Cyber Security and Resilience (Network and Information Systems) Bill

2nd reading
Tuesday 6th January 2026


Commons Chamber
Second Reading
[Relevant document: Eleventh Report of the Business and Trade Committee, Toward a new doctrine for economic security, HC 835.]
12:48
The Minister for Digital Government and Data (Ian Murray)

I beg to move, That the Bill be now read a Second time.

A happy new year to you, Mr Speaker, and to all the House staff. This is the first opportunity I have had to say that to you.

On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware—malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.

This was not an isolated case. In the year leading up to September 2025, the National Cyber Security Centre dealt with 204 “nationally significant” incidents, meaning that they seriously disrupted central Government or our critical public services. That is more than double the 89 incidents in 2024. No one disputes that we must do everything we can to protect the UK from these attacks. The UK is the most targeted country by cyber-attacks in Europe, and it was the fifth most targeted nation in 2024 by nation state-affiliated threat actors. In 2024, it is estimated that UK businesses experienced over 8.5 million cyber-crimes in the 12 months preceding the survey, and that in that year more than four in 10, or 43%, of UK businesses were subject to a cyber-attack, affecting more than 600,000 businesses in total.

Significantly, cyber-attacks are estimated to cost UK businesses almost £15 billion each year, equivalent to 0.5% of the UK’s annual GDP, notwithstanding the wider economic effects of intellectual property theft or the experience of patients, as in the first example. The average cost of a significant cyber-attack for an individual business in the United Kingdom is estimated to be just over £190,000. There has been a 200% increase in global cyber-attacks on rail systems in the past five years, increasing the likelihood of severe disruption to the economy and to people’s daily lives.

Chris Vince (Harlow) (Lab/Co-op)

Does the Minister agree that, as we become more and more reliant on IT systems—I am thinking in particular about the new patient registration system at the Princess Alexandra hospital in my constituency—it is more and more important that we combat potential cyber-attacks, particularly from foreign powers and enemies of this country? That is why the Bill is so crucial.

Ian Murray

I could not agree more. I gave the example of the Synnovis incident that brought blood transfusions in London to a halt, affecting thousands of patients. Our everyday lives are affected by this. As we modernise and digitise our economy and our Government, we have to ensure that our systems are as secure as possible, and cyber-security is right at the heart of that. This is not just a defensive issue; it is very much an economic growth issue as well, as we can see from the impact it has on our economy, our public services and the day-to-day lives of people, as in the example of our train systems that I just mentioned.

Mr Toby Perkins (Chesterfield) (Lab)

I am grateful to my hon. Friend for giving way, and it is great to see him in his post. On economic growth, how has he sought in the Bill to balance the absolute need for a regulatory framework that businesses can have confidence in alongside the ability to attract continued investment, and to ensure that we do not end up with an over-regulatory framework that stifles investment? How did he find that balance?

Ian Murray

The Bill builds on the 2018 regulations, which were a hangover from the EU when we adopted them in this country. The Bill expands on those. As my hon. Friend the Member for Harlow (Chris Vince) just suggested, this is about economic growth as well as protecting our systems, so we have to find a balance between ensuring that our regulators have the powers and tools to regulate properly and giving businesses and our public services the confidence to use digital technology knowing that we have the most secure cyber-security in Europe, if not the world. We are very good at this stuff, and that is the balance to be sought. This Bill is about economic growth rather than about the over-regulation of businesses. I do not say this flippantly, but cyber-security is one of those areas where if everything is working, nobody notices, but when it is not working, suddenly everyone notices and it is everyone’s problem. That is why we are bringing the Bill forward and extending the scope of the powers.

Jim Shannon (Strangford) (DUP)

I thank the Minister very much for what he is saying and bringing forward. There is much in the Bill that we should encourage. I know that he is a regular visitor to Northern Ireland, and Northern Ireland is home to 130 cyber-security companies with some 2,750 employees. It is therefore essential that this legislation protects those jobs and enhances the capacity for more. Does he believe that the Bill both protects us and provides the opportunity for growth in Northern Ireland and, indeed, across the whole of the United Kingdom?

Ian Murray

Indeed it does. It is one of a number of provisions that the Government are bringing forward to create growth across the country, not just in Northern Ireland. The Secretary of State’s passion is to make sure that those jobs are everywhere, right across the United Kingdom, including in Northern Ireland. The Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), has been in Belfast recently discussing this legislation and wider cyber-security issues with the industry in Northern Ireland, so I can assure the hon. Member for Strangford (Jim Shannon) that that is indeed the case.

Dame Meg Hillier (Hackney South and Shoreditch) (Lab/Co-op)

Hackney council was the subject of a major cyber-attack in 2020. It did a good job, though it was very slow because of the nature of the challenge of getting things back up and running. The Bill is therefore very welcome but, pursuant to the answer to my hon. Friend the Member for Chesterfield (Mr Perkins), there are challenges for some of the smaller companies. I represent Shoreditch, which has many tech companies that need to maintain a standard on cyber-security but are small. How is the Minister going to balance the regulation for those smaller companies to ensure that they can keep abreast of things but are not so dampened down that they cannot progress and grow?

Ian Murray

This is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution. It is about reporting things more quickly to ensure that the attacks can be seen and action can be taken more quickly. It is also about reporting to the regulators to give the regulators confidence and powers across a wider scope of sectors in the economy, and to give businesses the confidence that those sectors have to report to the regulators when things are going wrong so that swifter action can be taken. We can see from the host of recent high-profile issues, including at Hackney council, that it is important to ensure that this legislation goes through quickly and does the job that it is intended to do.

Chris Vince

I thank the Minister for giving way; I apologise for intervening again. Is there a piece of work we need to do on culture? When businesses or the public sector are victims of cyber-crime, there is a danger that employees may feel embarrassed or nervous about reporting their concerns. We need to encourage people if they are victims of cyber-crime to come forward quicker and to recognise the challenges, rather than trying to hide them away and the issue becoming worse.

Ian Murray

While physical security and national security are issues for all of us, so is cyber-security. The Bill builds on the 2018 regulations to widen the scope into other areas of the economy where such issues have become much more prevalent—for example, data centres. I hope that doing so will give industries and sectors, including their employees, the confidence to report things to the regulators. Giving powers to the regulators will give businesses the confidence that they can report stuff; it is not a regulatory heavy hand dampening businesses. I hope that I can assure my hon. Friend and the rest of the House on that.

Before that significant number of interventions, I was talking about why this issue matters and gave statistics for recent cyber-security activity in the United Kingdom. As a result of all that, one of the very first things we did as a new Government after the election was announce this new cyber-security Bill, just 10 working days in. Since then, the Department has been talking to cyber experts, businesses and regulators to turn these proposals into the comprehensive, serious and proportionate piece of legislation that we present for Second Reading today—one that protects the public and strengthens national security without placing undue burdens on businesses. I appreciate that that is a fine balance, but I think that this Bill finds that balance, so I am confident that the whole House will support it.

