“(1) The Secretary of State must, within six months of the passing of this Act, conduct a review of the effect of information sharing and analysis centres on the security and resilience of network and information systems in regulated sectors.

(2) Following the conclusion of a review under subsection (1), the Secretary of State must publish and lay before Parliament a report which –

(a) identifies advantages and challenges associated with the operation of information sharing and analysis centres;

(b) identifies sectors in which the establishment of information sharing and analysis centres is likely to be beneficial for the purposes of increasing the security and resilience of systems; and

(c) where the establishment of further information sharing and analysis centres is likely to be beneficial, sets out a plan for the establishment of such centres.

(3) In this section –

“information sharing and analysis centres” means organisations –

(a) whose membership is primarily comprised of entities operating within a regulated sector for the purposes of the NIS Regulations and this Act,

(b) that are independent of the designated competent authority or authorities for the relevant regulated sector, and

(c) whose aim is to increase cyber security among its membership.

“regulated sectors” means sectors and subsectors under the regulatory oversight of designated competent authorities as defined at section 3 and Schedule 1 of the NIS Regulations (as amended by this Act).”—

This new clause would require the Secretary of State to conduct a review of the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established.

Brought up, and read the First time.

I beg to move, That the Clause be read a Second time.

This new clause would require the Secretary of State to review the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established. The financial services industry has successful voluntary schemes—the Cyber Defence Alliance, and the Financial Services Information Sharing and Analysis Centre—which act as hubs for collaboration on all matters relating to the prevention, detection, mitigation and investigation of cyber-threats and criminality impacting members. These organisations provide an essential alerting and co-ordinating role for their members, including providing intelligence and technical support during ongoing incidents. They can assist in building partnerships contextualised to particular sector risks.

According to Richard Starnes of the Worshipful Company of Information Technologists, companies

“may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them.”

And he said that if the FS-ISAC were replicated

“on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 64, Q75-76.]

On the point about information sharing with a view to bolstering resilience, Marks and Spencer reported to me that it was surprised to have received more information from the FBI on the origin and impact of the cyber-attack that it suffered than it received from UK authorities. That should adequately demonstrate why sufficient data sharing is required to underpin our resilience and bolster our strength.

That information is concerning. I entirely agree with my hon. Friend that information sharing is important when dealing with evolving threats.

I am grateful to the Shadow Minister for giving way, if only to repeat what my hon. Friend the Member for Bromsgrove has just said. The Minister and the Government Whip were both on their phones, and I do not think they were fully concentrating on the fact that M&S has reported that it got more information about its information loss from the FBI than from our own agencies. I repeat that for the record so that the Minister has a chance to concentrate on that very important information.

I thank my hon. Friend for his Intervention, which is more for the Minister and the Government Whip’s benefit than mine.

Properly established ISACs will not only increase real-time awareness of cyber-risks and mitigations, but could also alleviate some of the burden on regulators in terms of sector-specific intelligence analysis. Industry feedback and experience from the adoption of the Network and Information Systems Regulations 2018 indicate that sectoral regulators are unlikely to have the capacity to assist with intelligence sharing in relation to real-time cyber-risks.

We know from the sectoral regulators’ oral evidence that building sufficient capacity for effective regulatory oversight is a challenge. Where we have models for sector-led and market-led good practice in hardening cyber-resilience, we should look at how it can be rolled out further. Seeing more of these organisations emerge could even lead to broader adoption beyond NIS-regulated areas to other industries. ISACs have the potential to become integral nodes in improving whole-of-society cyber-resilience, and it is an approach called for by many cyber industry stakeholders. I therefore commend new Clause 4.

I thank the Shadow Minister for this Amendment, which would require the Secretary of State to review how information sharing and analysis centres support the functioning of the NIS regime and what steps the Government can take to improve them.

I recognise the intent of this new Clause. These centres play a key role in promoting collaboration and co-ordination in the cyber-security space, allowing organisations to share information, intelligence and best practice. In fact, the UK already benefits from a range of such initiatives, many of which are facilitated by the National Cyber Security Centre. In its latest annual report, the NCSC noted that more than 200 companies now meet regularly in trust groups to exchange intelligence and best practice, and to support each other in incident response. NIS regulators also support organisations to share information with each other in sector-specific groups.

However, while I fully endorse the value of those initiatives, I do not believe it is the Government’s role to review how they operate or to mandate how or where they are established. Such centres are meant to be a forum in which organisations can voluntarily engage in the exchange of information. As such, they operate most effectively where the initiative for participation comes from the organisations themselves or from technical authorities such as the NCSC.

The Government are, of course, committed to ensuring that the information-sharing provisions within the Bill are effective, and that will be assessed through the formal review of the legislation already required under clause 40. I kindly ask the shadow Minister to withdraw the new clause.

In response to the Minister’s comments, Clause 40 is about a review; it does not provide any direction, other than for the Secretary of State to do their job in reviewing this area. I will press new clause 4 to a vote.

Question put, That the clause be read a Second time.

The Committee divided: Ayes 6, Noes 9.

Question accordingly negatived.