Cyber Security and Resilience (Network and Information Systems) Bill — Amendment Paper: Notices of Amendments as at 25 March 2026

Report StageWednesday 25 March 2026
Cyber Security and Resilience (Network and
Information Systems) Bill, As Amended
(Amendment Paper)
This document lists all amendments tabled to the Cyber Security and Resilience (Network and Information
Systems) Bill. Any withdrawn amendments are listed at the end of the document. The amendments are
arranged in the order in which it is expected they will be decided.
★ New Amendments.
New Amendment: NC13
_NC2 Victoria Collins
Freddie van Mierlo
David Chadwick
Helen Maguire
. To move the following Clause—
“Cyber security support service for SMEs
(1) The Secretary of State must, by regulations, make provision for the
establishment and operation of a cyber security support service for relevant
small and medium-sized enterprises (SMEs) for the purposes of improving the
security and resilience of their network and information systems.
(2) For the purposes of this section, a relevant SME is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
(3) A support service established under this section must provide—
(a) advice and technical assistance to SMEs following a cyber incident; and
(b) guidance on recovery and remediation.”

Member's explanatory statement
This new clause would require the Secretary of State to establish a cyber security support service for
relevant SMEs.
_NC3 Victoria Collins
Freddie van Mierlo
David Chadwick
Helen Maguire
. To move the following Clause—
“Review of high-risk bodies
(1) The Secretary of State must, within six months of the passing of this Act, publish
and lay before Parliament a review of the national security risks posed to
relevant network and information systems by foreign state ownership or control
of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part,
by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access
to, or surveillance of, network and information systems in the United
Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national
security purposes) to mitigate such risks posed to the security and
resilience of essential activities.
(3) In this section—
“relevant body” means—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
“foreign state-owned enterprise” means a body corporate in which a
foreign state has a controlling interest;
“network and information systems” has the meaning given by section
24(1).”
Member's explanatory statement
This new clause would require the Government to review the security risks posed by critical suppliers
and essential service providers linked to foreign states and evaluate whether current powers are
sufficient to address these threats.
REPORT STAGE Wednesday 25 March 2026 2

_NC4 Victoria Collins
Freddie van Mierlo
David Chadwick
Helen Maguire
. To move the following Clause—
“Critical manufacturing and retail sectors
(1) The Secretary of State must, within six months of the passing of this Act,
introduce regulations under section 24(3) to specify the following as essential
activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution
chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory
authorities for these sectors.”
Member's explanatory statement
This new clause would require the Secretary of State to designate the manufacturing of critical
transport equipment and retail of food and essential goods (when part of a large-scale distribution
chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
_NC5 Victoria Collins
Freddie van Mierlo
David Chadwick
Helen Maguire
. To move the following Clause—
“Local authorities to be regulated as essential services
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to the energy sector, insert—
The Secretary of State for Housing,
Communities and Local Government”
Local Government “Local
Government
(3) In Schedule 2 (essential services and threshold requirements), after paragraph
11 insert—
“The Local Government Sector
12 — (1) This paragraph describes the threshold requirements which apply to specified
kinds of essential services in the local government subsector.
3 REPORT STAGE Wednesday 25 March 2026

(2) For the essential service of the maintenance of electoral registers, the threshold
requirement is that the entity is a local authority responsible for the
maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold
requirement is that the entity is a local authority responsible for the
management of social care records.
(4) In this paragraph “local authority means” —
(a) in England, a county council, a district council, a London borough
council, the Common Council of the City of London or the Council of
the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local
Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the
Local Government Act (Northern Ireland) 1972.””
Member's explanatory statement
This new clause would bring local authorities within the scope of the NIS Regulations as operators
of essential services in relation to their functions managing electoral rolls and social care records.
This ensures that public sector bodies holding sensitive data such as electoral rolls and social care
records are subject to the same statutory protections as other critical infrastructure.
_NC6 Victoria Collins
. To move the following Clause—
“Computer Misuse Act 1990: security and resilience of network and information
systems
(1) The Secretary of State must, within twelve months of the passing of this Act,
review whether amendments to the Computer Misuse Act 1990 may be
conducive to ensuring, maintaining or improving the security and resilience
of network and information systems used or relied upon in connection with
the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of
State must lay before Parliament a report which outlines–
(a) the potential amendments to the Computer Misuse Act 1990 which
were considered as part of the review;
(b) the review’s conclusions as to whether the potential amendments
considered could be beneficial in ensuring, maintaining or improving
the security and resilience of relevant network and information systems;
and
(c) the Government’s intentions to make amendments to the Computer
Misuse Act 1990 or act on any other recommendations of the review.”
REPORT STAGE Wednesday 25 March 2026 4

