Clause 24 - Key definitions in Part 3

Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 10:45 am on 10 February 2026.


Question proposed, That the clause stand part of the Bill.

Andrew Murrison Conservative, South West Wiltshire

With this it will be convenient to discuss the following:

New clause 1—Food supply chain to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Food supply

Food supply chain

The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The food supply chain subsector

11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.

(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.

(3) after paragraph 10 insert—

(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—

(i) anything grown or otherwise produced in carrying on agriculture, or

(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;

(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.

(4) In paragraph (3)(b)—

(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;

(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).

(5) In this paragraph—

“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;

“aquaculture” means the breeding, rearing, growing or cultivation of—

(a) any fish or other aquatic animal,

(b) seaweed or any other aquatic plant, or

(c) any other aquatic organism;

“plants” include fungi.

(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”

This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.

New clause 8—Local authorities to be regulated as essential services—

“(1) The NIS Regulations are amended as follows.

(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—

‘Local Government

Local Government

The Secretary of State for Housing, Communities and Local Government’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The Local Government Sector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.

(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.

(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.

(4) In this paragraph “local authority means”—

(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;

(b) in Wales, a county council or a county borough council;

(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;

(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”

This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.

New clause 9—Critical manufacturing and retail sectors—

“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—

(a) the manufacture of critical transport equipment;

(b) the industrial production and processing of food products; and

(c) the retail sale of food and essential goods via large-scale distribution chains.

(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”

This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.

New clause 11—Electoral infrastructure to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Elections

Electoral infrastructure

The Electoral Commission’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The electoral infrastructure subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.

(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—

(a) maintain a register of electors containing more than 50,000 entries;

(b) issue, receive, or process postal ballots for a parliamentary or local government election; or

(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.

(3) In this paragraph—

“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;

“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.

(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”

This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.

New clause 12—Political parties to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Government

Political parties

The Secretary of State for Housing, Communities and Local Government’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The political parties subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.

(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons

(3) In this paragraph—

“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”

This new clause would designate political parties as providing essential services for the purposes of cyber security.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology) 11:00, 10 February 2026

Clause 24 defines key terms for this part of the Bill, and in doing so introduces two delegated powers. Those powers enable the Government to bring new sectors into the scope of the NIS regime and to designate regulators to oversee them. The power will be used only in relation to activities that are truly essential to our society and economy—in other words, where disruption could pose risks to life or the economic stability of the UK.

The powers are essential in the rapidly changing world we occupy. As we have seen with data centres and managed service providers, our society and economy can quickly become reliant on new services that are acutely vulnerable to cyber-attacks and system outages. Our legislation must be able to keep up with those changes and protect the services that matter most to our country.

Alison Griffiths Conservative, Bognor Regis and Littlehampton

I want to use new clause 1 as a lens to view a wider question that sits underneath clause 24, rather than as a verdict on the clause itself. That question is how we decide, in a disciplined and credible way, which activities are sufficiently critical to be brought into the scope of the regime, and how that judgment is applied consistently over time.

New clause 1 would bring much of the food supply chain directly into scope through primary legislation. I understand the instinct behind that. Food supply is fundamental to public confidence, and disruption would be felt very quickly. However, if the underlying test for inclusion is systemic impact, food is not the only sector that raises these questions. I am vice-Chair of the Business and Trade Committee, and over the past year we have taken evidence on economic security from major UK firms that have experienced serious cyber-incidents. One example everyone here will be familiar with is Jaguar Land Rover. Evidence to our Committee indicated that the cyber-incident there contributed to UK GDP being around 0.1% lower than expected in the third quarter last year, which was not a marginal effect. That reflected disruption to tightly integrated manufacturing systems, with production lines brought to a halt and knock-on impacts across just-in-time supply chains and regional economies.

I make that point to underline something simple: cyber-risk presents simultaneously as operational, financial and reputational risk, and in combination those effects can be felt economy-wide. If that is the rationale for bringing food into scope early, it inevitably raises questions about other high-value sectors where a single incident can have national economic consequences.

