Committee Stage Insights on the Cyber Security and Resilience Bill
17 February 2026

The committee stage hearings on the Cyber Security and Resilience Bill brought together voices from across industry, regulators, public bodies and academia to scrutinise the government’s flagship cyber resilience legislation, which builds on the existing framework of the Network and Information Systems (NIS) Regulations.
Although there is broad consensus that the Cyber Security and Resilience Bill is a positive step towards strengthening resilience in some of the UK’s more vulnerable sectors, the committee stage hearings saw a number of critiques raised against the current version of the Bill.
There was notable tension between the Government’s push for regulatory agility in the face of systemic threats and industry demands for definitional clarity and legal certainty. The Bill substantially expands the NIS regulatory perimeter to encompass data centres, large load controllers and Managed Service Providers (MSPs), and introduces powers to designate critical suppliers on the basis of a cumulative five-step test.
One central issue is the government’s reliance on secondary legislation to define key thresholds. The government argues this is necessary to keep pace with threats such as AI, but critics fear it creates a disproportionate, costly and legally ambiguous compliance burden, especially for small and medium-sized enterprises (SMEs).
Other key takeaways from the committee stage include:
- Scope, Outcomes and Thresholds: Kanishka Narayan MP, Minister for AI, defended the Bill’s ‘outcomes’ focus as the right way to address frontier risks (AI and quantum) and pre-positioning threats. RUSI, however, argued that scope should shift from sectoral lists to ‘impact-based’ thresholds (for example, FTSE 350 companies), suggesting that the public/private divide is the wrong metric.
- Uncertainty and SME Burden: The ICO stressed that it needs precise secondary legislation and clear definitions before it can issue generic advice. Parliamentarians, including Ben Spencer MP, warned that leaving too much detail to future regulations creates legal jeopardy and a disproportionate compliance burden on SMEs, risking a ‘chilling effect’ on the UK tech sector.
- Critical Supplier Designation Test and Vagueness: Kanishka Narayan MP described the designation mechanism as a cumulative five-step test intended to act as a safeguard. Ben Spencer MP argued that the definition nevertheless remains so vague that non-critical services could technically be designated, while Palo Alto Networks (PAN) argued the regime should be limited to suppliers of systemic importance across multiple sectors.
- Reporting: Logistical and Legal Barriers: Regulators (the ICO and Ofcom) and Parliamentarians (Alison Griffiths MP) argued strongly for a single, consolidated incident reporting portal, so that firms are not required to report the same event to multiple bodies under separate regimes (UK GDPR, NIS and others). Professor John Child also highlighted the Computer Misuse Act (CMA) as a barrier: because it criminalises unauthorised access even when carried out as legitimate security testing, it discourages professionals from documenting and reporting what they find.
- Governance, Culture and Regulatory Cost: Industry voices (Fortinet, PAN and the Worshipful Company of Information Technologists) unanimously argued that cyber must be treated as a board-level business risk. Separately, Parliamentarians (Ben Spencer MP) criticised the Minister’s defence of the new power allowing regulators to charge fees, arguing that it could act as an ‘operational tax’ that diverts funds away from actual security improvements.
The Bill Committee will now consider the evidence presented to it and produce a report, scheduled for publication on 3 March, outlining recommendations and amendments to the Bill before its third reading in the House of Commons.
If you have any questions about the Cyber Security and Resilience Bill, committee stage scrutiny, or how this new legislation may affect your business, please get in touch at secretariat@cb-network.org.