Cyber Security and Resilience (Network and Information Systems) Bill — Amendment Paper: Notices of Amendments as at 12 February 2026

Committee StageThursday 12 February 2026
Cyber Security and Resilience (Network and
Information Systems) Bill
(Amendment Paper)
This document lists all amendments tabled to the Cyber Security and Resilience (Network and Information
Systems) Bill. Any withdrawn amendments are listed at the end of the document. The amendments are
arranged in the order in which it is expected they will be decided.
_NC2 Dr Ben Spencer
Bradley Thomas
Alison Griffiths
. To move the following Clause—
“Register of foreign powers for the purposes of Part 4
(1) For the purposes of informing action taken under Part 4 of this Act, the
Secretary of State must, by regulations, establish and maintain a register of
foreign powers that the Secretary of State believes present a risk to the United
Kingdom’s critical network and information systems within six months of the
passing of this Act.
(2) Foreign powers designated by the Secretary of State under subsection (1) must
include states –
(a) which have been confirmed by GCHQ as having—
(i) perpetrated, or attempted to perpetrate, a cyber-attack in the
UK in the preceding seven years,
(ii) targeted, or intended to target, that attack at the network or
information systems of one or more operators of an essential
service or critical suppliers, or
(iii) carried out, or intended to carry out, that attack through a state
department, agency or affiliate group,
(b) which GCHQ has warned pose a risk to the security or resilience of the
network or information systems of one or more operators of an essential
service or critical suppliers.

(3) Regulations under this section are subject to the affirmative resolution
procedure.
(4) In this section, “foreign power" means–
(a) the sovereign or other head of a foreign state in their public capacity;
(b) a foreign government, or part of a foreign government;
(c) an agency or authority of a foreign government, or of part of a foreign
government;
(d) an authority responsible for administering the affairs of an area within
a foreign country or territory, or persons exercising the functions of
such an authority; or
(e) a political party which is a governing political party of a foreign
government. A political party is a governing political party of a foreign
government if persons holding political or official posts in the foreign
government or part of the foreign government—
(i) hold those posts as a result of, or in the course of, their
membership of the party, or
(ii) in exercising the functions of those posts, are subject to the
direction or control of, or significantly influenced by, the party.”
Member's explanatory statement
This new clause would require the Government to maintain a register of state actors posing a threat
to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of
the Act, which enable the giving of directions in the interests of national security.
_NC3 Dr Ben Spencer
Bradley Thomas
Alison Griffiths
. To move the following Clause—
“Register of foreign powers for the purposes of Part 4: review of nature of risk
(1) For each foreign power added to the register established under section [Register
of foreign powers for the purposes of Part 4], the Secretary of State must
review the extent and nature of the risk posed to the network and information
systems of operators of essential services and critical suppliers, including
whether the risk arises –
(a) from activities undertaken outside of the UK, or
(b) from foreign owned or controlled infrastructure or locations within the
UK.
(2) Within six months of the establishment of the register under section [Register
of foreign powers for the purposes of Part 4(1)], the Secretary of State must
lay before Parliament a report containing –
(a) the findings and conclusions of the review conducted under subsection
(1), and
(b) the Government’s plan for addressing the risks identified.
COMMITTEE STAGE Thursday 12 February 2026 2

(3) If the Secretary of State considers that laying a report, or any portion of a
report, under subsection (2) would be contrary to the interests of national
security, the Secretary of State must make a statement to Parliament confirming
that –
(a) a review has been conducted under subsection (1), and
(b) that the report, or a portion of the report, cannot be laid before
Parliament for reasons of national security.”
Member's explanatory statement
This new clause would require the Government to report on the risk to relevant network and
information systems posed by foreign powers appearing on the register established by NC2 considering
whether such risks arise from extra-territorial activities and infrastructure or premises owned or
controlled by foreign powers.
_NC4 Dr Ben Spencer
Bradley Thomas
Alison Griffiths
. To move the following Clause—
“Review of effect of information sharing and analysis centres
(1) The Secretary of State must, within six months of the passing of this Act,
conduct a review of the effect of information sharing and analysis centres on
the security and resilience of network and information systems in regulated
sectors.
(2) Following the conclusion of a review under subsection (1), the Secretary of
State must publish and lay before Parliament a report which –
(a) identifies advantages and challenges associated with the operation of
information sharing and analysis centres;
(b) identifies sectors in which the establishment of information sharing
and analysis centres is likely to be beneficial for the purposes of
increasing the security and resilience of systems; and
(c) where the establishment of further information sharing and analysis
centres is likely to be beneficial, sets out a plan for the establishment
of such centres.
(3) In this section –
“information sharing and analysis centres” means organisations –
(a) whose membership is primarily comprised of entities operating
within a regulated sector for the purposes of the NIS Regulations
and this Act,
(b) that are independent of the designated competent authority or
authorities for the relevant regulated sector, and
(c) whose aim is to increase cyber security among its membership
“regulated sectors” means sectors and subsectors under the regulatory
oversight of designated competent authorities as defined at section 3
and Schedule 1 of the NIS Regulations (as amended by this Act).”
3 COMMITTEE STAGE Thursday 12 February 2026