Pete Wishart (Perth and Kinross-shire) (SNP)

We support this Bill and its efforts to tackle cyber-security, but it does not address the mass unauthorised scraping of trusted news content by generative AI systems. That content, as the Minister knows, is often taken without consent or compensation. As the Bill progresses, will he be prepared to look at some measures—maybe something like a bot register where people have to declare their intent when it comes to this type of activity? Will the Government look at this seriously so that news can be protected in this new environment?

Ian Murray

The hon. Gentleman is ingenious in the way in which he uses interventions on pieces of legislation. I know AI copyright is close to his heart as a former, or perhaps current, professional musician and, indeed, one of the key musicians in MP4—let’s not push that to a Division! AI copyright is, of course, a key issue that the Government are looking at. The Secretary of State for Science, Innovation and Technology and the Secretary of State for Culture, Media and Sport are working closely together on this issue. I think the legislation means that there has to be a report to Parliament in March—I am sure the hon. Gentleman will be very interested in that. We are bringing together the industry and tech companies to try to find a way through that particular issue. We know that it is a huge issue. It is not in the scope of this Bill, which has been kept very tight to deal with these specific and serious cyber-security issues.

As we know, the first duty of Government is to keep people safe. The question is how precisely the Bill will achieve that goal. The answer is simple. The UK’s main cyber-rules—the Network and Information Systems Regulations 2018, or the NIS regime—were first introduced seven years ago and have not been updated since. Those rules require operators of essential services such as energy, water and hospitals, as well as some digital service providers such as online search engines, to take steps to protect the services they provide and the data they hold from cyber-threats.

As Members might expect, a lot has changed in the cyber-landscape in the past eight years. We have had the rise of AI, which cyber-criminals are using to their advantage. Data centres have become a firm fixture of modern life, and we want to see more of them. Since the rules were introduced, criminals’ tactics have evolved to exploit loopholes in the regulations, as they did in the attack on the NHS supplier that I mentioned, which revealed how hackers can target third parties, such as IT companies, or supply chains as a back-door way of bringing down a wider system. As always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with.

Dave Robertson (Lichfield) (Lab)

My right hon. Friend is right to mention the impact on supply chains. In the west midlands, we recently had the cyber-attack on Jaguar Land Rover. That had a significant impact not just on that company, but on the supply chain, which has its roots right through the west midlands. That essential part of our economy was brought to a grinding halt by a cyber-attack. Will he confirm that this Bill will help prevent such instances from happening in the future?

Ian Murray

I thank my hon. Friend for all he did on the issues facing Jaguar Land Rover. I know that the matter is close to his heart and, indeed, it was a really big issue across the country, showing how a cyber-attack can affect not just one company, but have a ripple effect throughout the economy. Of course, the Government stepped in to unlock a £1.5 billion bolster to Jaguar Land Rover’s cash reserves to help it through that problem.

I should say to my hon. Friend, and I will come to it later, that Jaguar Land Rover and other private organisations are not in the scope of this Bill. The reason is that individual private companies should take their own cyber-security seriously and ensure that the risks of such incidents and threats are minimised as much as possible. The Bill widens the scope of the existing regulations, which do not include that, but of course the Government are working closely with Jaguar Land Rover, Marks & Spencer and other high-profile cases, because we know the impact they can have on our economy. Indeed, had the Government not stepped in and resolved that issue, the impact on Jaguar Land Rover, and the tens of thousands of employees at the plants and in the supply chain, would have been catastrophic and is not worth thinking about. I thank my hon. Friend for raising that issue.

As I said, as always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with, but today we are fixing that. The first change in the Bill is to widen the scope of the 2018 regulations. To keep up with the changes of the past eight years, we are adding a few new things to that list, starting with large-load controllers. That includes any organisation that manages a significant flow of electricity to or from a smart appliance. It might be a company that supports electric car charging, for example. Bringing these entities into scope will safeguard our power supply and give consumers confidence in using energy-smart appliances, all of which are critical as we advance towards our clean power 2030 mission and net zero.

The second change is that we are adding large data centres in recognition of their growing importance to our day-to-day lives and to the economy. These are vast digital warehouses for the United Kingdom, home to servers that host everything from patient records to their bank details. This is the data that underpins modern life and all our lives and communities, and it must be protected.

We are expanding the scope of the regulations to include managed service providers as well. Those are organisations that provide ongoing functions, such as an IT help desk, to an outside client. Their access makes them an attractive target for cyber-attacks as criminals can find one weak spot and bring countless organisations down. For example, in 2014, an attack on a service provider for the Ministry of Defence compromised the personal data of around 270,000 people—military personnel, reservists and veterans. As organisations rely more and more on outsourced tech, we have to close this gap. In fact, weaknesses in the supply chain have become such a risk that we will go even further by allowing regulators to designate certain organisations as critical suppliers. That includes certain suppliers to essential services that could have a significant impact on the economy or society as a whole—for example, key suppliers to water companies, grid operators or air traffic control. These critical suppliers will be subject to cyber-security duties, which we will set out in secondary legislation.

Dame Meg Hillier

Last year, the Treasury Committee wrote to the top 10 banks in the UK because there had been a number of outages. There was no suggestion that cyber-security attacks were involved in most cases. A trend in the responses was that third-party software providers are often the source of the issue. What is the Minister’s thinking about how to involve the banking sector in the scope of the Bill?

Ian Murray

The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.

The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.

We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.

Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.

Sir Oliver Dowden (Hertsmere) (Con)

I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber-security is one of those things that Ministers talk about, but then other priorities overtake it. The advantage of legislative requirements is that they force Ministers to think about it. I urge the Minister to look at that point again as the Bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force Ministers’ minds on the point.

Ian Murray

The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.

The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.

Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)

I thank the Minister for the excellent points he is making on the importance of cyber-security and the cyber-security action plan. Can he say a little bit about how the success of the cyber-security action plan will be measured, monitored and communicated to the House? He is probably aware that only 33,000 cyber essentials certificates were issued in 2024, for example, so an increased take-up of cyber essentials and the guidance in the action plan are essential.

Ian Murray

There are some key dates to monitor progress in the action plan itself. I wrote to my hon. Friend, the Chair of the Science, Innovation and Technology Committee, this morning on the publication of the action plan to lay out some of those issues; the letter will be landing soon. I would be happy to discuss that in front of the Committee in more detail. I hope that the Committee, and indeed the Opposition and our own Labour Members, hold us to account for delivering on this, because it is fundamentally important to Government, whether it be digitisation, modernising Government or winning the case with the public about why digitisation is so important and why Government should be as secure as possible and lead the charge on that across the whole economy. I hope that we and the Committee can take that forward in the weeks and months ahead.

