Bill. Published 5 Feb 2026. Department for Science, Innovation and Technology.

Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by BCS, The Chartered Institute for IT (CSRB21)

Parliament bill publication: Written evidence. Commons.


Cyber Security and Resilience (Network and Information Systems) Bill (5th February 2026)

Session 2021-22

Cyber Security and Resilience (Network and Information Systems) Bill

Written evidence submitted by BCS, The Chartered Institute for IT to the Cyber Security and Resilience (Network and Information Systems) Public Bill Committee (CSRB21)

About This Document

BCS, The Chartered Institute for IT is the professional body for IT, representing over 70,000 technologists including those working across cyber. BCS has produced this briefing in collaboration with BCS’ own Information Security Specialist Group (‘ISSG’), which includes leading experts from the field of Information and Cyber Security. The document aims to provide policymakers with a specialist view from the IT profession and with the questions BCS suggests should be asked at this stage of the Bill cycle. BCS advocates for professional registration and standards for all who are working in cyber.

Introduction

The government introduced the Cyber Security and Resilience Bill (CSRB) to Parliament for its first reading on 12 November 2025. The government says that the Bill will reform and add to the existing Network and Information Systems (NIS) Regulations 2018, increase defences against cyber-attacks and better protect critical services like energy, water, transport and healthcare. Medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS will be regulated for the first time.

The BCS View: Questions to Answer

• The Bill can go further than it stands in its current form: it focusses only on critical services. This does not reflect the reality that much more of the British economy and society relies almost entirely upon functioning IT systems and services. Malicious actors would therefore still be able to cause significant disruption and financial costs without having to target the critical services that this Bill seeks to increase protections on.

  ◦ We would encourage policymakers to set minimum standards of governance and board-level accountability for other sectors. We also support minimum standards for such wider reporting of cyber-security incidents which would then enable us to understand the true scale of cyber-related disruption (and be better-placed to share actionable information and to prioritise efforts to prevent them).

• BCS has campaigned for the inclusion of better reporting of incidents and near misses, so we welcome their inclusion in the Bill. We would further welcome more clarity around how this reporting would work in practice.

• The Bill focuses heavily on enterprise and large businesses providing direct services to those named critical services and does not fully acknowledge that these companies themselves are underpinned by the vast SME sector.

• It is positive that we have set a direction of travel for the MSP (Managed Service Provider) industry, and we hope that secondary legislation will provide clearer guidance and tighter rules for the 89% of MSPs not included in this Bill. BCS would encourage policymakers to use this opportunity to interrogate whether the exclusion of 89% of the MSPs is appropriate and what can be done to better protect the IT ecosystem.

We are concerned that the Information Commissioner's Office (ICO) may not have the additional resource and compulsion to investigate and enforce the measures in the Bill. A key question to ask would be how much additional resource the ICO will need and receive.

  ◦ The question of compliance is critical to the success of the CSRB due to the high number of incidents that occur due to non-compliance. The Cyber Assessment Framework (CAF) acknowledges this as an issue of particular note with senior leaders: "Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made."

The Bill does not fully address concentration risk: reliance on a small number of critical IT providers or data centres could leave wider sectors vulnerable, even if those critical services are protected.

A key question for policymakers to ask of this Bill is: which of the most serious recent incidents would have been prevented had this Bill been in place?

January 2026

Prepared 5th February 2026
