Recently we held the second reading debate on the Cyber security and Resilience Bill which is designed, post Brexit, to update our cyber regulations. Almost everyone who spoke in the debate was of the view that it does not go far enough in meeting the cyber threats that the UK faces. This is an edited version of what I said.
My Lords, first, I declare an interest as an adviser to DLA Piper on AI policy and regulation. I should also say that we as a law firm were subject to a ransomware attack by NotPetya back in 2017. It was not a pleasant experience.
I thank the Minister for her introduction and earlier engagement on the Bill and thank all noble Lords who spoke today in such an expert fashion. On these Benches, like many other noble Lords, we support the fundamental objectives of this legislation to modernise our outdated cyber security framework. But what has been remarkable today is the consensus across the Benches that the Bill is not nearly ambitious enough. Indeed this could be a missed opportunity to align much more closely with the EU framework.
Where is the strategy? Where are the underderlying principles? Where is the plan of action? There is quite a bit missing from the Bill, and I shall take noble Lords through some of those areas.
The threat landscape has deteriorated sharply. The National Cyber Security Centre has managed 204 nationally significant incidents in a single year, double the year before. Yet the Bill will apply directly to only a tiny minority of organisations; meanwhile, 43% of UK businesses have experienced a cyber breach in the last 12 months. One of the most glaring omissions is the almost entire exclusion of the public sector. Central government, public administrations and local authorities are almost entirely exempt from the Bill’s direct statutory duties.
How can we claim national resilience when the state itself is exempt? We have seen the data of 270,000 military personnel compromised in the Ministry of Defence hack, and the devastating attack on the British Library, which destroyed irreplaceable data. Local authorities hold vast repositories of citizen data, from electoral registries to social care records. The ransomware attack on Redcar and Cleveland cost £10 million, the one on Hackney £12 million
We must make cyber security a boardroom issue. Only 27% of businesses now have a board member explicitly responsible for cyber risk, down from 38% three years ago. Unlike the EU’s NIS2, the Bill fails to mandate executive responsibility. We must now extend corporate financial audits to report on how an organisation and its suppliers manage cyber security using existing governance codes.
The urgency here is multiplied by the rapid rise of agentic artificial intelligence. This is a major omission.
Anthropic recently withheld wide release of its Mythos model because it could autonomously find and exploit software vulnerabilities across every major operating system. The UK’s own AI Security Institute, as we have heard, found Mythos substantially more capable at cyber offence than any model previously assessed, and warned that frontier AI capability is doubling every four months. Of course, that will be further amplified by quantum computing.
The EU’s AI Act already imposes binding cyber security and incident reporting duties on the handful of frontier model providers that it judges to pose systemic risk. California and New York do the same for the largest developers. This Bill, by contrast, does not mention AI systems at all, as many noble Lords have pointed out. Last month, the cyber security agencies of the Five Eyes alliance, including our own National Cyber Security Centre, issued a joint statement warning that frontier AI is shrinking the gap between vulnerability discovery and exploitation from months to a matter of days, and this can no longer be treated as a technical issue rather than a leadership responsibility.
Meanwhile, our own defenders have a skills crisis. ISC2 warns that 88% of UK cyber professionals have experienced a breach in the last 12 months as a direct result of skills shortages, yet Clause 43 references “a skilled person”, who must liaise with the Secretary of State during national security directions, without defining what “a skilled person” is.
Who will actually enforce the rules? The Bill distributes duties, as we have heard today, across 12 separate sectoral regulators, many of which, such as Ofwat, already struggle to regulate their own domains. This fragmented approach guarantees duplication and gaps. I agree with the Joint Committee on the National Security Strategy: the UK needs a single expert or lead regulator-to oversee both public and private sectors. Failing that, the Government should at least adopt the EU’s Digital Omnibus model of a single report-once portal.
We must fix the Bill’s definitions. For instance, techUK warns that the current definition of a managed service provider is dangerously broad, risking capture of any basic IT support in the country.
The Bank of England’s own data shows that just three US giants control 73% of the cloud computing services supporting UK financial firms. A number of noble Lords raised the issue of cyber sovereignty. The Trump Administration blocked European and UK firms from accessing Mythos. If a foreign ally can pull the plug on a critical cyber security tool overnight, how can this Government claim true national resilience? That is why, as many noble Lords today have said, we need a comprehensive digital sovereignty strategy. My noble friend Lady Ludford called this “servitude” and the noble Baroness, Lady Berger, talked about “critical dependency”. We need to assess our foreign policy dependencies and support domestic UK providers.
The Bill is silent on cyber-enabled fraud, which costs our economy billions of pounds every year and exploits precisely the same weaknesses this Bill is meant to fix. There is a related threat which is emerging, as Thales has tracked, that automated bot traffic has overtaken human traffic online for the first time. As suggested by the NMA, we need the Secretary of State, under this Bill, to assess the cyber security risks that anonymous bot traffic poses to UK websites.
If we expect businesses to defend themselves, we cannot handicap our own cyber professionals. I welcome what has been said by a number of noble Lords on the question of the Computer Misuse Act, which badly needs amending.
Finally, in the face of autonomous AI threats, the Government need an ultimate backstop. We support proposals from ControlAI to introduce strictly constrained last resort powers, allowing the Secretary of State to direct the shutdown of data centres or AI systems in a catastrophic emergency. The cost of inaction vastly outweighs that compliance burden. Jaguar Land Rover, lost around £500 million in a single attack. But currently JLR sits entirely outside the scope of the Bill, as does the retail sector, as a number of noble Lords have pointed out. That is true too of the insurance sector.
The Bill is a necessary foundation. In Committee, we will push hard for amendments to reflect the changes that are needed. In this way, we can ensure that our national cyber defences are genuinely whole of society and fit for the age of AI. We are going to have a very well-informed Committee; I hope the Minister is looking forward to it.






