Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Shoosmiths LLP (CSRB27)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (5th February 2026)
Written evidence submitted by Shoosmiths LLP to the Cyber Security and Resilience (Network and Information Systems) Public Bill Committee (CSRB27)
Shoosmiths LLP is a UK law firm with considerable experience advising clients based in the UK, Europe and elsewhere on cyber resiliency issues, across many sectors.
We are responding to the call for evidence on the Cyber Security and Resilience (Network and Information Systems) Bill (the CSR Bill) as we can give practical guidance on the issues which are likely to be challenging for organisations within scope. We have advised businesses extensively on the effect of the current UK Network and Information Systems Regulations (NIS Regs) and on the EU's update of the common underlying NIS Directive through the Network and Information Systems 2 Directive (NIS 2) and related laws.
There are common challenges and we would be concerned to see avoidable mistakes replicated. We have identified priority areas which we respectfully ask you to consider as you undertake the Committee review process.
1. Where should digital sit?
There is an acknowledged tension between regulating digital infrastructure, which cuts across every sector, and sectoral regulation.
The EU has fully harmonised its rules for the digital sector because an integrated approach is needed. Experience from NIS 2 is that harmonisation should be supported and embedded into the CSR Bill as far as possible. From our experience advising on NIS 2 compliance programmes, we are already seeing divergence in sectors which are not subject to harmonised rules. Many organisations whose regulated activities fall within the harmonised digital category have made better progress in compliance, governance frameworks and cyber resilience than those in sectors outside the harmonised list.
Digital infrastructure is the most important sector to get right. The (future) Information Commission (IC) has no practical experience of regulating under the NIS Regs, and its light-touch enforcement approach attracts widespread criticism. It also has a complex data protection remit, including difficult aspects of AI regulation. There is a real prospect of conflicting regulatory aims.
In order for the IC to be a meaningful player in the UK's cyber regulatory apparatus there must, in our view, be a significant overhaul in set-up, approach and funding. We invite the Committee to look at organisations such as Ofcom, which have already had to grapple with the structural and financial challenges of creating an effective cyber investigations and enforcement arm. The IC is already receiving a significant budgetary increase to tackle its data protection remit. Given the additional funding and structural changes that would be required, we suggest that using institutions with existing expertise, such as the NCSC, would be a more cost-effective use of public money.
We therefore ask you to give serious consideration to whether the IC is the right regulator for RDSPs and RMSPs.
If it is, we strongly question whether it should be the sole digital regulator and/or whether the remit of the NCSC should change (see below).
2. The role of the NCSC
The UK NCSC is a world-renowned advisory body. It is designated as the UK's CSIRT and must be notified of cyber incidents through dual reporting to it and to the relevant sectoral regulator.
The NCSC has a proven track record delivering practical, recognised baselines, such as Cyber Essentials, as well as the Cyber Assessment Framework, which benefit from solid uptake across organisations. Alongside standards and guidance, the NCSC has credible and active experience supporting organisations’ security posture against real threats through services like Active Cyber Defence. Given its expertise we believe that the NCSC should be given greater investigatory and/or enforcement powers under the NIS Regs.
First, the NCSC should be given full investigatory powers to sit alongside those of sectoral regulators. Each sector regulator could draw on these as required, with the ability to refer matters to the NCSC where needed. These powers should include a power to decide where two or more regulators conflict (like the ENISA approach in the EU).
We also ask you to consider granting the NCSC standalone enforcement powers for use where a regulator does not have mature capability or resource, where there are conflicting aims, or where it is reasonable to take a multi-sectoral approach.
This would engender a harmonised approach, consistent standards, and a consistent enforcement regime.
The CSR Bill envisages joint regulators, for example for data centres (DSIT and Ofcom) so there can be no theoretical barrier to such a "hybrid" approach.
There is serious discrepancy between regulators in cyber understanding, regulatory approach, and resource: for example, Ofcom compared with Ofwat. On the other hand, in highly regulated sectors such as telecoms, companies have established channels of communication and a mature understanding of regulatory expectations. One of the suggested "hybrid" approaches would resolve both these issues.
This would also help address conflicting guidance, covered in Clause 19. We suggest specifying the NCSC’s role in encoding guidance and establishing clear precedence where there is conflict with sectoral guidance. Guidance should be written or at least approved by the NCSC, to avoid fragmented standards. The CSR Bill addresses this in part through a statement of strategic priorities, but we respectfully consider that this will cause confusion. The hybrid approach would avoid this.
We also suggest that NCSC codes of practice should become harmonised standards (as under NIS 2).
3. Designation of critical suppliers
We suggest taking an alternative approach to the designation and regulation of critical suppliers.
Cyber resiliency must be standardised and centralised to be achievable for the companies involved. It cannot be efficiently managed through regulatory co-ordination.
Under the proposed scheme, any regulator can designate a critical supplier and regulate its cybersecurity posture directly. The example given in "Designating critical suppliers" (GOV.UK), Synnovis in the health sector, is unusual, involving a very specialist supply chain. We believe that this has led to a skewed perspective. In most cases, suppliers will be serving many sectors. This is particularly true in digital sectors. It is unrealistic for suppliers to be subject to fragmented regulatory regimes, particularly where those regimes are led by non-specialist cyber regulators.
The "overlap" examples in the government press release above illustrate the complexity. These are already highly simplified scenarios. It is not realistic for suppliers to be regulated by many different regulators where they are supplying services based on similar (or the same) IT systems.
By way of analogy, this is like asking a supplier delivering service using electricity to be simultaneously regulated by a water, health or postal regulator in respect of the same electricity supply.
