Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Rob Newby (on the Retail sector) (CSRB01B)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Primary navigation
Home
Parliamentary business
MPs, Lords & offices
About Parliament
Get involved
Visiting
Education
House of Commons
House of Lords
What's on
Bills & legislation
Committees
Publications & records
Parliament TV
News
Topics
You are hereParliament home page
>
Parliamentary business
>
Publications and Records
>
Hansard
>
Commons Debates
>
Public Bill Committee Debates
>
Public Bill Committee
Session 2021-22
Cyber Security and Resilience (Network and Information Systems) Bill
Written evidence submitted by Rob Newby (CSRB01B)
Cyber Security and Resilience (Network and Information Systems) Bill
Retail sector
1. Introduction and basis of evidence
1.1 I submit this evidence based on senior experience engaging with cyber resilience, operational risk and incident response in large-scale retail environments, alongside work across other regulated sectors.
1.2 This provides a system-level view of how cyber incidents propagate through shared infrastructure and supply chains.
2. Relevance to the Committee’s inquiry
2.1 This submission addresses scope expansion, incident reporting thresholds, supply chain accountability, regulator powers, and systemic risk arising from shared dependencies.
3. What the Bill gets right
3.1 The Bill correctly recognises that cyber risk is no longer confined to individual organisations.
3.2 Including managed service providers and critical suppliers within scope is essential to improving national resilience.
4. Risk of unintended consequences
4.1 Retail operates at high volume, high tempo and low margin.
4.2 Applying regulatory assumptions drawn from utility or safety-critical models without adaptation risks creating reporting noise rather than resilience.
5. Retail-specific considerations
Scale and materiality
5.1 Large retailers experience very high volumes of cyber events daily, the vast majority of which have no material customer or national impact.
5.2 Incident reporting thresholds must be explicitly materiality-based.
5.3 The Bill should require reporting aligned to customer harm and systemic risk, not event volume.
Concentration risk and shared dependencies
5.4 Retail resilience is dominated by concentration risk across payments, logistics, identity, cloud platforms and data centres.
5.5 A single provider failure can impact multiple retailers simultaneously.
5.6 Regulating individual retailers without addressing these shared dependencies will not materially improve national resilience.
Supply chain authority
5.7 Retailers often depend on managed service providers embedded deep within their technology stacks.
5.8 Retailers may carry regulatory accountability without equivalent authority to mandate supplier controls.
5.9 This encourages contractual risk transfer rather than genuine risk reduction.
Workforce and capability reality
5.10 Cyber capability varies significantly across the retail sector.
5.11 The Bill should encourage sector-level resilience mechanisms, shared services and regulator-facilitated coordination.
6. Cross-sector systemic risk
6.1 Retail shares critical dependencies with other regulated sectors, including energy.
6.2 A companion submission addressing the energy sector highlights how these shared dependencies create systemic risk.
6.3 The Bill should treat resilience as a system-level property, not a sector-by-sector compliance exercise.
7. Recommendations
7.1 The Bill should mandate materiality-based incident reporting aligned to customer and national impact.
7.2 Regulators should be enabled to identify and act on cross-sector concentration risk.
7.3 Accountability should be clarified where retailers lack authority over suppliers.
7.4 Sector-level resilience mechanisms should be encouraged alongside firm-level obligations.
8. Closing
8.1 Retail resilience depends on continuity, recovery and trust at scale.
8.2 The Bill will be most effective if it focuses on systemic risk and operational reality rather than compliance volume.
8 January 2026
Prepared 3rd February 2026
Footer links
A-Z index
Glossary
Contact us
Freedom of Information
Jobs
Using this website
Copyright
Privacy notice
Cookie policy
Cookie Manager