Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by National Gas (CSRB20)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Cyber Security and Resilience (Network and Information Systems) Bill
Written evidence submitted by National Gas (CSRB20)
Overview
National Gas welcomes the Cyber Security and Resilience (Network and Information Systems) Bill, a crucial piece of legislation for bolstering the UK’s cyber defences and safeguarding critical national infrastructure (CNI).
With an increasingly complex cyber threat landscape to defend against, these updates to the 2018 Network and Information Security (NIS) Regulations are necessary to equip businesses - particularly operators of CNI and their full supply chains - in defending against attacks. Expanded and flexible ministerial powers are welcome, granting the Government the ability to act rapidly in response to changes in the level and nature of threats.
We look forward to seeing further details in secondary legislation and sectoral implementation, and urge the Government to ensure that interventions are proportionate, cost-effective for consumers, and protect the competitiveness of UK industry, while managing the very real risks posed to the UK’s cyber defences and CNI.
Incident Reporting
National Gas is broadly supportive of the incident reporting measures outlined in the Bill.
We welcome the fact that relevant managed service providers (RMSPs), relevant digital service providers, designated critical suppliers (DCSs), and data centres will have to notify their customers as well as the Competent Authorities in the case of an incident. This closes a critical visibility gap in multi-party incidents - particularly when a Managed Service Provider (MSP) or cloud provider is the initial point of compromise - and should lead to faster triage, containment, and restoration. This earlier, more detailed reporting from suppliers can allow faster action against incidents, isolation of inter-dependencies, and improved cross-sector coordination with increased information sharing.
This increased reporting and communication between regulators has the potential to improve the NCSC's ability to identify attack trends and systemic vulnerabilities, allowing greater situational awareness. We believe that this will likely improve future iterations of the CAF, directly improving the cyber resilience of entities such as National Gas.
The reduced reporting timelines, whilst welcome, will result in increased regulatory burdens on organisations in order to comply. Regulators should carefully consider any additional financial burdens as a result of the changes, and adjust funding mechanisms as necessary to provide additional resourcing for compliance.
We consider that learning lessons and making improvements to processes following cyber incidents is critical, and note this is echoed in the recently-released Government Cyber Action Plan. As suppliers, we are responsible for the cyber security and resilience of our own supply chain, and have a critical role to play in working with government to respond rapidly to cyber incidents. This includes good proactive information flow and co-ordinating closely with government. To ensure any necessary lessons are applied in response to future incidents, it is critical that government engages proactively with industry to gather the information needed to effectively respond in future.
Need for consistency
We are concerned about the extent to which regulators will collaborate to ensure effective and consistent enforcement. There is a need to provide clear guidance on terms - such as ‘significant impact’ - to ensure consistency across all regulated entities when incidents occur. We stress the need for consistency and joined-up thinking across all regulators to ensure collective resilience and consistent responses to incidents across different sectors.
National Gas welcomes alignment with EU NIS2, but reporting requirement timings will need to be calibrated to allow OESs to fulfil their obligations at the end of the chain, and reporting thresholds need to be aligned across competent authorities. For example, if an OES has to report within 24 hours, then the relevant MSP should report within 18 hours to allow sufficient time for its findings to be incorporated into the OES’s report. The increased compliance costs for a more rigorous reporting regime should also be considered in funding settlements.
New powers for the Secretary of State (SoS)
Dependence on government’s priorities
National Gas has some concern that granting the Government powers to amend NIS regulations through secondary legislation, as set out in the Bill, may lead to regulatory uncertainty as governmental priorities shift over time.
The DSIT Bill team has provided assurances that the power to direct OES entities would only be used where necessary for national security purposes, and where the impact of a direction is deemed to be proportionate. However, National Gas remains cautious about the application of such directions, given the lack of clarity on what the government would deem as an incident affecting national security. Further, the lack of a national security definition gives the government significant leeway to use this power at its own discretion.
The Government should also provide clarity on when the Secretary of State would be expected to intervene alongside the legislation; and specifically, the thresholds and criteria that would trigger intervention. We recommend that the Government identifies and uses an existing blueprint for intervention to help model the effects of any intervention in industry, such as the National Emergency Co-ordinator for gas transmission, and includes further clarity on the mechanisms to be used within the Bill.
Operational impacts
There are operational impacts from some of the proposed directions and powers given to the Secretary of State that the Government needs to consider: the way in which a direction to stop a service could create commercial risks, as well as political and time pressure creating incentives for hasty action. An example of this would be that if there is a direction to stop using a specific service or equipment, this could affect the functionality of OT (Operational Technology) / Supervisory Control and Data Acquisition (SCADA) environments, and create inadvertent operational, safety, and commercial risks if the direction is time-critical.
Despite the Government saying that any power of direction will follow a prior consultation with the impacted entity, it is unclear whether the government would be restrained in applying such a direction. Factors such as time pressure and political pressure could lead to this happening in a rushed and poorly thought-through way.
There is the potential for further problems to arise if a direction is given to a DCS or a RMSP. A prohibition or removal order could force rapid switch-out of a supplier, component, or managed service, leading to disruption to supply. This will be increasingly likely in the coming years, as the issue of high-risk vendors becomes more important.
There is also a risk for OES entities that some suppliers may struggle with the initial compliance costs, which could reduce their ability to provide ongoing, innovative, and reliable services. This could lead to fewer options in the market, essentially limiting vendor choice and creating new dependencies. Regulators should be careful to minimise costs within the updated resilience framework where possible.
Evidentiary threshold
National Gas would value having clarity on the evidentiary threshold the Secretary of State will use, and how proportionality will be assessed (economic impact, feasibility, and alternatives).
Enforcement & Penalties
Fees
The Bill as worded lacks information on the system of fees that regulators like Ofgem will levy under this new regime, leading to uncertainty on the impact on affected organisations. The Government should issue guidance to regulators that defines proportionate penalties that take into account risk profile and the commensurate impact on household bills, and provides greater specificity for what these might be, and this should be subject to public consultation.
January 2026
Prepared 3rd February 2026