Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Rob Wright, Chief Commercial Officer, Hexiosec, Ambassador for Software Security for DSIT (CSRB25)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (5th February 2026)
Session 2021-22
Cyber Security and Resilience (Network and Information Systems) Bill
Written evidence submitted by Rob Wright, Chief Commercial Officer, Hexiosec, Ambassador for Software Security for DSIT (CSRB25)
As a former Expert Adviser to DSIT on Cyber Resilience, I welcome the aims of the Cyber Security and Resilience (Network and Information Systems) Bill and strongly support its ambition to strengthen national resilience across essential sectors. The expansion of the NIS Regulations to include data centres, managed service providers, and other critical suppliers is both timely and necessary, reflecting the evolving threat landscape faced by UK organisations.
A crucial consideration is ensuring that these measures are genuinely effective for the organisations directly affected by the Bill and for their supply chain. This requires obtaining an external, adversarial view of an organisation’s information technology and benchmarking it against annual results from different sectors and countries. Without this insight, it will be difficult to determine whether the Bill is achieving its intended impact.
This approach provides that view of an organisation’s information technology as an attacker sees it. The National Cyber Security Centre recently advocated this methodology, though this came after the draft Bill was produced. It is my recommendation that the Bill require organisations to conduct such assessments on their own systems and on their key suppliers through the use of Attack Surface Management. This should also be carried out centrally to evaluate the overall effectiveness of the Bill, as it is one of the most effective ways to assess and reduce the likelihood and impact of cyber incidents.
From an economic perspective, embedding this requirement into the regulatory framework would support three key national objectives:
1. Reducing the cost of cyber incidents to the UK economy
Cyber breaches impose billions in direct and indirect costs, including business interruption, fraud, and loss of confidence. This approach reduces exposed digital assets before they can be exploited, lowering the frequency and severity of incidents across sectors.
2. Improving operational resilience for UK businesses
By giving organisations real-time knowledge of their digital exposure, particularly as supply chains grow more complex, it enables faster decision-making, improved risk management, and greater continuity of essential services.
3. Strengthening the UK’s position as a secure, competitive digital economy
Clear expectations around proactive security measures encourage innovation and investment in high-quality UK cyber capabilities. This strengthens domestic supply chains, supports high-value jobs, and enhances international confidence in the UK as a safe environment for digital trade and technology adoption.
I therefore encourage the Committee to consider Attack Surface Management for external assessment as a foundational control supporting the Bill’s objectives. As the UK continues to modernise its cyber regulatory environment, this provides a practical, scalable mechanism to deliver measurable resilience improvements across critical national sectors, ultimately benefiting the wider UK economy.
February 2026
Prepared 5th February 2026