NCC Group’s Chief Scientist, Chris Anley, today gave evidence to the UK Parliament’s Cyber Security and Resilience (Network and Information Systems) Bill Committee, appearing alongside representatives from Cisco, Darktrace and Amazon.
The Cyber Security and Resilience Bill is set to overhaul UK cyber rules, strengthening the security and reporting requirements critical organisations face, and extending the UK NIS regulations to thousands of new businesses, including managed service providers, energy flexibility providers and data centres.
Invited to Parliament as an expert witness, Chris emphasised that, based on the Government’s own impact assessments, only 0.1% of the UK private sector currently falls within the scope of the Bill, “one hundredth of the tip of the iceberg”. He said that a whole‑of‑economy approach will be required if the UK is to be effectively secured. This should include incentivising further uptake of schemes such as Cyber Essentials and the UK Software Security Code of Practice, a voluntary scheme used by organisations to strengthen software supply chain security, for which NCC Group was recently announced as an Ambassador.
Turning to the Bill itself, Chris encouraged Government to publish draft secondary legislation and guidance as early as possible, giving industry clarity ahead of implementation. He also warned that the Bill’s new reporting obligations add “to an already complicated situation” whereby UK organisations must report a single cyber incident multiple times. He called for a single point of contact and a single reporting timeline, noting that while this may sound ambitious, Australia has already implemented such a system and the EU is pursuing similar streamlining through its Digital Omnibus package.
Chris also urged MPs to use the passage of the Bill as a “golden opportunity” to reform the Computer Misuse Act. He explained that cyber security professionals currently risk criminal prosecution when undertaking legitimate defensive actions, such as identifying ransomware command‑and‑control infrastructure. He voiced support for the CyberUp campaign’s proposed statutory defence, grounded in four safeguarding principles, arguing that such a reform would both protect defenders and maintain the integrity of the law.
Finally, Chris noted the benefits of the UK’s sectoral regulator model, arguing that regulators overseeing sectors where operational technology (OT) predominates can set tailored measures that better protect those environments. A “one‑size‑fits‑all” approach, he warned, risks leaving critical OT systems more vulnerable to successful attack.
Contact
NCC Group Press Office
All media enquiries relating to NCC Group plc.