Member's explanatory statement
This new clause would require the Secretary of State to review, within 12 months, whether amending
the Computer Misuse Act 1990 could improve the resilience of network and information systems,
and to report the government’s intentions to Parliament.
_NC7 David Chadwick
Victoria Collins
Freddie van Mierlo
. To move the following Clause—
“Consultation on resourcing of regulatory authorities and regulated persons
(1) The Secretary of State must, within one year of the passing of this Act, carry
out a consultation with regulatory authorities and regulated persons for the
purpose of assessing—
(a) whether regulatory authorities and regulated persons have resources
and capabilities adequate to fulfil their requirements under this Act;
and
(b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the
assessment carried out under subsection (1)”
Member's explanatory statement
This new clause would require the Secretary of State to consult and report within one year on
whether regulatory authorities and regulated persons have sufficient resources and capabilities to
meet their statutory obligations, and whether additional government support is required.
_NC8 David Chadwick
Victoria Collins
Freddie van Mierlo
. To move the following Clause—
“Electoral infrastructure to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to digital infrastructure insert—
The Electoral Commission” Electoral infrastructure “Elections
5 REPORT STAGE Wednesday 25 March 2026

(3) In Schedule 2 (essential services and threshold requirements), after paragraph
11 insert—
“The electoral infrastructure subsector
12 — (1) This paragraph describes the threshold requirements which apply to
specified kinds of essential services in the electoral infrastructure
subsector.
(2) For the essential service of the administration of an election or the
maintenance of an electoral register in the United Kingdom, the
threshold requirement is that the service relies on network and
information systems to—
(a) maintain a register of electors containing more than 50,000
entries;
(b) issue, receive, or process postal ballots for a parliamentary or
local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or
local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve
in the Parliament of the United Kingdom;
“network and information system” has the meaning given by
section 24(1) of the Cyber Security and Resilience (Network and
Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf
in the United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in
paragraph 11 of Schedule 2 (elections sector) within the
United Kingdom.”””
Member's explanatory statement
This new clause would designate the administration of elections and maintenance of voter registers
as an “essential service” within the meaning of the NIS Regulations.
_NC9 David Chadwick
Victoria Collins
Freddie van Mierlo
. To move the following Clause—
“Political parties to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to digital infrastructure insert—
REPORT STAGE Wednesday 25 March 2026 6

The Secretary of State for Housing,
Communities and Local Government”
Political parties “Government
(3) In Schedule 2 (essential services and threshold requirements), after paragraph
11 insert—
“The political parties subsector
12 — (1) This paragraph describes the threshold requirements which apply to
specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a
registered political party in the United Kingdom, the threshold
requirement is that the political party is represented by at least two
Members of the House of Commons.
(3) In this paragraph—
“registered political party” means a party registered under Part 2
of the Political Parties, Elections and Referendums Act 2000.””
Member's explanatory statement
This new clause would designate political parties as providing essential services for the purposes of
cyber security.
_NC10 David Chadwick
Victoria Collins
Freddie van Mierlo
. To move the following Clause—
“Board oversight of security and resilience of network and information systems
(1) Where a relevant body is governed by a board or equivalent management
body, that body must exercise oversight of arrangements relating to the security
and resilience of the body’s network and information systems.
(2) In exercising oversight, the management body must—
(a) approve the approach taken by the body to the management of risks
to the security and resilience of the body’s network and information
systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate
measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to
comply with duties relating to the security and resilience of its network and
information systems.
(4) Members of the management body must undertake training designed to enable
them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is –
7 REPORT STAGE Wednesday 25 March 2026