Member's explanatory statement
This new clause would require the Secretary of State to conduct a review of the effect of existing
information sharing and analysis centres, with a view to determining whether further such centres
should be established.
_NC5 Dr Ben Spencer
Bradley Thomas
Alison Griffiths
. To move the following Clause—
“Duty on Secretary of State to report on the meeting of existing
recommendations and implementation deadlines
(1) The Secretary of State must, at least once in every 12-month period, lay before
Parliament a report outlining the Government’s progress towards meeting –
(a) the recommendations made in the National Audit Office’s report on
Government Cyber Resilience of 29 January 2025, and
(b) the implementation milestones set out in the Government’s Cyber Action
Plan of 6 January 2026
so far as they relate to the security and resilience of network and information
systems.
(2) Any report under this section must, where a deadline or implementation date
has not been met in relation to the matters set out in subsection (1) above,
include –
(a) an explanation for the failure to meet the deadline or implementation
date;
(b) a revised deadline or implementation date and a plan for meeting the
new date.”
Member's explanatory statement
This new clause would require the Secretary of State to report annually on the Government’s progress
towards taking actions relating to the security and resilience of network and information systems
arising from the NAO’s January 2025 report on the Government’s cyber resilience and from the
Government’s Cyber Action Plan.
_NC6 Dr Ben Spencer
Bradley Thomas
Alison Griffiths
. To move the following Clause—
“Inclusion of ransomware attacks in the NIS Regulations
In regulation 1(2) (interpretation) of the NIS Regulations—
COMMITTEE STAGE Thursday 12 February 2026 4

(a) in the definition of “incident”, after “systems” insert “or a ransomware
attack which is targeted at the security of network and information
systems”;
(b) after the definition of “online search engine” insert—
“ransomware attack” means a cyber-attack involving a type of
malicious software that infects a victim's computer systems, can
prevent the victim from accessing systems or data, impairs the
use of systems or data or facilitate theft of data, and in relation
to which a ransom is demanded for access to be restored or for
data not to be published.”
Member's explanatory statement
This new clause would include ransomware attacks in the definition of “incident” in the NIS
Regulations.
_NC7 Dr Ben Spencer
Bradley Thomas
Alison Griffiths
. To move the following Clause—
“Impact of reporting requirements on relevant bodies
(1) The Secretary of State must, within 12 months of the passing of this Act, publish
and lay before Parliament—
(a) a review of the impact, on relevant bodies, of—
(i) the requirements relating to the notification of incidents in Parts
3 and 4 of the NIS Regulations (as amended by this Act); and
(ii) any additional incident notification requirements made by
regulations under this Act; and
(b) proposals for the creation of a single cyber incident reporting channel
for relevant bodies.
(2) A review under this section must consider –
(a) the costs of requirements on relevant bodies; and
(b) interactions with other incident reporting regimes.
(3) In this section, “relevant bodies” means operators of essential services, critical
suppliers or digital service providers, as defined by the NIS Regulations.”
Member's explanatory statement
This new clause would require the Secretary of State to review the impact of incident reporting
requirements on relevant bodies, and to set out proposals for a single incident reporting channel.
_NC8 David Chadwick
Freddie van Mierlo
Victoria Collins
5 COMMITTEE STAGE Thursday 12 February 2026