As I said, the Government cyber action plan launched this morning is backed by over £210 million of investment and Government Departments will be held to standards equivalent to those set out in the Bill. I hope that that partially answers the question from my hon. Friend the Chair of the Science, Innovation and Technology Committee. Although the focus of the Bill is on essential services, it will also indirectly help businesses, including those damaged by the recent attacks, and Government. Almost all organisations today rely on data centres, outsourced IT or some kind of external supplier. By extending the Bill’s oversight, we are preventing attacks that could, in theory, reach thousands of organisations.

The Bill also gives new powers to regulators responsible for enforcing the NIS framework. Effective compliance is crucial to the success of any regime. These reforms could be world-leading on paper, but without proper enforcement they are meaningless.

David Reed (Exmouth and Exeter East) (Con)

We have talked about the regulators having new powers to designate critical national infrastructure in regard to cyber-security threats, but who actually has accountability? The Bill refers to

“regulations made by the Secretary of State.”

Which Secretary of State is that, given that this is a cross-departmental and cross-Government approach?

Ian Murray

Cyber-security is the responsibility of the Department for Science, Innovation and Technology, but the Cabinet Office has a clear resilience issue as well, as we heard from the right hon. Member for Hertsmere (Sir Oliver Dowden), who was in the Cabinet Office previously. The DSIT Secretary of State will make those regulations, but a plethora of regulators are involved in this process—energy, water and data centres all have different regulators. The regulators that regulate those sectors are being empowered through the expanded number of sectors being brought into the legislation to take the responsibility.

Sir Julian Lewis (New Forest East) (Con)

I am extremely grateful to the Minister for giving way. On the point about regulators, the industry has issued a brief, which points out, quite sensibly, that these regulators are going to have a lot of extra duties to perform and they will therefore need extra resources to be able to perform those duties, but the extra resources they require will only be unlocked when the Bill has passed. Is there not a danger of a transition period where duties will be laid on regulators to fulfil their role before they have the resources to carry it out?

Ian Murray

We have to pass the legislation first. It may be amended during its passage through both Houses. Therefore, the regulators will not know what they are regulating until the Bill has passed. However, as I mentioned at the start of my contribution, we have been working with regulators, businesses, organisations and cyber-security experts in the run-up to producing the Bill to make sure that it is in the right place—that it is proportionate on businesses and regulators—and that it is effective, which is the most important thing. I am sure that we will have debates on those kinds of issues as we go through Committee and on to Third Reading, but I very much acknowledge what the right hon. Gentleman said.

The Bill will strengthen the powers of the NIS regulators, ranging from Ofgem to the Civil Aviation Authority, which work together to uphold the UK’s cyber rules across those different sectors—I may have taken the previous intervention 10 seconds too early! We are raising the maximum fine that they can impose, for example, while simplifying the penalty bands to make them clearer. The key driving force for this measure is not to punish rulebreakers or raise revenue, but to incentivise firms to be vigilant. Our goal is 100% compliance and zero fines.

We will also ask regulated organisations to change the way they report attacks and expand both the types of instance they have to report and the timeframe in which they have to report them. This is a small but crucial change. Under the current rules, regulators get notified about a breach only once it has already caused significant disruption—when traffic lights have failed or the heating has shut off. The system does not include cases with the potential to cause a crisis much later, like a hospital’s computer system quietly being spied on as hackers wait for their moment to strike. Under the Bill, if an organisation is within scope, it will have to tell its regulator and the National Cyber Security Centre about these types of breaches within 24 hours and provide a full report within three days. Pace and speed are of the essence. This will not only give us better information, but help agencies to warn others, should they need to, before they become the next targets.

The Bill will also allow the Government to set clear and consistent outcomes for regulations to work towards. One of the virtues of having a regime enforced by different agencies is that each has sector-specific expertise—Ofgem understands the complex digital systems that underpin the national grid, and the Civil Aviation Authority knows the precise threats to air traffic control, for example—but that approach has sometimes led to inconsistencies in how the regime is applied. Some bodies interpret the rules differently from others. The Bill aims to fix that with a single set of objectives issued by central Government and applied across the board. That will send the message that no sector is an easy target in the UK.

We will also improve the way in which regulators, intelligence agencies and law enforcement share information with each other by providing greater clarity on what regulators can share and receive. It is important that regulators have the resources to do their job, as the right hon. Member for New Forest East (Sir Julian Lewis) said. The Bill will also give them new powers to cover the full costs associated with their regulatory duties. To ensure transparency, regulators will consult on how fees are calculated and publish a statement each year to show how the funds are being used. Together, the measures add up to a much more consistent and effective regime with better reporting and much clearer guidance for all involved.

The Bill ensures that the UK’s cyber-security regime is not only fit for today but flexible enough to head off future threats as well. I have mentioned a few things that have changed in the past eight years—shifts in technology and the nature of cyber-attacks, artificial intelligence, data centres and the economy—but one of the biggest changes was, of course, Brexit. Since our exit from the European Union in January 2020, we have been unable to amend the NIS regulations without primary legislation, because the rules were originally part of European Union law. That has slowed the process and made it difficult for us to keep pace with new emerging threats and technology. Meanwhile, Brussels is pressing ahead with NIS2—its forward-looking update—while we lag behind.

That procedural quirk has left essential UK services more exposed, which perhaps tells us something about why the UK has such appalling figures compared with some of our EU counterparts, as hackers and cyber criminals exploit gaps in our dated laws. That is an unacceptable risk, so the Bill includes new powers for the Government to update the NIS regime via secondary legislation, to make it quicker and more agile for dealing with evolving technologies—we might need to respond quickly to a new type of cyber-threat, for example. That is not in order to override Parliament; in almost all cases, the Government will still be required to consult on any changes, and Parliament will have the final say on any legislation made under the power. However, delegated powers are essential for keeping us as responsive as possible. When national security is on the line, we need the ability to act fast and decisively.

In fact, in extreme cases some threats emerge so rapidly that even secondary legislation is too slow; if an ally were to be invaded by a hostile state, for example, the cyber risk to the UK would suddenly escalate. The Government will therefore also be given powers to direct regulators or regulated entities where national security is threatened—to issue specific cyber-security guidance in a crisis, for example. Those powers are intended as a last resort to protect our national security, and safeguards will go into the Bill to ensure that they are used accordingly.

The UK’s cyber sector is the third largest in the world, as we heard from our friend from Northern Ireland, the hon. Member for Strangford (Jim Shannon). It achieves double-digit growth year on year. We have fast-growing clusters of expertise in Cheltenham and Manchester. This legislation will supercharge that success, doubling down on one of our nation’s greatest assets. At its core, the Bill is about protecting the essential services that we all rely on, so that the lights always stay switched on, clean water always runs in our taps, and hospitals are always safe and secure. Those are the real-life community issues that we and our constituents all encounter every single day.

