the Minister will reconsider. New clause 21 would bring those in the food supply chain within the scope of the NIS regulations and regulate them as “operators of essential services”, while excluding smaller businesses, to avoid an unnecessary administrative burden. I understand that the Minister addressed this on Second Reading, explaining that essential services would only include those sectors
“the failure of whose network and information systems poses imminent threat to life to the British public.” —[Official Report, 6 January 2026; Vol. 778, c. 225.]
I would gently suggest that the collapse or disruption of the food supply chain would pose an imminent threat to life. I say that in an honest and not patronising way. Those of us who have had conversations behind the scenes about what happened during the pandemic, and Opposition Members who were far closer to that when in government, will realise that the health threat was one element, but the collapse of society—not just the economy, but society—with the potential for civil unrest and rioting, due to the lack of food and toilet rolls on shelves and so on, would have been the most urgent and pressing issue. It is worth noting that the European Union’s NIS2 directive does include food distribution in its regulation, so it is feasible and recognised internationally as important. The Bill does grant the Secretary of State powers to bring in new sectors. Could the Minister reassure me that the Department will give this due consideration today and in the future?
Secondly, amendment 28 would ensure that relevant managed service providers do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold within the same sector or subsector. The rationale behind this is simple: it is about building resilience and ensuring that if one RMSP fails or is breached, a whole sector is not hamstrung by it. I can envision a situation whereby one particular RMSP dominates a large category or small subsector that may be a crucial part of a supply chain, thereby crippling the whole chain. Indeed, my hon. Friend the Member for Newcastle upon Tyne Central and West cited the UK Government’s dependency on AWS and Microsoft as an example. Will the Minister please consider that?
Aside from my two amendments, it is clear that the Bill, in itself, is not the only answer to our cyber-resilience; multiple approaches are needed. Given that the Bill does not include large swathes of the economy or local government, it is even more important that we explain to businesses and the public the very real threats that we face. That brings me to my final point, which is on the need for a national conversation on national security. We can have the best crafted and tightest legislation and regulation, but unless we have a real cultural shift and acknowledgment of the cyber-threat and its impacts, from board level to entry-level positions, all of this will be wasted. I once again encourage the Department and the whole machinery of government to go further and faster in explaining the threat posed and the steps we can all take to boost resilience, because resilience starts with the mobile phone in our pocket, and cyber-security is only as strong as its weakest link.
The Joint Committee on the National Security Strategy, which I chair, has begun its inquiry into building national resilience through a national conversation. It is clear from the evidence we have heard from Taiwan, the Netherlands and other European nations I have spoken to that we need to explain the threat to people, build a stronger cultural sense of resilience and explain that we all have a role to play; it is not simply the state’s responsibility. I will update the House on our findings in due course, and I hope the Minister and the Government will find that useful when considering their plans for national resilience.
To conclude, this Bill is a substantial and serious step forward in protecting the UK from cyber-attacks. It makes us more resilient and strengthens our collective security, but there are areas where I encourage the Government to be more ambitious—namely, by bringing the food supply chain into the essential services classification, as Europe is doing; setting critical risk thresholds for RMSPs; and expanding the scope of the Bill to encompass more of the economy.
#
It is a pleasure to follow such esteemed colleagues. My only declaration before I start my speech is that I hold a degree in information systems from the University of Leeds.
I have been sat here for the last two hours looking at the memorial plaque for Jo Cox, 10 years after the horrific day that we lost Jo. I was a West Yorkshire candidate alongside Jo in the run-up to the 2015 election. It is to my huge detriment that I never got to serve with her here. Today is such a difficult day for so many colleagues. I know that Jo would have dearly liked to see many of the things that Labour is doing in government. It is incumbent on us to try to push forward all the things that Jo strived for, to make this place better, to make the country better and to make the world better.
Let me now turn to cyber-security. Data centres are warehouse-like facilities that house the information technology equipment upon which almost all digital activity relies. The UK Government say that they
“underpin almost all economic activity and innovation, including the development of AI and other technology, public service delivery”
and modern-day communications. Europe’s largest data centre market is Greater London, where most of the UK data centres are concentrated. There are four types of data centre, one being AI data centres, which are facilities specialised for the high-performance computing needs of AI development and AI models. Having data centres based in the UK allows our Government to regulate them, such as by requiring them to meet cyber-security standards and reduce their environmental impact, which is obviously very important.