. To move the following Clause—
“Local authorities to be regulated as essential services
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to the energy sector, insert—
The Secretary of State for Housing,
Communities and Local Government”
Local Government “Local
Government
(3) In Schedule 2 (essential services and threshold requirements), after paragraph
10 insert—
“The Local Government Sector
11 — (1) This paragraph describes the threshold requirements which apply to specified
kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold
requirement is that the entity is a local authority responsible for the
maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold
requirement is that the entity is a local authority responsible for the
management of social care records.
(4) In this paragraph “local authority means” —
(a) in England, a county council, a district council, a London borough
council, the Common Council of the City of London or the Council of
the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local
Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the
Local Government Act (Northern Ireland) 1972.””
Member's explanatory statement
This new clause would bring local authorities within the scope of the NIS Regulations as operators
of essential services in relation to their functions managing electoral rolls and social care records.
This ensures that public sector bodies holding sensitive data such as electoral rolls and social care
records are subject to the same statutory protections as other critical infrastructure.
_NC9 David Chadwick
Freddie van Mierlo
Victoria Collins
COMMITTEE STAGE Thursday 12 February 2026 6

. To move the following Clause—
“Critical manufacturing and retail sectors
(1) The Secretary of State must, within six months of the passing of this Act,
introduce regulations under section 24(3) to specify the following as essential
activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution
chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory
authorities for these sectors.”
Member's explanatory statement
This new clause would require the Secretary of State to designate the manufacturing of critical
transport equipment and retail of food and essential goods (when part of a large-scale distribution
chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
_NC10 David Chadwick
Freddie van Mierlo
Victoria Collins
. To move the following Clause—
“Consultation on resourcing of regulatory authorities and regulated persons
(1) The Secretary of State must, within one year of the passing of this Act, carry
out a consultation with regulatory authorities and regulated persons for the
purpose of assessing—
(a) whether regulatory authorities and regulated persons have resources
and capabilities adequate to fulfil their requirements under this Act;
and
(b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the
assessment carried out under subsection (1).”
Member's explanatory statement
This new clause would require the Secretary of State to consult and report within one year on
whether regulatory authorities and regulated persons have sufficient resources and capabilities to
meet their statutory obligations, and whether additional government support is required.
_NC11 David Chadwick
Freddie van Mierlo
Victoria Collins
7 COMMITTEE STAGE Thursday 12 February 2026

. To move the following Clause—
“Electoral infrastructure to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to digital infrastructure insert—
The Electoral Commission” Electoral infrastructure “Elections
(3) In Schedule 2 (essential services and threshold requirements), after paragraph
10 insert—
“The electoral infrastructure subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified
kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance
of an electoral register in the United Kingdom, the threshold requirement is
that the service relies on network and information systems to—
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local
government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local
government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the
Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1)
of the Cyber Security and Resilience (Network and Information Systems)
Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the
United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in paragraph
11 of Schedule 2 (elections sector) within the United Kingdom.”
Member's explanatory statement
This new clause would designate the administration of elections and maintenance of voter registers
as an “essential service” within the meaning of the NIS Regulations.
_NC12 David Chadwick
Freddie van Mierlo
Victoria Collins
COMMITTEE STAGE Thursday 12 February 2026 8

. To move the following Clause—
“Political parties to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to digital infrastructure insert—
The Secretary of State for Housing,
Communities and Local Government”
Political parties “Government
(3) In Schedule 2 (essential services and threshold requirements), after paragraph
10 insert—
“The political parties subsector
11 — (1) This paragraph describes the threshold requirements which apply to
specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a
registered political party in the United Kingdom, the threshold
requirement is that the political party is represented by at least two
Members of the House of Commons
(3) In this paragraph—
“registered political party” means a party registered under Part 2
of the Political Parties, Elections and Referendums Act 2000.”””
Member's explanatory statement
This new clause would designate political parties as providing essential services for the purposes of
cyber security.
_NC13 Freddie van Mierlo
David Chadwick
Victoria Collins
. To move the following Clause—
“Statement on risks posed to systems by foreign interference
(1) The Secretary of State must, within 12 months of the passing of this Act, publish
a statement of the Government’s plans in relation to risks to the security and
resilience of network and information systems arising from foreign interference.
(2) Any statement under this section must—
(a) set out the Government’s intentions to assess, manage and mitigate
the risks posed, or which could potentially be posed, to the security and
resilience of network and information systems by foreign interference
in such systems;
(b) include risks associated with—
9 COMMITTEE STAGE Thursday 12 February 2026

