Threads / Cyber Security and Resilience Bill / Cyber Security and Resilience (Network and Information Syst…
Bill Published 28 Jan 2026 Department for Science, Innovation and Technology ↗ View on Parliament

Cyber Security and Resilience (Network and Information Systems) Bill — Amendment Paper: Notices of Amendments as at 28 January 2026

Parliament bill publication: Amendment Paper. Commons.

▤ Verbatim text from source document

Committee StageWednesday 28 January 2026
Cyber Security and Resilience (Network and
Information Systems) Bill
(Amendment Paper)
This document lists all amendments tabled to the Cyber Security and Resilience (Network and Information
Systems) Bill. Any withdrawn amendments are listed at the end of the document. The amendments are
arranged in the order in which it is expected they will be decided.
★ New Amendments.
New Amendments: 1 to 10 and NC1
Kanishka Narayan
To move, That the Bill be considered in the following order, namely, Clauses 1 to 22, Schedule
1, Clause 23, Schedule 2, Clauses 24 to 61, new Clauses, new Schedules, remaining proceedings
on the Bill.
_10 Matt Western
Emily Thornberry
Sir Gavin Williamson
Mike Martin
★ . Clause 10, page 9, line 29, at end insert—
“(2A) The measures taken by an RMSP under paragraph (1) must ensure that the
number of customers to whom the RMSP provides services does not exceed
the critical risk threshold.
(2B) In paragraph (2A), the “critical risk threshold” is the number of customers
within a sector or subsector where an incident affecting the provision of services
to those customers by the RMSP would result in disruption that is likely to have
a significant impact on the economy or the day-to-day functioning of society
in the whole or any part of the United Kingdom.
(2C) Paragraph (2D) applies where the number of customers to whom an RMSP
provides services exceeds the critical risk threshold by virtue of contracts entered

into before the coming into force of section 10 of the Cyber Security and
Resilience (Network and Information Systems) Act 2026.
(2D) The RMSP must take steps to reduce the number of customers to below the
critical risk threshold, including exercising any right to terminate a contract or
vary the terms of a contract.”
Member's explanatory statement
This amendment would place a duty on relevant managed service providers (“RMSPs”) to ensure
that they do not provide services to manage the technology systems for a number of customers that
exceeds a critical risk threshold, such that an incident affecting those services would be likely to
result in significant disruption in the United Kingdom. This would prevent an RMSP managing the
technology systems for a whole sector or subsector. Provision is also made for a situation where an
RMSP is in breach of the critical risk threshold because of contracts entered into before the enactment
of the Bill.
_1 Iqbal Mohamed
★ . Clause 15, page 22, line 15, at end insert—
“(f) whether the incident involves failure modes not previously observed in the
relevant sector materially involving autonomous or adaptive systems based on
machine learning, including where the potential impact of such failure modes
was mitigated or prevented.”
_2 Iqbal Mohamed
★ . Clause 15, page 22, line 25, at end insert—
“(ea) where the incident was associated with one or more autonomous or adaptive
systems based on machine learning, details of those systems and their
involvement in the incident;”
_3 Iqbal Mohamed
★ . Clause 15, page 23, leave out lines 13 to 21 and insert—
“(3) For the purposes of this regulation, an incident is a “data centre incident” if—
(a) the incident has affected or is affecting the operation or security of the
network and information systems relied on to provide the data centre
service provided by the OES, and
(b) the impact of the incident in the United Kingdom or any part of it has
been, is or is likely to be significant having regard to the factors listed
in paragraph (3A).
(3A) The factors referred to in paragraph (3)(b) are—
(a) the extent of any disruption which has occurred, is occurring or is likely
to occur in relation to the provision of the essential service provided by
the OES;
COMMITTEE STAGE Wednesday 28 January 2026 2