That brings us back to clause 24 and the role of the Secretary of State. The Bill is clearly designed to allow scope for provisions to evolve through secondary legislation as risks change. That flexibility is sensible, but flexibility works only if the criteria for widening scope are clear, predictable and capable of being explained to industry, regulators and Parliament. If decisions appear to be reactive or driven by the most recent or most visible incident, confidence in the regime will suffer rather than strengthen.

That concern is reflected in the written evidence we have received. The Association of British Insurers, for example, supports higher standards of cyber-resilience, but it also emphasises the importance of clear definitions and coherence between regimes, particularly where firms are already subject to overlapping regulatory requirements. Its point is not about resisting regulation, but about avoiding uncertainty and duplication, which do not improve resilience.

My questions are ones of principle rather than position. First, what is the settled test that the Secretary of State will apply when deciding to bring a sector into scope under the clause 24 powers, and how will that judgment be made transparent to Parliament? Secondly, if Parliament were to require rapid expansion of scope, how confident are the Government that regulators would have the capacity to supervise a much larger and more diverse population without diluting oversight elsewhere?

I am not seeking to land a conclusion on new clause 1 today—I understand why it has been tabled and I recognise the seriousness of the issues that it highlights—but if we are going to widen scope, to food or otherwise, the Committee is entitled to press the Government on the discipline and guardrails that will sit behind those decisions. This needs to remain a targeted and credible regime, rather than one that expands without a clear and consistent logic.

David Chadwick Liberal Democrat Spokesperson (Wales)

New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.

When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to a halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.

We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.

Bradley Thomas Conservative, Bromsgrove

I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.

David Chadwick Liberal Democrat Spokesperson (Wales)

The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.

Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.

Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.

Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.

At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed. Its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.

Ben Spencer Shadow Minister (Science, Innovation and Technology)

Part 3 is a very important part of the Bill. It gives the Secretary of State a range of powers, including ones to bring additional sectors into the scope of regulation, to update the NIS regulations, to publish statements of strategic priorities for regulators and to publish codes of practice that set out cyber-security measures for entities to comply with their regulatory duties.

Clause 24 includes a power enabling the Secretary of State to specify new services that can be brought into the scope of the NIS regulations, and to designate additional regulatory authorities. Those powers are intended to allow the Secretary of State to identify additional critical sectors and respond to emerging threats quickly. That agility introduced by this measure has been broadly welcomed as appropriate, given the fast-evolving nature of malicious cyber-activity.

Given the extent of the Secretary of State’s new powers, however, it is important to put in place guardrails to ensure that the appropriate response to emerging threats is indeed further regulation, rather than market-led or insurance-based mitigations. Can the Minister provide any further information at this stage about the procedure that will be followed in deciding whether to expand the scope of regulation to ensure consistency and transparency?

Hon. Members have tabled several new clauses that would prompt the Secretary of State to use her duties under clause 24. I will speak to new clause 1, tabled by Matt Western, and new clause 9, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, together, as they have some thematic overlap. New clause 1 seeks to bring all entities, other than small businesses and microbusinesses, in the food production, distribution and retail supply chain into the scope of regulation as operators of essential services. New clause 9 also touches on the regulation of food supply chains. It would require the Secretary of State to designate retailers of “food and essential goods (when part of a large-scale distribution chain)” and manufacturers of “critical transport equipment” as providers of essential services to be brought into the scope of regulation.

Those new clauses reflect concerns about the cyber-attacks targeting the food retailers M&S and Co-op last year. New clause 9 reflects issues raised by the major attack on JLR, which caused such disruption and threatened the stability of regional jobs and supply chains. Those attacks caused significant public concern, but they would all remain out of scope after the Bill comes into effect.