(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.”
Member's explanatory statement
This new clause would require active board oversight of, and accountability for, security and resilience
measures, where a relevant body is governed by a board or similar body.
_NC11 David Chadwick
Victoria Collins
Freddie van Mierlo
. To move the following Clause—
“Requirement for regular testing of network and information systems
(1) A relevant body must undertake regular testing of the security and resilience
of the network and information systems on which it relies in the provision of
its services.
(2) Testing undertaken in accordance with this section must –
(a) be proportionate, having regard to the size, nature and risk profile of
the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks
identified by the body.
(3) A relevant body must document –
(a) the outcomes of testing undertaken in accordance with this section;
and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant
regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.”
Member's explanatory statement
This new clause would require bodies to carry out proportionate, periodic testing of the security
and resilience of their network and information systems and provide the results to regulatory bodies
upon request.
REPORT STAGE Wednesday 25 March 2026 8

_NC12 Alex Sobel
. To move the following Clause—
““Last-resort” powers in respect of data centres and AI models
(1) Regulations under section 29(1) may confer on the Secretary of State powers
(“last-resort powers”) to direct the shutdown of—
(a) data centres, or
(b) AI systems used or deployed by a data centre,
in the event of an AI security or operational emergency.
(2) For the purposes of this section—
“data centre” has the meaning given in paragraph 11 of the NIS
Regulations (as amended by this Act);
“AI system” means a machine-based system that, from the input it receives,
can infer how to—
(a) generate predictions, digital content, recommendations, decisions
or other similar outputs, or
(b) influence a physical or virtual environment,
with a view to achieving an explicit or implicit objective;
“used or deployed” means made available to—
(a) a substantial number of individuals within the United Kingdom;
or
(b) providers and operators of essential services;
“AI security or operational emergency” means a situation where the
Secretary of State has reasonable grounds to believe that—
(a) there is a security or operational compromise to one or more
relevant network and information systems,
(b) this compromise is caused, or contributed to, by the use or
operation of an AI system used or deployed by a data centre,
whether through autonomous or non-autonomous means; and
(c) this compromise poses a catastrophic risk;
“catastrophic risk” means a risk carrying a reasonable likelihood of causing
or contributing to—
(a) large-scale disruption to critical infrastructure or essential
services;
(b) significant degradation of the national security, national defence,
or intelligence capabilities of the United Kingdom; or
(c) severe, large-scale harm to human life;
“data centre operator” means a person who operates a data centre;
(3) As soon as reasonably practicable after, and in any event within seven days of,
giving a direction under subsection (1), the Secretary of State must—
(a) lay a report before Parliament setting out the direction and the reasons
for it; and
(b) take all reasonable steps to arrange for the report to be the subject of
a debate in each House as soon as is reasonably practicable.
9 REPORT STAGE Wednesday 25 March 2026

(4) Regulations relating to last-resort powers must establish requirements on data
centre operators in relation to data centres used for the training, deployment
or operation of AI systems, including relating to—
(a) the possession or installation of technical infrastructure necessary for
compliance with last-resort powers;
(b) the provision of secure communication channels for use by the Secretary
of State when utilising last-resort powers;
(c) the implementation of regular emergency exercises to ensure that a
direction under this section can be received safely and implemented;
and
(d) post-mortem processes to be followed before a data centre is allowed
to resume operations after the use of last-resort powers, including—
(i) incident reporting; and
(ii) implementation of mitigation measures to prevent recurrence.
(5) A person commits an offence if they fail to comply with any requirement
imposed by regulations made under subsection (4).
(6) Regulations relating to last-resort powers may—
(a) confer on the Secretary of State, or on a person designated by the
Secretary of State, powers to act where they reasonably believe that
an offence under subsection (5) is being, has been, or may be about to
be committed;
(b) include, for the purposes of paragraph (a), powers to—
(i) close premises;
(ii) turn off systems or require that they be turned off;
(iii) take any other action necessary to control the risk arising from
an AI security or operational emergency.
(7) Regulations must require that, where powers under subsection (6) are exercised,
the Secretary of State must—
(a) give written notice of the action taken, and the reasons for the action
taken, to the operator or provider as soon as reasonably practicable;
and
(b) inform the operator or provider of their right to apply to the High Court
for relief.
(8) The High Court may make any order it thinks fit on an application under
subsection (7)(b), including—
(a) confirming, varying or cancelling the requirements;
(b) imposing additional requirements;
(c) ordering compensation.
(9) The Secretary of State must publish guidance on the use by licensing authorities,
planning authorities and other public authorities of their statutory powers to
facilitate compliance with regulations relating to this section.
(10) A public authority must have regard to guidance issued under subsection (9)
when exercising any function to which the guidance relates.
REPORT STAGE Wednesday 25 March 2026 10