(b) the number of users which have been affected, are being affected or
are likely to be affected;
(c) the duration of the incident;
(d) the geographical area which has been affected, is being affected or is
likely to be affected by the incident;
(e) whether the confidentiality, authenticity, integrity or availability of
data relating to users of the essential service has been, is being or is
likely to be compromised;
(f) whether the incident involves failure modes not previously observed in
the relevant sector materially involving autonomous or adaptive systems
based on machine learning, including where the potential impact of
such failure modes was mitigated or prevented.”
_4 Iqbal Mohamed
★ . Clause 15, page 23, line 32, at end insert—
“(ea) where the incident involved one or more autonomous or adaptive systems
based on machine learning, details of those systems and their involvement in
the incident;”
_5 Iqbal Mohamed
★ . Clause 15, page 26, line 37, at end insert—
“(h) whether the incident involves failure modes not previously observed in
the relevant sector materially involving autonomous or adaptive systems
based on machine learning, including where the potential impact of
such failure modes was mitigated or prevented.”
_6 Iqbal Mohamed
★ . Clause 15, page 27, line 7, at end insert—
“(ea) where the incident was associated with one or more autonomous or adaptive
systems based on machine learning, details of those systems and their
involvement in the incident;”
_7 Iqbal Mohamed
★ . Clause 15, page 30, line 8, at end insert—
“(fa) whether the incident involves failure modes not previously observed in the
relevant sector materially involving autonomous or adaptive systems based on
machine learning, including where the potential impact of such failure modes
was mitigated or prevented;”
3 COMMITTEE STAGE Wednesday 28 January 2026

_8 Iqbal Mohamed
★ . Clause 15, page 30, line 21, at end insert—
“(ea) where the incident was associated with one or more autonomous or adaptive
systems based on machine learning, details of those systems and their
involvement in the incident;”
_9 Iqbal Mohamed
★ . Clause 18, page 40, line 10, at end insert—
“(8A) Where the CSIRT receives notification of an incident under regulation 11, 11A,
12A, or 14E that materially involves autonomous or adaptive systems based
on machine learning, the CSIRT must share relevant technical information with
the relevant body within 72 hours.
(8B) For the purposes of this regulation, a “relevant body” means the AI Security
Institute or any successor or replacement body designated by the Secretary of
State.”
_NC1 Matt Western
Emily Thornberry
Sir Gavin Williamson
Mike Martin
★ . To move the following Clause—
“Food supply chain to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to digital infrastructure insert—
The Secretary of State for Environment,
Food and Rural Affairs (United
Kingdom)
Food supply chain “Food supply
(3) In Schedule 2 (essential services and threshold requirements), after paragraph
11 insert—
“The food supply chain subsector
(1) This paragraph describes the threshold requirements which apply to essential
services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the
threshold requirement is that the person is in the food supply chain and does
COMMITTEE STAGE Wednesday 28 January 2026 4

not qualify as small or a micro-entity (or is excluded) within the meaning of
Part 15 of the Companies Act 2006.
(3) For the purposes of this paragraph—
(a) a “food supply chain” is a supply chain for providing individuals with
items of food or drink for personal consumption, where the items consist
of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture,
or
(ii) anything taken, grown or otherwise produced in carrying on
fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an
intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or
aquaculture;
(b) “intermediary” means a person in the food supply chain between a
producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals,
for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
any fish or other aquatic animal, (a)
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism;
“plants” include fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to
act on its behalf in the United Kingdom), after paragraph 1(b) insert—
(c) provides an essential service of a kind referred to in paragraph 12 of
Schedule 2 (food supply chain sector) within the United Kingdom.”
Member's explanatory statement
This new clause would designate those in the food supply chain that rely on network and information
systems as “operators of essential services” within the meaning of the Network and Information
Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and
to provide notification regarding any incidents that have an impact on the food supply chain.
Order of the House
[6 January 2026]
That the following provisions shall apply to the Cyber Security and Resilience (Network
and Information Systems) Bill:
5 COMMITTEE STAGE Wednesday 28 January 2026

Committal
1. The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
2. Proceedings in the Public Bill Committee shall (so far as not previously concluded)
be brought to a conclusion on Thursday 5 March 2026.
3. The Public Bill Committee shall have leave to sit twice on the first day on which it
meets.
Consideration and Third Reading
4. Proceedings on Consideration shall (so far as not previously concluded) be brought
to a conclusion one hour before the moment of interruption on the day on which
those proceedings are commenced.
5. Proceedings on Third Reading shall (so far as not previously concluded) be brought
to a conclusion at the moment of interruption on that day.
6. Standing Order No. 83B (Programming committees) shall not apply to proceedings
on Consideration and Third Reading.
Other proceedings
7. Any other proceedings on the Bill may be programmed.
COMMITTEE STAGE Wednesday 28 January 2026 6