Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Rob Newby (on the Energy sector) (CSRB01A)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Primary navigation
Home
Parliamentary business
MPs, Lords & offices
About Parliament
Get involved
Visiting
Education
House of Commons
House of Lords
What's on
Bills & legislation
Committees
Publications & records
Parliament TV
News
Topics
You are hereParliament home page
>
Parliamentary business
>
Publications and Records
>
Hansard
>
Commons Debates
>
Public Bill Committee Debates
>
Public Bill Committee
Session 2021-22
Cyber Security and Resilience (Network and Information Systems) Bill
Written evidence submitted by Rob Newby (CSRB01A)
Cyber Security and Resilience (Network and Information Systems) Bill
Energy sector
1. Introduction and basis of evidence
1.1 I submit this evidence based on senior operational experience engaging with cyber risk, resilience and incident response in complex, safety-critical environments, including the UK energy sector and its digital and operational supply chains.
1.2 My evidence is grounded in how cyber security operates in practice under real-time operational, safety and regulatory constraints, rather than solely from a policy or assurance perspective.
2. Relevance to the Committee’s inquiry
2.1 This submission addresses the Committee’s interest in the expansion of scope under the NIS regime, incident reporting obligations, regulator powers, supply chain accountability, and the resilience implications of systemic and cross-sector dependencies.
3. What the Bill gets right
3.1 The Bill correctly recognises that the original NIS framework no longer reflects modern digital and operational dependencies.
3.2 Expanding scope to include managed service providers, data centres and large load controllers is necessary and overdue.
3.3 The emphasis on resilience rather than narrow technical compliance is welcome, particularly given the convergence of cyber, physical and operational risk in energy systems.
4. Risk of unintended consequences
4.1 As currently framed, the Bill risks reinforcing compliance-driven behaviour rather than improving operational resilience.
4.2 Unless regulatory expectations are explicitly aligned with operational authority, time-critical decision making and cross-regulator coordination, compliance activity will increase without a corresponding improvement in system outcomes.
5. Energy-specific considerations
Operational time criticality
5.1 Energy systems operate continuously under physical and safety constraints that cannot be paused to meet cyber process requirements.
5.2 Incident reporting timelines and remediation expectations must explicitly allow operators to prioritise physical safety and system stability.
5.3 The Bill should be amended to recognise that immediate cyber reporting may not always be compatible with safe system operation.
Supply chain authority and accountability
5.4 Energy operators increasingly depend on third parties for OT monitoring, analytics, identity services and remote access.
5.5 While expanding regulatory scope to these suppliers is correct, the Bill does not sufficiently distinguish between accountability and authority.
5.6 The Bill should clarify how responsibility is apportioned where a regulated operator lacks contractual or practical authority to mandate supplier controls.
Secretary of State direction powers
5.7 Direction powers may be appropriate in national emergencies affecting energy security.
5.8 However, the Bill lacks explicit guardrails to prevent conflicting instructions across cyber, safety, market and energy regulators.
5.9 The Bill should require coordination duties and transparency thresholds when direction powers are exercised.
6. Cross-sector systemic risk
6.1 Energy resilience is now tightly coupled to sectors outside traditional energy regulation, including cloud services, identity providers and data centres.
6.2 These dependencies are shared with other regulated sectors, including retail.
6.3 A companion submission addressing the retail sector expands on these shared dependencies and the implications of concentration risk.
6.4 The Bill should explicitly enable regulators to identify and act on cross-sector systemic risk, not solely firm-level compliance.
7. Recommendations
7.1 The Bill should be amended to clarify accountability where regulated entities lack authority over suppliers.
7.2 Incident reporting obligations should explicitly recognise real-time safety and stability constraints.
7.3 Secretary of State direction powers should include coordination and transparency requirements.
7.4 Regulators should be empowered to assess and act on cross-sector concentration risk.
8. Closing
8.1 The energy sector already operates under high-assurance regimes.
8.2 This Bill can strengthen resilience if it aligns regulatory expectations with operational reality and decision rights.
8 January 2026
Prepared 3rd February 2026
Footer links
A-Z index
Glossary
Contact us
Freedom of Information
Jobs
Using this website
Copyright
Privacy notice
Cookie policy
Cookie Manager