(i) hardware,
(ii) software,
(iii) supply chains,
(iv) procurement processes, and
(v) the use of, or reliance on, foreign technologies or systems;
(c) include a specific focus on government digital procurement processes.
(d) where risks are identified under (2)(b)(v), state whether the Government
intends to address these risks by encouraging or supporting the use of
domestic technologies or systems.”
Member's explanatory statement
This new clause would require the Government to publish a statement of how it intends to address
and mitigate any risks to network and information systems posed by foreign interference.
_NC14 Freddie van Mierlo
David Chadwick
Victoria Collins
. To move the following Clause—
“Cyber security support service for SMEs
(1) The Secretary of State must, by regulations, make provision for the
establishment and operation of a cyber security support service for relevant
small and medium-sized enterprises (SMEs) for the purposes of improving the
security and resilience of their network and information systems.
(2) For the purposes of this section, a relevant SME is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
(3) A support service established under this section must provide—
(a) advice and technical assistance to SMEs following a cyber incident; and
(b) guidance on recovery and remediation.”
Member's explanatory statement
This new clause would require the Secretary of State to establish a cyber security support service for
relevant SMEs.
_NC15 Freddie van Mierlo
David Chadwick
Victoria Collins
COMMITTEE STAGE Thursday 12 February 2026 10

. To move the following Clause—
“Review of high-risk bodies
(1) The Secretary of State must, within six months of the passing of this Act, publish
and lay before Parliament a review of the national security risks posed to
relevant network and information systems by foreign state ownership or control
of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part,
by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access
to, or surveillance of, network and information systems in the United
Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national
security purposes) to mitigate such risks posed to the security and
resilience of essential activities.
(3) In this section—
“relevant body” means—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
“foreign state-owned enterprise” means a body corporate in which a
foreign state has a controlling interest;
“network and information systems” has the meaning given by section
24(1).”
Member's explanatory statement
This new clause would require the Government to review the security risks posed by critical suppliers
and essential service providers linked to foreign states and evaluate whether current powers are
sufficient to address these threats.
_NC16 David Chadwick
Victoria Collins
Freddie van Mierlo
. To move the following Clause—
“Board oversight of security and resilience of network and information systems
(1) Where a relevant body is governed by a board or equivalent management
body, that body must exercise oversight of arrangements relating to the security
and resilience of the body’s network and information systems.
(2) In exercising oversight, the management body must—
11 COMMITTEE STAGE Thursday 12 February 2026

(a) approve the approach taken by the body to the management of risks
to the security and resilience of the body’s network and information
systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate
measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to
comply with duties relating to the security and resilience of its network and
information systems.
(4) Members of the management body must undertake training designed to enable
them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.”
Member's explanatory statement
This new clause would require active board oversight of, and accountability for, security and resilience
measures, where a relevant body is governed by a board or similar body.
_NC17 David Chadwick
Victoria Collins
Freddie van Mierlo
. To move the following Clause—
“Requirement for regular testing of network and information systems
(1) A relevant body must undertake regular testing of the security and resilience
of the network and information systems on which it relies in the provision of
its services.
(2) Testing undertaken in accordance with this section must –
(a) be proportionate, having regard to the size, nature and risk profile of
the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks
identified by the body.
(3) A relevant body must document –
(a) the outcomes of testing undertaken in accordance with this section;
and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant
regulatory authority upon request.
COMMITTEE STAGE Thursday 12 February 2026 12

(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.”
Member's explanatory statement
This new clause would require bodies to carry out proportionate, periodic testing of the security
and resilience of their network and information systems and provide the results to regulatory bodies
upon request.
_NC18 Freddie van Mierlo
. To move the following Clause—
“Computer Misuse Act 1990: security and resilience of network and information
systems
(1) The Secretary of State must, within twelve months of the passing of this Act,
review whether amendments to the Computer Misuse Act 1990 may be
conducive to ensuring, maintaining or improving the security and resilience
of network and information systems used or relied upon in connection with
the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of
State must lay before Parliament a report which outlines–
(a) the potential amendments to the Computer Misuse Act 1990 which
were considered as part of the review;
(b) the review’s conclusions as to whether the potential amendments
considered could be beneficial in ensuring, maintaining or improving
the security and resilience of relevant network and information systems;
and
(c) the Government’s intentions to make amendments to the Computer
Misuse Act 1990 or act on any other recommendations of the review.”
Member's explanatory statement
This new clause would require the Secretary of State to review, within 12 months, whether amending
the Computer Misuse Act 1990 could improve the resilience of network and information systems,
and to report the government’s intentions to Parliament.
_NC19 Dr Ben Spencer
. To move the following Clause—
“Vulnerability research: review of the merits of a statutory defence
(1) The Secretary of State must, within twelve months of the passing of this Act,
review the extent to which an amendment to section 1 of the Computer Misuse
13 COMMITTEE STAGE Thursday 12 February 2026

