New Clause 5 - Duty on Secretary of State to report on the meeting of existing recommendations and implementation deadlines

Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 9:45 am on 24 February 2026.

“(1) The Secretary of State must, at least once in every 12-month period, lay before Parliament a report outlining the Government’s progress towards meeting—

(a) the recommendations made in the National Audit Office’s report on Government Cyber Resilience of 29 January 2025, and

(b) the implementation milestones set out in the Government’s Cyber Action Plan of 6 January 2026

so far as they relate to the security and resilience of network and information systems.

(2) Any report under this section must, where a deadline or implementation date has not been met in relation to the matters set out in subsection (1) above, include—

(a) an explanation for the failure to meet the deadline or implementation date;

(b) a revised deadline or implementation date and a plan for meeting the new date.”—

This new clause would require the Secretary of State to report annually on the Government’s progress towards taking actions relating to the security and resilience of network and information systems arising from the NAO’s January 2025 report on the Government’s cyber resilience and from the Government’s Cyber Action Plan.

Brought up, and read the First time.

Ben Spencer Shadow Minister (Science, Innovation and Technology)

I beg to move, That the Clause be read a Second time.

The National Audit Office’s 2025 report on cyber-resilience highlighted that Government Departments and agencies are among the weakest links in the UK’s cyber-security ecosystem and lack a credible plan to become cyber-resilient in the short to medium term. The Government play a key role in the management of certain critical national industries, but the continuing cyber-security vulnerabilities in the IT systems used to operate CNI expose the UK to the threat of serious attacks that could undermine national security and the economy.

That is not to mention the risk to enormous amounts of highly sensitive data held on Government systems. Dr Sanjana Mehta of ISC2 said in her oral evidence that the Department for Work and Pensions administered £288 billion of benefits over the past year, with more than 23 million people claiming benefits of some kind. That activity involves processing vast amounts of personal, medical and financial data, which presents rich pickings for malicious actors.

The feedback from industry stakeholders, many of whom are being asked by the Government to take on onerous security and reporting obligations under this Bill, echoes those concerns regarding Government cyber-immaturity. There is a strong sentiment that the Government should be leading by example, as Chris Anley of the NCC Group commented in the Committee’s oral evidence sessions.

In view of the growing risk posed to UK cyber-security by hostile state actors, by their affiliates and by criminal gangs, improving Government cyber-security is urgent. It is clear from the NAO’s findings and other recent reports that Government Departments have lacked the clear goals and necessary accountability to incentivise tackling this significant challenge.

In his letter of 19 February to members of the Committee, the Minister said:

“Government will be held to equivalent cyber security requirements that we expect of the essential and digital services in scope of the Cyber Security and Resilience (Network and Information Systems) Bill.”

But as matters stand, there are no effective legal mechanisms for accountability to Parliament on increasing Government cyber-resilience to the standards necessary to meet the intensifying threats facing our Government Departments and agencies.

New clause 5 would compel the Secretary of State to make yearly reports to Parliament setting out the Government’s progress towards meeting the recommendations of the National Audit Office’s 2025 report on Government cyber-resilience and towards meeting the standards they set themselves in their recent cyber action plan. Where necessary, the Secretary of State would have to account for failures to meet deadlines for implementation and issue a new plan to achieve compliance.

In moving this new clause, I am aware of the challenges that successive Governments have faced in driving up cyber-resilience standards. There are serious practical and budgetary obstacles that can impede progress, such as the vast amount of legacy IT equipment that remains in use, which is inherently more vulnerable to attack. Moreover, there is the ongoing problem of recruiting highly skilled cyber-security professionals to work in these roles, given the competition in the recruitment market and constraints on public sector salaries. Illustrative of that challenge is the worrying statistic, cited by Chris Anley of the NCC Group, that

“almost a third of cyber-security posts in Government are presently unfilled”.––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 24, Q29.]

