Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the Cybersecurity Business Network (CSRB15)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Introduction
1. The Cybersecurity Business Network is an industry network representing cybersecurity organisations in the UK, advocating for and shaping cyber policy and regulation to encourage a more secure, resilient and prosperous economy and society. Our member-led network consists of organisations that provide services enabling greater security and resilience to the benefit of UK businesses, public bodies and individuals, enhancing their protection and ensuring national sovereignty.
2. This written evidence is submitted in relation to the Cyber Security and Resilience (Network and Information Systems) Bill (hereafter referred to as "the Bill") on behalf of the Cybersecurity Business Network. We are grateful for the opportunity to provide evidence to the Committee. This evidence submission has been informed through close engagement with our members and additional voices from across the cyber sector, from startups to established multinational providers. We are aware of the Government's stated intention to legislate further in this increasingly dynamic area over time, but believe the opportunity to go further now should be seized in the interests of the security of British businesses and UK Plc as a whole. It is important to address current, widespread public concerns about cyber security and resilience that currently fall outside the Bill's likely impact.
Executive Summary
3. In general, we welcome the overarching objectives of the Bill relating to strengthening the UK's cyber resilience through the expansion of the scope of the NIS Regulations, enhancing the powers of regulators to implement such regulations, and granting the Secretary of State the appropriate powers to update the regulations through secondary legislation.
4. However, we have concerns with the current trajectory and scope of the Bill. Our evidence focuses on areas where the Bill's objectives risk being undermined: the breadth and clarity of the Bill's scope; the lack of uniform standards and regulatory alignment; and the calibration of the Bill's reporting, transparency, and accountability requirements.
4.1. Scope: While we recognise the importance of bringing into scope key enablers of digital infrastructure, such as data centres, large load controllers, relevant managed service providers, and critical suppliers, there are concerns that the Bill's scope remains too narrow. As drafted, the Bill may not act as an adequate measure for preventing wide-reaching economic damage that may result from a serious cyber incident. The absence of key sectors of industry such as finance, retail and manufacturing may reduce the overall efficacy of the measures laid out in the Bill.
4.2. Resilience standards and accreditations: The Bill does not make reference to or mandate existing accreditations and best practice frameworks that organisations are already utilising, such as ISO 27001, or NCSC's Cyber Essentials/Cyber Essentials Plus schemes. The Bill may prove more effective by embedding these established standards into the legislation, ensuring best practice and simplifying compliance for regulators and organisations in scope.
4.3. Reporting: The Bill's reporting requirements do not sufficiently discriminate between better prepared organisations with readily available resources and smaller enterprises that may need more support with cyber security. These smaller entities may not have the same capacity to report at the same pace, especially if critical systems have been affected. Additionally, there is the risk that the reporting requirements may make the reporting process overly legalistic, as opposed to providing operationally useful incident reports.
5. Therefore, based on these concerns, we ask the Committee to consider the following recommendations:
5.1. Recommendation 1 - Modification of the Bill's scope: In order to address the absence of critical economic actors and supply-chain dependencies, the Bill's scope should be expanded to include larger sector areas whose operations can be considered as key to the day-to-day economy.
5.2. Recommendation 2 - Regulatory alignment and implementation of resilience standards: The Committee should consider the impact of the specific requirements of the Bill and how they could align more cohesively with pre-existing resilience standards, such as ISO 27001 or Cyber Essentials, which many organisations that fall within scope are already actively utilising. Additionally, the Bill should be considered within the wider context of pre-existing legislation to prevent regulatory duplication.
5.3. Recommendation 3 - Streamlining reporting requirements: Reporting requirements should be calibrated to an organisation's size and function, avoiding over-burdening smaller entities and ensuring incident reports remain accessible and not overly legalistic.
5.4. Recommendation 4 - Ensuring board-level accountability: Accountability for meeting resilience requirements and fulfilling reporting obligations should rest with the board, working closely with information technology (IT) and compliance teams.
Modification of scope
6. While we support the intention to bring key enablers of critical national infrastructure into scope, such as relevant managed service providers (MSPs) and large load controllers, there is the perception of a missing middle ground within the Bill. The Bill's current scope may leave certain entities outside scope that could pose a national-level risk if subject to a significant cyber incident.
7. We recommend that the Committee considers adopting a risk-based approach, with clear criteria (e.g. scale, data sensitivity, national significance) to determine which organisations fall into scope.
