Economy and Fair Work Committee
The Cyber Security and Resilience (Network and Information Systems) Bill is a UK Government Bill introduced in the House of Commons on 12 November 2025 by Liz Kendall MP, Secretary of State for Science, Innovation and Technology.
The Bill and associated documents can be viewed on the UK Parliament website.
The Bill had its Second Reading in the House of Commons on 6 January 2026 and has now completed its Committee stage. A carry-over motion has been lodged in the House of Commons to allow it to continue its progress in the next parliamentary year (following the summer).
A Legislative Consent Memorandum (LCM) was lodged on 6 January 2026 by Angela Constance MSP, Cabinet Secretary for Justice and Home Affairs, which was referred to the Economy and Fair Work Committee to consider.
The Scottish Government is in discussion with the UK Government as set out in the LCM and intends to lodge a supplementary LCM to update the Parliament on progress. The supplementary LCM is now expected to be lodged after the summer recess.
The purpose of the Bill is to strengthen the UK's defences against cyber-attacks and improve the security and resilience of critical infrastructure, including by—
amending the Network and Information Systems Regulations 2018 and giving enhanced powers to competent authorities, including in relation to information sharing, incident reporting and enforcement; and
giving the Secretary of State powers to—
further specify which activities should be regulated and by which authority;
make regulations relating to the security and resilience of network and information systems;
designate a statement of strategic priorities;
issue a code of practice for regulatory authorities; and
direct regulators and regulated bodies where threats relating to network and information systems pose a risk to national security.1
The Scottish Government is broadly supportive of the Bill's aims, but has identified several clauses where it does not recommend legislative consent be given. Its concerns are about provisions that would allow the Secretary of State to amend Acts of the Scottish Parliament through UK secondary legislation, and alter the competence of Scottish Ministers, without any duty to consult or seek consent.
Discussions between the UK and Scottish Governments are ongoing. Once concluded, the Scottish Government intends to lodge a supplementary LCM.
The Scottish Government and UK Government are not currently in agreement on which aspects of the Bill require consent (paragraphs 10 – 15 of the LCM).
The Scottish Government is recommending that legislative consent is given for clauses 12, 15, 17-23, 33, 38, 40, 46-52, 56 and Schedules 1 and 2. Detailed reasons for this are given in the LCM at paragraphs 18 to 58. Broadly, this is because they expand and/or improve the existing cyber security regime.
However, the Scottish Government has also identified clauses where it does not currently recommend that legislative consent is given. These are clauses 25, 26, 27, 28, 29, 30, 31, 32, 34, 35, 41, and 45. Paragraph 59 of the LCM notes that—
These provisions concern the conferral of regulation making powers on the Secretary of State, which could be exercised in relation to devolved matters but do not require the consent of the Scottish Ministers.1
The Scottish Government is in discussion with the UK Government about these clauses and intends to lodge a supplementary LCM to update the Parliament on progress. The supplementary LCM is now expected to be lodged after the summer recess.
The draft motion on legislative consent is as follows—
That the Parliament agrees that the relevant provisions of the Cyber Security and Resilience (Network and Information Systems) Bill, introduced in the House of Commons on 12 November 2025, relating to clauses 12, 15, 17-23, 33, 38, 40, 46-52, 56 and Schedules 1 and 2, so far as these matters alter the executive competence of the Scottish Ministers, should be considered by the UK Parliament.
The Committee considered the LCM at its meeting on 4 February 2026. It agreed, for now, to note the LCM in anticipation of a supplementary LCM being lodged. It wrote to the UK and Scottish Governments welcoming the constructive dialogue taking place and expressing hope that a resolution, acceptable to both Governments can be reached.
As agreement has not yet been reached, and a supplementary LCM not now expected until after summer recess, the Committee took evidence on the LCM from Angela Constance MSP, Cabinet Secretary for Justice and Home Affairs, at its meeting on 4 March 2026.
The Cabinet Secretary stated that, although the Scottish Government is broadly supportive of the Bill's aims, it is concerned that current drafting would allow UK Ministers to amend Acts of the Scottish Parliament through secondary legislation, and to change the executive competence of Scottish Ministers, without any duty to consult Scottish Ministers or seek consent to do so.
The Cabinet Secretary said that discussions with the UK Government had been constructive and would continue into the next Session. She stated that the UK Government estimates Royal Assent in early 2027 and commencement in late 2028.
The Committee expressed concern at the slow pace of progress on cybersecurity generally in the UK, noting that consultation on this Bill's measures took place in 2022. The Committee discussed awareness of the importance of cybersecurity for business and public sector bodies, current cyber‑resilience work in Scotland, and international benchmarking.
The Committee sought clarity on which Scottish public bodies would be impacted by the Bill. Paul Chapman, the Scottish Government's Head of Public Sector Cyber Resilience, explained that only the regulation of health services by the Scottish Government and regulation of the water sector by the Drinking Water Quality Regulator for Scotland would meet the criteria for designation as a competent authority in Scotland.
Members asked about the financial impact of the Bill on the public sector and on businesses, and about the potential scale of the new duties. Paul Chapman stated that no major costs are expected as a result of the Bill and that the designation of critical suppliers (which would require them to comply with cyber security regulation) would only be used as a last resort.
The Committee also asked about alignment with EU cyber resilience legislation. The Cabinet Secretary confirmed that the Scottish Government maintains its long-standing position of alignment where possible, and that UK and Scottish authorities work closely with EU counterparts on issues around cybersecurity.
The Committee notes the Scottish Government's position as set out in the Legislative Consent Memorandum.
The Committee reiterates its view, as expressed in previous reports, that—
the Scottish Parliament should have the opportunity to effectively scrutinise the exercise of all legislative powers within devolved competence; and
accordingly, powers conferred on UK Ministers should be subject to a requirement for the Scottish Ministers’ consent when exercised within devolved competence.
The Committee notes that the Scottish Government has recommended partial consent for the clauses in the Bill where there is agreement, and that discussions are still ongoing on the areas of disagreement.
The Committee welcomes this constructive dialogue, and recommends the Parliament gives its consent to the clauses identified in the Scottish Government's Legislative Consent Memorandum and Legislative Consent Motion.
This report will be drawn to the attention of a successor Committee, to assist its scrutiny of any supplementary LCM for the Cyber Security and Resilience (Network and Information Systems) Bill.