This is more than a technical upgrade; it is a bold commitment from the Government to protect one of our biggest economic strengths and keep the UK safe in a rapidly evolving digital world. Together, we are working towards a future in which security is not a hope but a guarantee. I commend the Bill to the House.

Mr Speaker

I call the shadow Secretary of State.

13:24
Julia Lopez (Hornchurch and Upminster) (Con)

Happy new year, Mr Speaker, and thank you for putting the heating on. I am grateful to the Minister for setting out the Government’s rationale for this legislation in the Secretary of State’s stead. I do not know why the Minister was demoted either, but I want him to know that we appreciate him.

The official Opposition recognise the scale of the cyber-security challenge that the country faces. If the pandemic accelerated the adoption of digital technology at a pace we had never before seen, then the advent of artificial intelligence will embed that technology into our economy in wholly new ways that bring not only opportunity but unprecedented risk. AI and automation will not only transform productivity but equip hostile states, criminal gangs and opportunists alike with tools capable of eroding our national defences at speed and at scale. It is right that Parliament legislates to raise the collective security bar. We on the Conservative Benches support that principle. However, legislation of this kind does not come around often. Cyber law takes time to develop, and once the Bill passes, it is unlikely that Parliament will return to this territory for some years. That means that we must ask two simple but very serious questions today: will this law work and is it enough?

Before we answer those questions, it is worth reminding ourselves of the real-world consequences of failure. Cyber risk is neither abstract nor theoretical. Last year, the UK experienced what is widely regarded as our most economically damaging cyber-incident to date when Jaguar Land Rover suffered a major attack. That was not a sophisticated act of cyber-warfare against the state—although such acts are happening with increasing regularity—but was carried out by a band of hackers. The consequences were enormous, however. For five weeks, Jaguar Land Rover was unable to operate its automated manufacturing lines, cyber-related costs mounted to nearly £200 million, and national economic output was visibly affected in that month alone. The real damage did not stop at the factory gates: hundreds of small and medium-sized enterprises in the supply chain—many of them operating on thin margins—were pushed to the brink, workers faced uncertainty and contractors had their work paused.

Ultimately, the Government had to step in with a £1.5 billion loan guarantee to prevent wider economic fallout. When we consider the Bill, we must ask whether it would do anything to strengthen our collective resilience. That is one of the tests that this legislation ought to meet, and it is not yet clear that it does. Indeed, the attack on JLR would not have been stopped, as the Minister himself has made clear, because it would not have been in scope.

The cyber-threat landscape is evolving at an extraordinary pace. New research shows that cyber-attacks now cost our economy nearly £15 billion every year. High-profile breaches of businesses such as Marks and Spencer and the Co-op have demonstrated how quickly consumer confidence, jobs and supply chains can be put at risk. Last year alone, insurers paid out £197 million to help businesses recover from cyber-incidents. In fact, the collective cyber insurance bill of the FTSE 100 is now larger than the defence research and development budget. The Bill seeks to respond to one aspect of that reality by expanding the scope of regulation. Data centres, managed service providers, load controllers and designated critical suppliers will now fall within its ambit. That is a welcome acknowledgment that digitisation has introduced systemic risks that the original NIS regulations of 2018 did not adequately cover.

The Bill also strengthens the powers of regulators, introduces cost recovery mechanisms and tightens incident reporting requirements. Those measures are intended to modernise our cyber framework and address clear shortcomings identified in reviews of the NIS regime in 2020 and 2022. On paper, that all sounds sensible, but intent alone is not enough, which brings me back to our central concern: whether this law will work in practice in raising the standard of our collective resilience. The uncomfortable truth is that, in some of the most high-profile cases of cyber-attack, the penetration of systems was carried out by attackers using valid credentials. That means systems behaved normally. The breaches looked like legitimate access until it was too late. Human frailties were exploited: help desks were persuaded to reset passwords, and staff and contractors were impersonated. This Bill would help mainly after an attack—not before—by mandating reporting, improving intelligence sharing and increasing accountability.

Chris Vince

This is a friendly intervention, as I always like to get a bit of cross-party agreement where possible. I mentioned to the Minister the importance of changing the culture among employees to ensure that they feel confident about reporting cyber-attacks. Does the shadow Secretary of State agree with that?

Julia Lopez

Absolutely. The hon. Gentleman is correct: this is fundamentally about culture—that is the point that I am making. We can pass as many regulations as we like, but a lot of the holes in our cyber-security systems come down to human frailties. That means this challenge is not just about new laws but about changing a number of things to make us more resilient.

It is right not to dictate technical standards in primary law that will soon be outdated in the fast-moving world of technology, so the question is whether this law has the right mix of carrot and stick to make affected firms act in a way that raises the security bar—there are several areas where we fear it may not.

First, there is potentially an enforcement paradox. The Bill expands regulatory powers and increases the scale of potential fines, but the evidence from the existing regime does not suggest definitively that fines and new regulations deliver us greater cyber-resilience. Under the current NIS regulations, enforcement has been slow, inconsistent and often toothless. Very few significant penalties have been issued. Where they have been issued, the delay between incident and sanction has sometimes stretched beyond two years. That delay matters, because it actively undermines deterrence and disconnects accountability from operational reality. Simply widening the scope of regulation without ensuring that regulators are properly resourced, empowered and required to act quickly risks creating obligations that exist on paper but lack any real-world bite.

We also have concerns about the Bill’s cost recovery model. Funding regulators through levies on the organisations that they oversee risks unintended consequences in terms of improving our resilience. For large firms, the cost burden may be manageable, but for smaller enterprises it amounts to an additional operational tax that could divert scarce capital away from cyber-defence, staff training and innovation.

There is also a structural risk here. Regulators that are reliant on fee income might face incentives to expand scope and complexity unnecessarily, creating bureaucratic drag that crowds out voluntary, market-led initiatives, which often raise standards more effectively than prescriptive regulation.

More generally, I worry that this Bill will play into tech monopolies. The companies that thrive in this kind of environment are those with big compliance and legal departments. That concentrates risk and makes our tech economy less diverse, with serious implications that I shall come on to.

There may be reporting challenges too. A two-stage reporting process within 24 and 72 hours may be achievable for large, well-resourced organisations with in-house cyber teams, but for smaller operators it risks creating a compliance culture focused on speed, not substance.

There is also the danger of duplication. Many organisations already face overlapping reporting obligations under UK GDPR, sectoral rules and existing legislation. Without simplification and proportionality, the administrative load could be significant, once again diverting attention and resource from the very cyber-threat management that the Bill seeks to improve. We need to avoid this legislation becoming a “something must be done” Bill that totally misses the mark.