7.1. This should include services that manage large volumes of sensitive data, act as critical dependencies for companies within scope, or perform key functions for the UK's digital and physical economy on both a national and regional level (e.g. retail, manufacturing, financial services).
8. The Bill should provide clear guidance and support to in-scope organisations on the compliance and resilience risks that may arise when working with non-UK entities and organisations outside the Bill's scope (for example, US-based hyperscalers). This presents an opportunity for NCSC and regulators to work together to develop practical, up-to-date guidance to help organisations understand and manage cyber risks effectively across jurisdictions.
9. The Bill omits legal obligations and accountability for government departments and organisations within the public sector. While currently out of scope of the Bill, the resilience of the public sector may benefit from being held legally liable for potential compliance breaches. This would require a different approach to the private sector, given there is no comparable sectoral regulator. There is scope for the NCSC to potentially perform an appropriate oversight function.
Regulatory alignment and implementation of resilience standards
10. There are a number of existing resilience frameworks and accreditations for cyber security and resilience adopted by organisations across industries. These include:
10.1. ISO 27001 and related information security standards
10.2. NCSC Cyber Essentials and Cyber Essentials Plus
10.3. Sector-specific and international frameworks (e.g. IEC 62443, NIST CSF 2.0)
11. Many organisations, particularly larger MSPs and enterprises, are multinational organisations dealing with international regulatory regimes and already make use of existing frameworks as commercial tools that signal trust, allowing them to differentiate themselves and demonstrate standards within the market. However, the Bill does not reference any existing standards or frameworks.
12. By leveraging existing standards, the Bill could raise the baseline security and resilience of organisations within its scope, simplify the role of regulators by providing more objective benchmarks, and align regulatory expectations with market incentives.
13. This would create a legal presumption of conformity, where regulators must act to prove the non-compliance of organisations aligned with a recognised standard or accreditation. This would prevent a conflict of expectations, where regulators may interpret resilience requirements in different ways.
14. Additionally, there should be consideration of the impact of potential regulatory overlap with pre-existing regulatory frameworks to prevent duplication. For example, telecom operators deemed to be operators of essential services (OES) may be in scope of the Bill, in addition to the Telecommunications (Security) Act 2021. Where potential regulatory duplication exists, the implementation of a unified incident reporting mechanism or an extension of reporting deadlines could be considered.
Streamlining reporting requirements
15. The current reporting obligations operate under a 'one-size-fits-all' principle. However, imposing the same obligations on every organisation that is in scope or brought into scope risks over-burdening small-to-medium enterprises (SMEs) that may not have the same access to or availability of resources to make prompt reports, especially in the case of a critical system outage.
16. There is also the concern that overcomplicated reporting requirements could lead to overly legalistic reporting, drafted by lawyers rather than technical or operational staff, which may not capture the full scope or context of the incident. This may reduce transparency by discouraging early, candid incident disclosure in favour of defensive, minimised legal statements.
17. We call for a streamlined reporting process, calibrated to organisational size and function, ensuring that reporting requirements are proportionate and not punitive, and encourage the appropriate level of information sharing. This includes providing greater support from regulatory bodies for small-to-medium enterprises, especially where resources are unavailable and/or critical systems are down during the initial 24-72 hour incident reporting window.
18. Reporting should also be aligned across regulatory regimes, minimising duplication with existing sectoral obligations and creating a unified incident reporting mechanism, allowing organisations to make incident reports across multiple regulatory frameworks.
Ensuring board-level accountability
19. Cyber resilience has historically been considered an IT issue rather than a core element of enterprise risk management. Generally, the responsibility has been delegated to IT or compliance teams, and investment in cyber resilience infrastructure is often sporadic and not sustained.
20. We call for the Bill, and associated secondary legislation and guidance, to strengthen board-level accountability in a fair and proportionate manner. The Bill should mandate cyber resilience and reporting requirements as a board-level responsibility for organisations within scope, comparable to existing financial, legal, and safety responsibilities.
21. To ensure greater accountability, boards should nominate an individual representative who takes on the responsibility of assuring the cyber security and resilience measures of the organisation, as well as leading the response in the event of a cyber incident.
22. Ensuring that board executives are held accountable for cyber security incidents will contribute to the creation of a top-down culture of cyber resilience. This may encourage further investment in skills and training, and enshrine cyber resilience in core board-level decision-making.
January 2026
Prepared 3rd February 2026