As proposed, the system would lead to numerous difficulties and anomalies. Just one example (illustrated in "Relevant managed service providers" (GOV.UK)): an MSP designated as a critical supplier apparently cannot also be designated in its own right. What if such a supplier is designated within one sector only? Who will decide what constitutes the "same" or a "different" service?
We propose the following:
For critical suppliers which are RDSPs or MSPs, or which supply at least one sector, provide for a direct designation rather than supplier status, with regulation managed by the NCSC, as explained above.
Where appropriate, an exception could be made for critical suppliers which are not RDSPs or MSPs and which supply a sole sector, where the sectoral regulator could be appointed with NCSC approval, again subject to NCSC oversight (if considered necessary to address a "Synnovis" situation).
4. Should the UK government be in scope?
In our view, the UK government should be in scope of the CSR Bill. Exempting it will cause a drop in standards and a loss of public trust.
The UK government may wish to learn from the experience of South Korea, which recently passed legislation bringing governmental bodies and agencies within its cyber resiliency regime following a disastrous data breach which affected over 30 million citizens. A voluntary approach (such as the recent GCAP) sends the wrong signals about how seriously HMG takes cyber resiliency.
Apart from the accountability principle, exemption will also lead to anomalies. Complex governance structures and partnerships will be difficult to separate from each other, especially where systems or suppliers are shared. The current government strategy in the healthcare and rail sectors, including nationalising rail franchises, risks fragmented governance. Another difficulty is organisations where the government has a quasi-private sector role, such as under the state aid rules.
In the long term it is better to delay rather than duck public sector accountability. The EU has adopted this approach in the EU AI Act, giving the public sector four more years to achieve compliance to recognise the importance and scale of legacy systems.
5. What about board accountability?
Alongside government accountability we believe there should be a clear mechanism to ensure board accountability. The difficulty of getting management buy-in to cyber resiliency is already acute.
We suggest an additional statutory requirement for boards to ensure they direct adequate resource to managing the cyber resiliency of the organisation by reference to published NCSC guidance.
This aligns with the mechanism for ensuring compliance with Modern Slavery legislation, under which the annual statement must be approved by the board and signed by a director.
This will help, not hinder, businesses by creating a level playing field. It will also incentivise cybersecurity investment, with wider benefits to the UK. Our country has a world-leading and growing managed services and cyber resiliency sector which will directly benefit.
6. Explicit protection for good faith notification
We advise providing protection for companies where they make "good faith" notifications. NIS 2 notifications are intended to be supportive not penal, and we strongly support this approach. The UK can go further (a Brexit dividend) with well-considered rules.
This could be achieved by exempting from future regulatory scrutiny any information given within the first 24 hours of an incident. Another approach is to specify that immediate response teams will not share information for future regulatory purposes.
This is extremely important. Legal teams spend a lot of time advising clients on whether to notify regulators. In the context of a critical cyber incident this wastes time and stops others from being protected.
Clause 18(2) of the CSR Bill will allow sharing of information with any CSIRT or SPOC equivalent overseas, not just the EU. This will be a serious concern to companies and a disincentive to report. It should be properly circumscribed.
The power introduced by Clause 18(3), which allows the IC to use information for its own purposes (including data protection or FOI Act regulation), is likely to deter meaningful sharing and have a chilling effect.
7. Extra-territorial effect
The CSR Bill should have a UK Representative framework from the outset, rather than as a future possibility via secondary legislation (Clause 30).
Non-UK RDSPs and RMSPs are the most important to bring within UK Representative requirements immediately, as they have little or no physical infrastructure in the UK, no clarity over ownership, and are critical to UK companies.
8. Cost recovery mechanisms
We welcome funding through an industry levy and agree that this should be linked to entity size. It should also be centralised, to avoid arbitrary disparities caused by differences in regulators' sectors, size and enforcement approach.
A possible route would be through a link to inherent risk, for example, by levying more from entities carrying more cyber risk.
A very efficient approach is certification led by the private sector. This would mean the NCSC encoding basic standards for a compliance and audit regime and setting an obligation to comply with the code. Private sector providers could be accredited as auditors. The UK has a mature and efficient compliance ecosystem: for example, controls such as multi-factor authentication (MFA) are already assessed through ISO 27001 certification.
9. Are the basic cybersecurity requirements strong enough?
Clause 30 of the CSR Bill states that regulations "may" impose requirements on "regulated persons" (OESs, RDSPs, RMSPs and critical suppliers). The Bill does not set out any specific cyber security requirements; Clause 29 states them only in general terms.
This vagueness risks the legislation achieving nothing. Past experience shows that it leads to diluted and unambitious targets (see for example the narrow requirements under the Product Security and Telecommunications Infrastructure Act 2022). NIS 2 sets baseline security measures in the Directive itself, which national transposing legislation must implement, and we believe this is the better approach.
In our view there should be at least a baseline compliance framework in primary legislation to enable planning by affected businesses and ensure alignment with existing standards and frameworks.
10. National security directions
Clause 44 is not clear enough for organisations as the term "requirement of a regulatory nature" may or may not include legal requirements.
It is doubtful whether the Secretary of State can override legal requirements (such as a duty to comply with data protection law) through such a mechanism, and without some form of judicial oversight. We also advise caution over Clause 53, which grants the government power to issue directions to regulators in the exercise of any cybersecurity function in the interests of national security. Recent experience from the US is that powers to direct regulators can be misused by an administration and easily result in overreach, remembering that future governments may have priorities which conflict with current norms. We therefore strongly suggest that guardrails, including judicial oversight, be embedded in the legislation now.
The same goes for Clause 56 (information sharing) and Clause 50 (enforcement of notification).
February 2026
Prepared 5th February 2026