The Bill also fails to grapple properly with the human factor in cyber-security, which has already been talked about by the hon. Member for Harlow (Chris Vince). Technology alone does not keep organisations safe; governance matters. Yet board-level ownership of cyber-risk is moving in the wrong direction. Only 27% of businesses now have a board member explicitly responsible for cyber-security, down from 38% just three years ago. Without mechanisms to ensure senior accountability, fines risk becoming little more than a cost of doing business. Directors remain insulated while operational teams are left to carry the can. National cyber-resilience depends not just on systems and software, but on leadership, culture and accountability at the very top.

For those reasons, ahead of Committee consideration, we on the Opposition Benches are examining how the legislation can be strengthened, while continuing to support its core objectives. In the meantime, regulators must be properly equipped with the right powers, resources and clarity from Parliament on the intent of the law. Sanctions must be applied swiftly and consistently, and guidance must be clear, so that enforcement is credible and deterrence is real.

The Government should also look at how reporting obligations are calibrated. A one-size-fits-all approach might place disproportionate burdens on smaller firms, and it might be better to ensure that reporting thresholds reflect the size, complexity and risk profile of an organisation.

Equally, the funding of regulators must be transparent and predictable. There have to be safeguards against regulatory expansion for its own sake and firm assurances that funds raised are reinvested directly into improving national cyber-resilience, not absorbed by administrative overheads. While the Bill rightly prioritises critical national infrastructure, it cannot afford to ignore high-risk sectors that sit beyond its immediate scope.

There is also a major role for market-based solutions. Cyber insurance, sector-wide intelligence sharing and collaborative resilience initiatives can all complement regulation. These tools can reduce risk and improve preparedness without adding unnecessary legislative complexity.

The review cycle set out in the Bill may be too slow for the threat landscape we face and the pace of technological change. Annual or biannual reviews might allow Parliament to scrutinise effectiveness, respond to emerging threats and ensure that the legislation remains fit for purpose.

Let me make some more general points about the Government’s approach to cyber-security and resilience, and issues about the risk of dependence and threat from adversaries. I see no evidence from this Government that they are thinking with any clarity about the risks of long-term technological dependency and lock-in—quite the opposite, in fact. Large parts of our economy now depend on secure, high-quality digital infrastructure, and that reliance will only increase as AI advances. Whoever provides that infrastructure will wield huge future leverage. It was that reality that ultimately drove the change of heart over Chinese tech sitting at the core of our 5G telecom networks a few years ago.

However, the Government are seemingly betting every chip on US hyper-scalers. They provide our data centres, supply the platforms on which Government Departments are run and, more often than not, are the ones winning all the Government contracts. These investments will provide our companies with things that they need, from compute power to increasingly sophisticated AI platforms, but the UK is doing little simultaneously to mitigate our increased technological dependency. When I say “technological”, we need to understand that technology is what we now run our defence systems, factories, energy networks and communications on. Technology is the plumbing of our nation.

During September’s much crowed-about state visit by President Trump, this Government were visibly begging for good economic headlines after the humiliating resignations of the Deputy Prime Minister and the ambassador to the US, not to mention the uncontainable mess of the Chancellor’s first Budget and the threat of her second Budget. The US-UK tech partnership was the result, with a huge amount of smoke and mirrors deployed over what it actually contained. Whatever substance lay within it, we heard just before Christmas that it had been paused, used as leverage by the US while other trade negotiations were under way.

I am not criticising the US Administration for skilfully playing their hand in their national interest; I am asking this Government rapidly to wake up to the reality of a new world in which the post-war settlement is coming to an end—one that has been giving clues to its existence for many years, since long before President Trump came into office. The United States remains a vital ally, but in this new era Britain must be very clear-eyed about risk, the reality of hard power and the need to protect our sovereign interests.

Cyber-risk requires as much thought about the fundamentals of plumbing as it does about the laws that try to manage how humans use or exploit technology. The UK Government have a vast procurement budget for which our own firms ought to be able to make a successful bid, but UK tech tells me consistently that, for all the talk in the Government’s AI strategy of sovereign tech capability, it has not got a look-in since Labour has been in power. I am concerned that this Bill should not introduce new, burdensome regulation for UK firms in a way that benefits non-UK incumbents with giant compliance teams and legal resources in a way that would exacerbate the risk of vendor lock-in.

Let us turn to another risk. The private sector will have noticed that the new obligations in this Bill broadly do not touch the public sector, where cyber-risk remains red-light-flashingly large, notwithstanding the public cyber strategy that was thrown out today in implicit acknowledgment of that gaping hole. Knowing that the public sector holds such enormous cyber-risk, this Labour Government choose not to minimise it, but to create a brand-new one—a hulking great identity system mandated for anyone who wants a job and, we now hear, possibly for new-born babies. It is mandatory identity by stealth, not consent, and with no honesty about it.

It is not to be against the ability of people to verify themselves digitally for banking, to access certain online services or to stop fraud to think that Labour’s mandated digital identity plan is a complete rotter. The Association of Digital Verification Professionals called what Labour inherited on digital identity a

“world-leading model for data sovereignty that digitised liberty rather than diluted it”.

The citizen, not Government, would be in control. This naive Government are crowding out private sector expertise and making everyone have one of these identities by stealth. They have no idea what this system will cost, and they will not be honest about what it will be used for.

What of the cyber-security of this system? The system on which this digital identity will be run was breached during red team testing last year. When I asked the Secretary of State if that system has now met the National Cyber Security Centre’s cyber-security standard, no answers came. Whistleblowers have continued to speak out about the vulnerabilities of the system, and there is no sense whatsoever from Government that the dodgy digital identity plan will be paused until such a point when they are confident about cyber-security.

Andrew Cooper (Mid Cheshire) (Lab)

I am absolutely staggered to hear the shadow Secretary of State talk about standard software testing practices as though someone is doing wrong by trying to penetrate systems and find flaws in them. Is not the whole point of software testing to find the flaws in a system and get them fixed, rather than parading them in front of the House of Commons as though they are some sort of failure?

Julia Lopez

The hon. Gentleman is wilfully misinterpreting what I am saying. There is not an issue with having systems tested; there is an issue with the fact that the system test failed. There is no evidence that the Government have therefore acted to deal with those systemic failures.

Andrew Cooper

indicated dissent.

Julia Lopez

The whistleblowers continue to raise serious concerns about the structures upon which the Government’s digital identity platform will be built. The hon. Member looks absolutely outraged that I might suggest there are some concerns about the cyber-security risk of a national, mandated digital identity platform. I find it extraordinary that he suggests that I am expressing concerns that a system might be tested. Of course every system must be robustly tested—that is not the point I am trying to make, and the hon. Member is being wilfully ludicrous in suggesting otherwise. This Prime Minister cannot run an economy, keep promises or control his Back Benchers, or his Front Benchers, so how on earth does anybody think he can run a secure digital identity system?