As to the question of bringing food retailers into scope, the UK is fortunate to have a diverse and competitive supermarket and smaller food retail sector. Consumers in many areas of the country can find ready alternatives in the event of disruption to supply chains interrupting their ability to access their usual supermarket or grocer. As such, there is an argument about whether supply chain entities in the sector necessarily share the same criticality profile of other sectors regulated by the NIS regulations to warrant the regulatory burden on businesses of bringing them in scope. That is particularly so given the low threshold applied in new clause 1, under which only small and microbusinesses would escape regulation. That approach would place the costs and complexity of complying with regulation on any business exceeding 50 staff members. However, the Government should look more closely at the position of individual supply chain entities in very remote or underserved communities, where consumers have little or no choice.

As for the impact of expanding the sectoral scope of regulation in this way, we have already heard in oral evidence some of the challenges faced by regulators in ensuring they have sufficient, suitably skilled cyber-security professionals to ensure an effective approach to regulation. My understanding is that there is a limited pool of such expertise, and it should clearly be deployed to address risk in the most critical sectors and companies. In that regard, there may be a case for regulation in respect of the very largest out-of-scope companies.

The JLR attack highlighted the threat to the UK economy of gaps in the cyber-resilience of organisations that hold a critical place in the UK’s employment market, either directly or through employment provided by their supply chain entities. The Government justified their £1.5 billion bailout in the form of a loan guarantee based on protecting 34,000 directly employed staff and 120,00 supply chain jobs. The truth is that the Government can ill afford to remain in a position where they are forced to stump up similar guarantees to other out-of-scope companies that are deemed too big to fail in the event of future attacks of this type.

The risk is not receding; it is only intensifying, as we can see from the number and scale of attacks over the last year. That is why, in many ways, it is so surprising that the Bill does not address the biggest and most publicly visible cyber-attacks and incidents that we have seen. A solution needs to be found to mitigate the challenge to the UK economy. The first task is identifying companies that have the potential to cause disruption on the scale of JLR in the event of a serious cyber-attack. The Secretary of State should absolutely be reviewing that.

Then there is the question of the most effective response, whether that is regulation, or looking at what role cyber-security insurance can play in companies taking responsibility for the financial consequences of an attack and, critically, shielding the public finances from those consequences. The danger is that very large companies that are critical in our economy are de facto being insured by the Government in the context of serious cyber-attacks. Clearly, that cannot continue. Surely, that is something the Government have considered, so I would be grateful if the Minister confirmed his Department’s plans for addressing this pressing risk.

New clauses 8, 11 and 12, tabled in the name of the hon. Member for Brecon, Radnor and Cwm Tawe, seek to bring local authorities—in relation to their functions in managing electoral rolls and social care records—the Electoral Commission and political parties within the scope of regulation, as operators of essential services. I totally share the hon. Gentleman’s concerns about the threat to our institutions from foreign interference, which goes to the heart of our amendments relating to electoral infrastructure, which we will debate later. We know that attacks on the vital apparatus of our democracy are a focal point of malicious cyber-activity by hostile state actors. The National Cyber Security Centre confirmed that China state-affiliated actors were responsible for cyber-attacks on the UK Electoral Commission and Parliament in 2021 and 2022. In November last year, MI5 issued an alert to parliamentary staff on the risk of Chinese state espionage.

These institutions form the bedrock of a functioning democracy and the Government must urgently look at how they can better safeguard in a world where emerging technologies are being deployed by malicious actors to undermine the democratic process. NCSC stated in its 2025 report that

“The next UK General Election is expected to be the first to rely predominantly on cloud-based Electoral Management Systems”.

To prepare for that transition, the NCSC has said it is

“supporting the Ministry of Communities Housing and Local Government to ensure that security standards and resilience measures are future-proofed.”

Can the Minister update us on that work and his assessment of what further steps are needed to safeguard UK democracy in the face of that growing risk?

Ordered, That the debate be now adjourned.—(Taiwo Owatemi.)

Adjourned till this day at Two o’clock.