Act, with the effect of introducing a statutory defence available to individuals
undertaking ethical vulnerability research, would improve the security of the
network and information systems of relevant bodies.
(2) A review under this section must consider whether a statutory defence would
enable relevant bodies to improve the resilience of their network and
information systems via enhanced vulnerability testing and research.
(3) For the purposes of this section—
(a) “ethical vulnerability research” means access, whether authorised or
otherwise, to computer material with the intention of identifying
vulnerabilities to cyber attacks, where—
(i) the research is aimed at enhancing the resilience of the network
and information system of a relevant body or relevant bodies,
and
(ii) the findings of the research are kept securely, shared only with
those responsible for the security or resilience of the network
and information system concerned, and shared solely for the
purpose of enhancing the security or resilience of the network
and information system concerned;
(b) “relevant bodies” means operators of essential services, critical suppliers,
digital service providers or managed service providers, as defined by
the NIS Regulations.”
Member's explanatory statement
This new clause would require the Government to review whether the resilience of relevant
organisations could be enhanced by introducing a statutory defence to s1 of the Computer Misuse
Act, so that a person could be deemed not guilty if they engage in vulnerability research in the
public interest.
Order of the House
[6 January 2026]
That the following provisions shall apply to the Cyber Security and Resilience (Network
and Information Systems) Bill:
Committal
1. The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
2. Proceedings in the Public Bill Committee shall (so far as not previously concluded)
be brought to a conclusion on Thursday 5 March 2026.
3. The Public Bill Committee shall have leave to sit twice on the first day on which it
meets.
COMMITTEE STAGE Thursday 12 February 2026 14

Consideration and Third Reading
4. Proceedings on Consideration shall (so far as not previously concluded) be brought
to a conclusion one hour before the moment of interruption on the day on which
those proceedings are commenced.
5. Proceedings on Third Reading shall (so far as not previously concluded) be brought
to a conclusion at the moment of interruption on that day.
6. Standing Order No. 83B (Programming committees) shall not apply to proceedings
on Consideration and Third Reading.
Other proceedings
7. Any other proceedings on the Bill may be programmed.
Order of the Committee
[3 February 2026]
That—
1. the Committee shall (in addition to its first meeting at 9.25 am on Tuesday 3
February) meet—
(a) at 2.00 pm on Tuesday 3 February;
(b) at 11.30 am and 2.00 pm on Thursday 5 February;
(c) at 9.25 am and 2.00 pm on Tuesday 10 February;
(d) at 9.25 am and 2.00 pm on Tuesday 24 February;
(e) at 11.30 am and 2.00 pm on Thursday 26 February;
(f) at 9.25 am and 2.00 pm on Tuesday 3 March;
(g) at 11.30 am and 2.00 pm on Thursday 5 March;
2. the Committee shall hear oral evidence on Tuesday 3 February in accordance with
the following Table:
Witness Time
Royal United Services Institute; DLA Piper Until no later than 10.00 am
techUK; Nine23; ISC2 Until no later than 10.40 am
Cisco; Darktrace; NCC Group; Amazon Until no later than 11.25 am
Information Commissioner's Office; OFCOM;
OFGEM
Until no later than 2.40 pm
Inter-Parliamentary Alliance on China Until no later than 3.00 pm
15 COMMITTEE STAGE Thursday 12 February 2026

Witness Time
Professor John Child, Professor of Criminal
Law, University of Birmingham
Until no later than 3.20 pm
National Police Chiefs’ Council Until no later than 3.40 pm
The Worshipful Company of Information
Technologists
Until no later than 4.00 pm
NHS Greater Glasgow and Clyde Until no later than 4.20 pm
Fortinet; Palo Alto Networks Until no later than 4.50 pm
Department for Science, Innovation and
Technology
Until no later than 5.10 pm
3. proceedings on consideration of the Bill in Committee shall be taken in the
following order: Clauses 1 to 22; Schedule 1; Clause 23; Schedule 2; Clauses 24 to
61; new Clauses; new Schedules; remaining proceedings on the Bill;
4. the proceedings shall (so far as not previously concluded) be brought to a conclusion
at 5.00 pm on Thursday 5 March.
COMMITTEE STAGE Thursday 12 February 2026 16