At the same time as risking technological lock-in by friendly allies, we are creating new vulnerabilities for adversaries to attack. Just before Christmas, UK intelligence agencies warned about increasing, large-scale cyber-espionage from China, targeting commercial and political information. We discovered from Ministers that the Foreign Office itself was the subject of a major cyber-attack in October, which officials believe was carried out by Chinese hackers, and this came in the midst of a major row between the Government and the Crown Prosecution Service about the prosecution of spies operating here in Parliament.

We will be looking closely at this legislation to identify where the Government should be addressing this cyber-reality with much greater force. An approach to cyber-resilience that looks only at introducing new regulations and compliance burdens without thinking through risks such as a mandated identity scheme, dependence on non-sovereign suppliers, the malign intent of other nations, and a failure to build up our own workforce and skills is one that will fail.

Sir Julian Lewis

I do not think I heard the Minister mention anything about the risk of cyber-attacks on local government. Does my hon. Friend agree that that is another potentially juicy target for people who wish to cause major mischief?

Julia Lopez

As my right hon. Friend is aware, local government is outside of the scope of the Bill, but it is a very juicy target—much of the public sector remains a very juicy target. In acknowledgment of that, the Government whipped out a strategy very quickly this morning that is meant to give us assurances about the public sector’s cyber-resilience. I am not sure that that strategy will provide much reassurance, which is why it is important to understand that this Bill can only be one part of a much wider arsenal to tighten gaps where they exist, in both the private and public sectors.

Ian Murray

It is worth clarifying for the House that we brought forward the Government cyber-security strategy this morning because the 2022 consultation undertaken by the previous Conservative Government was not acted upon. This Government are acting on those threats, bringing forward a plan that we will subsequently see through, and I think the hon. Lady should acknowledge that.

Julia Lopez

I welcome the strategy, but I have not yet had a chance to have a good look at it, because the Government always seem to publish these sorts of documents right at the last minute. The only way to get any information out of this Government is to apply some pressure in this House, and then, remarkably, things come flying out of the cupboard.

I will be very interested to see what the strategy looks like and whether it is up to the challenge we now face. The problems and risks of cyber have increased markedly since we were in Government because of the advent of AI technology—that technology is changing the picture very rapidly, just as the defence picture is changing very rapidly. My concern is that this Government are not taking seriously enough the various defence and security challenges that this House faces; they are prioritising spending on welfare payments, union payments and all manner of other things. It is one thing to get a strategy out of the door; it is another to put in place the measures that will implement that strategy. Basically, all we have seen over the past 18 months is strategy documents, without a great deal of delivery. That is one of the reasons why the Government are so rapidly losing public confidence.

In conclusion, we support this cyber Bill in principle—the threat is real and growing, and it demands action. However, it is only a tool, not a cure-all. A Government who are trying to close down gaps in one place while wilfully opening up huge new risks in a different corner are being negligent in their approach. Furthermore, if this legislation is to command confidence, it must be practical, proportionate and genuinely effective. Without meaningful improvements, the Bill risks placing new burdens on business while delivering only marginal gains for our national resilience. Cyber-security is a shared responsibility between Government, regulators, industry and the public, but leadership must come from the top, and that is where this Bill currently falls short.

With the private sector taking the lion’s share of the load while gaping holes remain in public sector cyber-defences, the Bill begs obvious questions about the confidence that citizens should have in flagship Government projects such as the Prime Minister’s mandatory digital identity system. As it stands, the Bill would not have prevented high-profile cyber-shutdowns such as Jaguar Land Rover’s, it does little to address the chronic vulnerabilities in the public sector, and it certainly will not make Labour’s dodgy ID database any more secure. That is why, as the Bill progresses through Parliament, we will be pressing this Government to ensure that it delivers genuine security, proper accountability and raised cyber-defences across the board, while taking them to task on major mistakes such as mandatory ID. Cyber-security is no longer a niche compliance exercise; it is about protecting the fundamental economic and defence interests of our nation.

12:35
Matt Western (Warwick and Leamington) (Lab)

I start by welcoming the Bill, which is a serious step forward in protecting the United Kingdom from the great number of cyber-attacks that we face each day. As we have just heard from my right hon. Friend the Minister, this legislation is long overdue. A consultation started back in January 2022, and in April of that year, the then Government identified serious issues and limitations. I was slightly bemused that my hon. Friend the shadow Minister—I do consider her to be a friend—did not cover that in her speech. The previous Government then failed to act for over two years, and as my right hon. Friend the Minister illustrated in his speech, that has proven very costly.

Over the past couple of years, we have seen that cyber-security is not just paramount in our everyday lives; it is crucial. It ensures that there is food on our supermarket shelves and that the lights stay on. It is critical to every corner of the UK, but now we have to move at pace, and not just through this legislation—I urge us to go further. If we are to protect ourselves from our adversaries, we need to develop a true whole-of-society approach to cyber-security and start a national conversation on security at home. This legislation is clearly an important first step. It is a first chapter, but many more must be written if we are going to seriously address our national security, by which I mean our social and economic security.

Increasingly over the past decade, we have seen a blurring of war and peace, with the emergence of hybrid warfare and the widening of the grey zone. We are living in a cyber no man’s land where states or state-sponsored actors—proxies—can act with relative ease and impunity, leaving the world a more dangerous place. The cyber-realm is, and will remain, a key battleground, and it is one that we must seize. Every one of us in the United Kingdom needs to wake up to that fact, particularly with the development of AI and quantum computing and the extraordinary threats that will come from those developments. When it comes to being the target of cyber-attacks, the United Kingdom now ranks third among all nations. In 2024 alone, the NCSC handled an average of four major attacks every week—these are the really serious attacks—and the impact on the economy is staggering. In the same year, cyber-attacks cost the British economy £15 billion, or 0.5% of GDP. When we are trying to increase GDP by 1%, 2% or whatever it is, a hit of 0.5% is so significant.

While 43% of businesses have reported having any kind of security breach or attack over the past 12 months, that figure rises to 67% and 74% for medium and large businesses respectively. Every attack inflicts more pain on UK plc, meaning lower economic growth and lower tax receipts to fund our public services. As we heard earlier, the effects ripple through our whole society.

We have just been talking about the attack on Jaguar Land Rover this summer; that attack cost the company an estimated £500 million, affected over 5,000 businesses and put thousands of jobs at risk, with many of those employees based in my constituency of Warwick and Leamington. The impact was significant, whether it be on cafés, restaurants, pubs or shops, which were all affected by the downturn that immediately led from the shutdown of the factories.

The attack on Collins Aerospace was alluded to earlier. It crippled Heathrow airport, and I think Stansted was affected, too, but less so. It scuppered thousands of hard-earned family holidays in autumn last year, and the ramifications for the travel sector were significant.

