Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Doctors Lam and Seifert (CSRB11)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Written evidence submitted by Doctors Lam and Seifert to the Cyber Security and Resilience (Network and Information Systems) Public Bill Committee (CSRB11)
Summary
1. This submission proposes four targeted amendments to the Cyber Security and Resilience (Network and Information Systems) Bill: (i) to require risk-management duties for regulated entities to take account of risks arising from data-sharing practices and third-party access, (ii) to expand, subject to appropriate consultation and impact assessment, the definition of regulated digital services to include advertising technology services, (iii) to introduce proportionate security safeguards for information shared between regulators and public authorities under Clause 18, and (iv) to ensure that guidance issued under Clause 19 addresses the secure handling of sensitive information exchanged in the course of regulatory compliance. These recommendations are motivated by our economic research showing that cybersecurity standards and data-sharing incentives interact in digital markets, and that regulatory design should account for these feedback effects in order to promote socially optimal levels of security and resilience.
Introduction
2. The increasing digitalisation of society makes the resilience of the networks and information systems underpinning essential day-to-day services more important than ever.
3. We are a team of academics specialising in the economics of cybersecurity and digital markets. Our work focuses on the optimal design of cybersecurity regulation. Regulation is needed when market incentives lead firms to implement security measures that do not adequately protect society. Determining whether market-generated cybersecurity incentives are sufficient therefore requires us to compare firms’ privately optimal choices with the benchmark of what would be socially optimal. A market failure arises when private incentives depart from this social optimum.
4. While market failures are frequently discussed in the cybersecurity context (UK Government, 2022; National Cyber Security Centre, 2024), the precise nature of these market failures has received more limited attention. Our research fills this gap by formally characterising market failures related to cybersecurity using game-theoretic methods and by shaping appropriate regulatory responses on that basis (Lam and Seifert, 2021, 2023a, 2023b, 2026).
5. This approach is important because the resolution of a market failure must be carefully designed, even when some aspects of that failure are well understood (for example, the tendency of firms to underinvest in cybersecurity in many markets; see Lam and Seifert, 2023a). This is especially true of cybersecurity market failures because data protection represents only one aspect of a firm’s wider business strategy in digital markets. Our research shows that regulation-induced changes to firms’ cybersecurity decisions can spill over to their data sharing and wider competitive behaviour (Lam and Seifert, 2023a, 2026).
6. For example, holding everything else fixed, raising the minimum security standard improves welfare by countering the tendency of firms to underinvest. However, our work shows that higher security standards can also have the unintended side effect of incentivising data sharing. Higher security standards can even lead to lower social welfare as a result of excessive data sharing that is induced by the standard itself (Lam and Seifert, 2023a, 2023c). This makes it particularly important for primary legislation to recognise that cybersecurity rules can reshape firm behaviour more broadly. Further policy-relevant examples drawn from this research are available at https://cybereconinsight.co.uk/.
7. The real-world impact of stricter cybersecurity standards and other regulations will of course be context-dependent. We believe that the principle that firms make interrelated decisions in digital markets can nonetheless be usefully integrated into this primary legislation to ensure it meets its objectives. We set out our recommendations below.
Recommendations
I. Explicitly recognise feedback effects between cybersecurity and data sharing incentives
8. Many entities within the scope of the Bill are involved in data sharing. This includes relevant digital service providers (RDSPs) such as online marketplaces, relevant managed service providers (RMSPs) that access and manage clients’ systems and data, and critical suppliers that form an integral part of the supply chain. It also includes some operators of essential services (OESs), for example energy supply companies that share sensitive data on consumers’ energy usage.
9. Our research shows that, in a context where firms can share data with each other, cybersecurity market failures should not be considered in isolation. Instead, cybersecurity and data sharing need to be considered jointly in order to ensure beneficial outcomes for society. Concretely, the cyber risks that the operator of an essential service or regulated person must protect against should be seen not only as fixed in nature, depending on the physical characteristics of the infrastructure or network in question (system security), but also as dependent on the extent to which the regulated entity shares data across that network (behavioural security). In this way, the Bill can be made robust to the behavioural (data-sharing) changes that its own provisions generate among firms.
10. As such, we propose to add a new paragraph to Clause 10, Part 4A, Regulation 14B(2) (governing RMSPs) as follows:

"(c) have regard to risks arising from the scale and nature of its data-sharing practices and third-party access to those network and information systems."
11. We propose similar adjustments to the corresponding risk-management provisions for RDSPs (Regulation 12 of the Network and Information Systems Regulations 2018, as amended by Clauses 7 and 8 of the Bill), for OESs (Regulation 10 of the Network and Information Systems Regulations 2018, as amended by Clauses 7 and 8 of the Bill), and to the security requirements applicable to designated critical suppliers (Regulation 14H, as inserted by Clause 12, and any regulations made under the regulation-making power in Clause 29).
12. We propose that Clause 36 (Code of practice) be modified, such that it explicitly addresses the assessment of risk (including effects related to data sharing):