(11) The Secretary of State must, within six months of the commencement of this
section and subsequently at six-monthly intervals, prepare a report on the
causes and potential causes of AI security or operational emergencies and lay
a copy of the report before Parliament.
(12) The causes and potential causes of AI security or operational emergencies
considered in any report under subsection (11) must include —
(a) adversarial uses of AI systems by state and non-state actors;
(b) the capabilities for cyber-attacks by autonomous AI systems; and
(c) the development of AI systems that can autonomously compromise
national security, escape human oversight, and upend international
stability, including systems described as “superintelligent AI”.”
Member's explanatory statement
This new clause would enable the Secretary of State to be granted “last-resort powers” to ensure
that the government can intervene in case of an emergency caused by AI used or deployed by a data
centre which can cause large-scale harm.
_NC13 Victoria Collins
★ . To move the following Clause—
“Digital Sovereignty Strategy on risks posed by foreign interference and reliance
on foreign technologies
(1) The Secretary of State must, within 12 months of the passing of this Act, publish
a strategy (“a Digital Sovereignty Strategy”) which sets out the Government's
approach to maintaining the security and resilience of relevant network and
information systems by–
(a) assessing, managing and mitigating risks –
(i) associated with foreign interference,
(ii) arising from reliance on foreign-supplied technologies, and
(b) preventing over-reliance on foreign providers by building domestic
capacity.
(2) For the purposes of this section, a “relevant network and information system”
is a network and information system belonging to—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier, within the meaning of the NIS Regulations.
(3) A Digital Sovereignty Strategy published under this section must—
(a) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains, and
(iv) procurement processes;
11 REPORT STAGE Wednesday 25 March 2026

(b) include a specific focus on security and resilience in government digital
procurement processes, detailing how the Government intends to reduce
strategic dependencies on foreign-owned service providers to mitigate
the risk of systemic disruption;
(c) include a commitment to prioritise the use of technologies developed
in the UK by UK organisations in relevant network and information
systems to reduce reliance on foreign technologies, and
(d) where risks are identified under subsection (1)(a)(i), state how the
Government intends to address these risks by supporting the use of
domestic technologies or systems for the purpose of ensuring the
security of those systems.”
Member's explanatory statement
This new clause would require the Government to publish a Digital Sovereignty Strategy setting out
how it intends to address risks to relevant network and information systems posed by foreign
interference and reliance on foreign technologies, including by supporting the use of domestic
technologies.
_1 Victoria Collins
David Chadwick
Freddie van Mierlo
. Clause 8, page 7, line 36, at end insert—
“(1A) In paragraph (1), after “risks” insert “, including risks arising from fraud,””
Member's explanatory statement
This amendment would explicitly include fraud as one of the risks to the security of network and
information systems relevant digital service providers must identify and manage.
_2 Freddie van Mierlo
David Chadwick
Victoria Collins
. Clause 40, page 63, line 7, leave out “5” and insert “3”
Member's explanatory statement
This amendment would increase the frequency of the reports that must be published under Clause
40, from every five years to every three years.
Order of the House
[6 January 2026]
REPORT STAGE Wednesday 25 March 2026 12

That the following provisions shall apply to the Cyber Security and Resilience (Network
and Information Systems) Bill:
Committal
1. The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
2. Proceedings in the Public Bill Committee shall (so far as not previously concluded)
be brought to a conclusion on Thursday 5 March 2026.
3. The Public Bill Committee shall have leave to sit twice on the first day on which it
meets.
Consideration and Third Reading
4. Proceedings on Consideration shall (so far as not previously concluded) be brought
to a conclusion one hour before the moment of interruption on the day on which
those proceedings are commenced.
5. Proceedings on Third Reading shall (so far as not previously concluded) be brought
to a conclusion at the moment of interruption on that day.
6. Standing Order No. 83B (Programming committees) shall not apply to proceedings
on Consideration and Third Reading.
Other proceedings
7. Any other proceedings on the Bill may be programmed.
Withdrawn Amendments
The following amendments were withdrawn on 24 March 2026:
NC1
13 REPORT STAGE Wednesday 25 March 2026