It is not just businesses that have been affected. We have seen attacks on councils, as we have heard, and charities. Even the British Library was knocked out two years ago, which impacted so much of our research potential across our higher education institutions. It has significantly affected the UK. The Electoral Commission got knocked out by an attack by Chinese state-sponsored actors. There have been so many other attacks. Even our NHS is not safe. My right hon. Friend the Minister mentioned the attack on Synnovis. Last year, more than 11,000 NHS appointments were lost due to cyber-attacks. The attack in June 2024 on London hospitals by the Russian group Qilin saw 1,100 cancer treatments delayed, 2,000 out-patient appointments cancelled, more than 1,000 operations postponed and, tragically, the death of a patient. The message from across our international partners and the UK’s security services is clear.

Matt Turmaine (Watford) (Lab)

On the attack on the NHS, I worked for 10 years in health and social care prior to being elected to this place, so I witnessed that attack taking place, and nothing could give a starker demonstration of the impact on productivity that cyber-attacks have on our country and our society. There was a meeting of senior clinical commissioning group and other health trust executives in Hertfordshire at the time, and one by one they were forced to leave the room like lights blinking out as the impact of the attack became clear. Does my hon. Friend agree that this Bill is essential to keep our legislation up to date with the new methods of attack that bad actors are using on our state and infrastructure as online technology evolves?

Matt Western

I thank my hon. Friend for sharing his lived experience. I can relate that to when I have spoken to organisations through the Business and Trade Committee and through my role on the Joint Committee for National Security Strategy. I have heard from organisations that have been impacted about how paralysing the immediate aftermath of such an attack is and how it challenges an organisation. It is crucial that these red team, blue team scenarios get played out, but when it is actually happening and a company is facing an entire shutdown of its systems, it is very difficult to navigate. Many have talked about the culture change that is needed, and we need to urgently embrace that change. The experience in the NHS that my hon. Friend mentions is a good example.

These attacks are the new normal and we must be better prepared. In September 2024, led by the FBI and the National Security Agency, the United Kingdom, Germany, Estonia, Canada and a plethora of other allies released their clearest articulation of the threat posed by Russia, and Putin in particular. They said that Russia is

“responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.”

The NCSC annual review in 2024 called the landscape “diffuse and dangerous”, while the 2025 review could not have been clearer in saying “It’s time to act” in the defining text on the front cover. Richard Horne, head of the NCSC, said:

“Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives… The recent cyber attacks must act as a wake-up call.”

Just last week, Andrew Bailey, the Governor of the Bank of England, said that cyber-attacks were one of the biggest threats to UK financial stability and stressed the critically important need for collaborative defence.

The reality should be clear to everyone here. The frontline is everywhere. It is our phone, it is at our desk, it is our businesses, it is our infrastructure and it is even here at the heart of our democracy. Such a threat requires a whole-of-society response. We are not the first to have been targeted. Back in 2007—18 years ago—Russia launched a determined cyber-attack on Estonia. It was damaging and debilitating to Estonia’s society and economy. The cyber-attack was a call to action for Estonia and it responded at pace. It brought about cultural change, which was talked about earlier in the debate. Estonia overhauled its legal, political and strategic framework—even looking at its education system—and adopted a whole-of-society approach to cyber-security, developing a serious public-private partnership to counter the threats posed by Russia. No doubt the Minister will have looked at this case in more detail to understand what learnings could be applied here and to our cyber-security strategy more widely to ensure whole-of-society resilience.

The reality is that cyber-attacks target the weakest link. It was welcome to hear my right hon. Friend the Minister talk about the initiatives with the FTSE 350 companies and some of the smaller businesses about how they should be engaging with these threats. It cannot be acceptable that the most popular password in the United Kingdom is “password”. It is ridiculous. Every one of us must act as guardian against our cyber-adversaries.

The Bill lays out valuable and desperately needed provisions. Its extent and scope are hugely welcome; bringing data centres, large load controllers and managed service providers under the network and information systems regulations protects more of the economy from cyber-attacks. I am particularly pleased to see the inclusion of managed service providers, given the vulnerabilities that organisations often face from external IT suppliers or their supply base.

The amendments to the regulatory framework are a positive step. Improving the reporting of incidents will allow the Government to respond at pace and be agile to the evolving threats and shared vulnerabilities. That said, during the last Parliament, the Joint Committee on the National Security Strategy, which I now chair, called for one cross-sector cyber regulator, and I echo those calls, as I believe that would enable far greater regulation and enforcement. Finally, the improved resilience and security enabled through additional powers granted to the Secretary of State are crucial in enabling the Government to act quickly in real times of crisis.

Despite all the positive aspects of the Bill—I congratulate Ministers after the years of dithering by their predecessor Government—it does leave large parts of the economy outside its scope. As I have mentioned already, how can we incorporate a whole-of-society approach to cyber-security like that of Estonia? There will be many different levers for the Government to pull. This Bill is just one part, and I trust that others will follow swiftly. It is worth noting that the EU’s NIS2 directive is broadly parallel to the Bill before us. However, the EU goes further on cyber-resilience, having added sectors such as manufacturing, food distribution and waste water. Having witnessed such devastating attacks in these sectors in the past year, I urge us to act swiftly with further legislation to address those areas.

In summary, I just restate that I absolutely welcome the Bill, and the three key pillars of the legislation—the expanded scope, improving regulation and strengthening resilience—are hugely welcome, as is the importance of experience reporting and sharing by victims. The cyber-attacks we have suffered this past year must be our inflection point—our call to action. Like Estonia in 2007, we have an opportunity to reinvigorate our cyber-defences and ensure the whole of society is resilient. The shadow Minister mentioned digital ID, and I gently say that that opportunity was seized upon by Estonia at the time and it has since introduced digital ID. It is secure, as it is in Denmark. Estonia looked at the opportunity presented by that challenge and that attack that it faced, and those systems work. That has been demonstrated by both those countries. As the annual review from the National Cyber Security Centre rightly asserts,

“the UK’s cyber security is… a shared responsibility where everyone needs to play a part.”

We parliamentarians have a duty to raise the salience of the issue, and to bring about a national conversation to ensure that everyone plays their part.

Finally, may I gently encourage the Minister to go further and faster, and to look at the broader cyber-landscape, as Estonia did and as the European Union is doing with its NIS2 legislation? May I encourage him to consider introducing legislation to cover food production and distribution, manufacturing and other critical sectors? As I have said, however, the Bill is an important first step, and I look forward to working constructively with him to ensure that the UK and its citizens are secure from, and resilient to, any future cyber-attacks.

Madam Deputy Speaker (Judith Cummins)

I call the Liberal Democrat spokesperson.

14:00
Victoria Collins (Harpenden and Berkhamsted) (LD)

I wish you and everyone else in the Chamber a happy new year, Madam Deputy Speaker.