None the less, the Government have now put in place a plan that they consider achievable, and they should be held to account for it. The new clause creates a mechanism for that much-needed accountability.

Lincoln Jopp Conservative, Spelthorne

Does the shadow Minister agree that if Labour Members vote against new clause 5, it would be a classic case of “Do as I say, not as I do”? If they are happy to go on the record as voting it down on that basis, does the shadow Minister agree there would be an element of what is politely termed “variable geometry”? The more direct word is “hypocrisy”.

Dave Robertson Labour, Lichfield

It is interesting to hear the hon. Member for Spelthorne say that this is apparently hypocrisy and the shadow Minister agree with him. The National Audit Office report was published on 29 January 2025, barely six months after the general election, so it was really commenting on 14 years of Conservative-led Governments. I think it is pertinent to put it on record there has been a lack of focus in this area for far too long, and I am glad that the Government are introducing legislation. If we are to have comments such as that made by the hon. Member for Spelthorne, I feel it is appropriate to have something on the record to counter it.

Ben Spencer Shadow Minister (Science, Innovation and Technology)

I agree about the importance of putting things on the record. Since the hon. Member obviously has not been listening to my speech, he can check it out on the record. I acknowledged the challenges in this area—[Interruption.] Does the Government Whip want to intervene, or was she just chuntering? I will continue.

Given that the Bill puts quite a burden on the private sector, as we discussed over several sittings before the parliamentary recess, I think it is important that the Government recognise, as my hon. Friend the Member for Spelthorne said, it would be pretty shameless not to vote for accountability for themselves while putting it on other people. Let us see how the vote goes. I commend new clause 5 to the Committee.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.

We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.

Christopher Vince Labour/Co-operative, Harlow

I declare an interest as a member of the Public Accounts Commission, which regularly scrutinises the National Audit Office. Can the Minister give some reassurance to Labour Members, who are being accused of hypocrisy, that we do make sure that the highest levels of cyber-security are met?

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology) 10:00, 24 February 2026

My hon. Friend is right. Where the Conservative party did absolutely nothing and continues with its hypocrisy, I am glad to inform hon. Members that this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.

Alison Griffiths Conservative, Bognor Regis and Littlehampton

New clause 5 simply asks the Government to commit to reporting back on meeting the milestones they have set themselves for increasing cyber-security standards. Is the Minister confident in the Government’s ability to deliver on their cyber strategy, or is the document not worth the paper it is written on?

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I simply repeat my prior sentence: this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.

In addition, the Government’s cyber action plan was published in January this year. It sets out how the Government will rapidly improve the cyber-security and resilience of public services to deliver a step change in cyber and digital resilience across the public sector. The plan sets out clear accountability structures to ensure that cyber-risks at all levels of Government are actively owned and effectively managed, with those responsible held to account.

Alison Griffiths Conservative, Bognor Regis and Littlehampton

The continued use of legacy IT equipment is a particular vulnerability across the Government estate. That will take some time to address entirely, but is there a strategy in place to prioritise the upgrading of this legacy equipment, given that it is one of the greatest areas of exposure?

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The hon. Member makes a very important point. We have heard of two major sources of risk from a cyber point of view: legacy technology and technology debt, and frontier AI attacks. The Government’s cyber action plan is not technology-specific, but both those sources of risk are very much on my mind, and I will make sure they are also on the mind of those implementing the Government’s cyber action plan.

I assure Members that we will continue to work with Parliament to support oversight of the plan’s implementation and to explore additional avenues for scrutiny of the Government’s cyber-resilience to guarantee the right level of accountability. I therefore kindly ask the shadow Minister to withdraw his new clause.

Question put, That the clause be read a Second time.

Division number 5 Cyber Security and Resilience (Network and Information Systems) Bill — New Clause 5 - Duty on Secretary of State to report on the meeting of existing recommendations and implementation deadlines

Aye: 6 MPs

No: 9 MPs

The Committee divided: Ayes 6, Noes 9.

Question accordingly negatived.