"36( ) A code of practice issued under this section may, in particular, include guidance on matters relevant to the assessment of risk under these Regulations."
13. We propose that Clause 40 (Report on legislation) be modified, such that it explicitly addresses the impact of the legislation on patterns of data sharing and risk:

"(ba) assess whether, and to what extent, the operation of the legislation has affected patterns of data sharing and the distribution of cyber risk across regulated sectors;"
II. Expand the scope of the Bill to include the advertising technology (AdTech) sector
14. The AdTech sector is fundamental to the business model of online marketplaces and online search engines. Targeted advertising based on user data is core to the business models of these RDSPs. AdTech, such as real-time bidding infrastructure, is often embedded in these online platforms, creating operational dependencies that can affect the continuity and resilience of regulated digital services. These linkages generate service continuity risks for RDSPs stemming from AdTech systems.
15. These risks are not covered by the Bill unless AdTech firms are designated as critical suppliers. Given the close data linkages between AdTech and RDSPs, we propose that the AdTech sector itself should fall within the scope of the Bill. This puts the emphasis on data linkages rather than the contractual linkages underlying the designation of critical suppliers, which is appropriate in the context of network security.
16. To that end, we propose, subject to appropriate consultation and impact assessment, expanding the definition of regulated digital services under the Network and Information Systems Regulations 2018, as amended by Clauses 7 and 8 of the Bill, to include advertising technology services such as real-time bidding platforms, ad exchanges, and programmatic advertising infrastructure.
III. Ensure appropriate security safeguards for information sharing between regulators
17. The Bill introduces enhanced information-sharing provisions for data exchanges between regulators and other government bodies (Clause 18, Sharing and use of information). Much of the data falling within the scope of this increased regulatory data sharing is likely to be highly sensitive in nature. For example, details of an otherwise undisclosed cyber-attack can allow malicious actors to reverse engineer vulnerabilities that may be exploited in other regulated entities.
18. Notwithstanding the application of existing data protection and public sector security frameworks, we recommend that the Bill explicitly require security safeguards to be put in place as part of any data exchanges falling within Clause 18 that are commensurate with the associated cyber risk.
19. We propose adding a new subsection within Clause 18 as follows:

"18( ) A person or body to whom information is disclosed under this section must take appropriate and proportionate technical and organisational measures to secure that information, having regard to its sensitivity and the risks associated with unauthorised access, loss, or misuse."
20. In practical terms, the security obligation under Clause 18 could be supported through the establishment of trusted information-sharing channels (such as technical platforms or secure communication frameworks) that facilitate the secure exchange of sensitive information between regulators and public authorities.
IV. Address data sharing within regulatory guidance
21. Guidance issued under Clause 19 shapes how regulated entities implement their security and compliance obligations. We recommend that it address the secure and proportionate handling of sensitive information exchanged in the course of complying with these Regulations.
22. We propose that Clause 19(4A) be amended by inserting a new paragraph (e) as follows:

"(e) the secure and proportionate handling and transmission of sensitive information, including customer, operational, and usage data, where such information is exchanged as part of compliance with these Regulations or in connection with third-party access required for the implementation of security or compliance measures."
References
Lam, W.M.W. and Seifert, J. (2021) Regulatory interactions and the design of optimal cybersecurity policies: Final project report. ESRC Discribe Hub+. Available at: https://static1.squarespace.com/static/5f8ebbc01b92bb238509b354/t/618cf3a82f816f66d11dd4cc/1636627370520/Lam+Seifert+Final+Project+Report.pdf

Lam, W.M.W. and Seifert, J. (2023a) ‘Regulating data privacy and cybersecurity’, Journal of Industrial Economics, 71(1), pp. 143–175. Available at: https://doi.org/10.1111/joie.12316

Lam, W.M.W. and Seifert, J. (2023b) Secure hardware adoption in the open data context: Final project report. ESRC Discribe Hub+. Available at: https://static1.squarespace.com/static/5f8ebbc01b92bb238509b354/t/64f0a20cb55adc3c6fd66335/1693491738108/Final+Report+-+Lam+Seifert.pdf

Lam, W.M.W. and Seifert, J. (2023c) Harnessing market incentives to improve cybersecurity outcomes for firms and consumers. ESRC Discribe Hub+ Policy Briefing. Available at: https://static1.squarespace.com/static/5f8ebbc01b92bb238509b354/t/6584160b15550c0278d2a1d3/1703155215062/Cyber+Incentives+Briefing+Note.pdf

Lam, W.M.W. and Seifert, J. (2026) ‘Cybersecurity and data sharing under imperfect competition’, working paper.

National Cyber Security Centre (2024) Market incentives. NCSC Annual Review 2024, Chapter 03. Available at: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024/chapter-03/market-incentives

UK Government (2022) 2022 cyber security incentives and regulation review. Department for Science, Innovation and Technology & Department for Digital, Culture, Media & Sport. Available at: https://www.gov.uk/government/publications/2022-cyber-security-incentives-and-regulation-review
January 2026
Prepared 3rd February 2026