It is a pleasure to finally address the long-awaited Cyber Security and Resilience (Network and Information Systems) Bill. As has been pointed out today, it is significant. The National Cyber Security Centre reported that nationally significant cyber-incidents had more than doubled since the previous year. The past year’s surge in cyber-attacks on targets ranging from supply chains to hospitals to critical infrastructure has made one fact clear: there is no economic or societal security without cyber-security. Cyber-attacks cost the UK economy £14.7 billion annually. There have been attacks on companies such as Jaguar Land Rover and Marks & Spencer. More important, however, is the impact on the real economy. Thousands of jobs and businesses are hanging in the balance, and our public services and our private data are also being impacted. As the Minister mentioned this morning, the NHS Synnovis ransomware attack resulted in more than 11,000 postponed appointments and procedures. It has even been linked to one patient’s death, which was attributed to the delay that the attack caused. This matters. We must do all that we can to upgrade protection and our security, because jobs, the economy and lives depend on it.

Our economy—imagine it, if you will, as a house—is under attack. The Liberal Democrats welcome the Bill’s intent to upgrade our home security; the addition of data centres, managed service providers and large load controllers means that we are building stronger fences, and that companies with a master key to all our doors have stronger security. Also, the wiring has been upgraded, and the alarm system is being given an upgrade; there is increased incident reporting. However, the Bill leaves the back door wide open by leaving out key sectors. Our alarm system is not sure when it is supposed to ring, and the companies that have the keys to our doors, and are using our house, are asking for simplicity, clarity and support, so that they can do their job properly. While no single piece of cyber-security legislation can act as a silver bullet, those are gaps that we must address.

We are failing to take the whole-economy approach mentioned by the hon. Member for Warwick and Leamington (Matt Western). We are leaving out the public sector and economically significant sectors, such as retail and manufacturing. The Bill’s stated aim is to protect organisations

“that are so essential that their disruption would affect our daily lives.”—[Official Report, 12 November 2025; Vol. 775, c. 26WS.]

However, the Government apparently do not consider their own public services, provided by local authorities, to be essential enough for protection. The £10 million Redcar council incident proves that voluntary schemes are failing local authorities, but after the Bill is passed, Government institutions and councils will still lack statutory protections and ringfenced funding—and all the while, council budgets are getting tighter. I have no doubt that members of the public whose data, be it from the electoral roll or from social care records, sits in these systems would object to the public sector’s exclusion from the Bill.

As has been mentioned, we are also talking about a potential mandatory digital ID system for the whole country. The Government have already said that it would be built with home-made technology. Where will the cyber-protection be in that? What is more, leaving out sectors such as retail and manufacturing would mean that the JLR and M&S cyber-attacks remained out of scope. These are significant sectors. They involve major employers and major parts of our supply chains, and they handle significant amounts of personal data.

The Bill marks a failure of ambition. The Government claimed in response to a letter that we sent on this topic that they

“do not need to wait for or rely on legislation”

to implement cyber-security requirements in the public sector, and will instead use the Government action plan to ensure that the very same requirements in the Bill will be applied to the public sector. Why must we have this two-tier approach? Why leave out economically and socially significant sectors, such as the public sector? Does the Minister agree that we need mandatory cyber-security standards for those absent sectors of our society, governance and economy? If we are serious about national resilience, about protecting citizens’ data and about aligning with our European partners, let us vote on the issue in primary legislation in this Chamber, so that the issue has the full transparency and accountability that it demands.

A further critical gap in the Bill is the failure to embed security by design, and a lack of clear accountability. This should be board-led, to ensure that each lock, door and window of our house is built securely. In 2019, the NCSC published design principles, and last October the Government launched a secure-by-design framework, which was seen as core to their cyber-security standard. However, the Bill not only excludes Government from critical national infrastructure but abandons that key principle, and fails to include the words “by design”, which matters, particularly as ISC2 research suggests that skills shortages are the No. 1 challenge for compliance with cyber regulation in the UK, with 88% of respondents experiencing at least one cyber-security breach as a result of skills shortages. This is also a missed opportunity for our economy and our cyber-security sector. Prioritising security by design would provide the baseline protection that our critical infrastructure so desperately needs. What consideration have the Government given to ensuring security by design?

Effective regulation does not just mean future-proofing; it must be workable. While we welcome expanded incident reporting, the current definitions risk creating a significant regulatory burden. Over-reporting will overwhelm, rather than strengthen, our cyber-security systems. Those who are coming to upgrade our security systems are not being given clear directions. The definition of a “reportable incident” is so broad that it could extend to every phishing email. How will the NCSC feasibly manage the administrative burden when the alarm may be ringing non-stop? Other critical terms lack clarity for industry, including “managed service provider” and the criteria for “digital critical suppliers”, as has been highlighted by techUK and others. These are not just technical details to be ironed out later; they are the difference between a Bill that works and one that does not, and industry needs clarity on how to comply. Will the Minister work with us and with industry to tighten those definitions, so that the Bill is workable, and will he consider the best way to ensure simplicity and effectiveness in incident reporting?

What is being done to support home-grown cyber-security in the UK? What is being done to defend us from hostile foreign interference? With one of the latest defence contracts going to Palantir, what is being done to support UK tech? Would the Government support a digital sovereignty strategy, as suggested by Open Rights Group? The Bill is yet another missed opportunity to support our domestic tech sector, at a time when we should be building UK cyber-security capabilities and creating highly skilled jobs here at home. How can we claim to be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad?

Supporting UK tech and businesses is not just about the providers in the Bill; it is about the thousands of small and medium-sized enterprises that form the backbone of our economy. For the few SMEs and start-ups that are directly affected by it, the Bill creates a regulatory thicket of overlapping rules, different timelines and multiple bodies. Cyber-security is complicated, and for this legislation to work, it must be simple and easily implementable for UK SMEs. What support will there be for those SMEs and start-ups?

It would be remiss of me not to mention the wider cyber-crime landscape. SMEs make up 99.8% of UK businesses, and are often the most vulnerable link in cyber supply chains. The NCC Group confirms that manufacturing, retail and leisure, dominated by SMEs, were the sectors most targeted for ransomware in 2024. That is why the Liberal Democrats are calling on the Government to establish a digital safety net for SMEs—a nationwide first responder service that would provide free-at-the-point-of-use support for small businesses that have been victims of a cyber-attack. Australia is already doing that, providing person-to-person support during and after attacks. If Australia can do it, why can’t we?

On top of all that, the biggest threat is actually fraud, which costs the economy hundreds of billions a year. Two thirds of all fraud begins online, much of it through social media companies with no liability. That is why the Liberal Democrats are calling for social media platforms to be made financially liable for fraud on their sites, which would create a clear line of accountability for criminal activity. Moreover, fraud is a cyber-security issue; it exploits weak systems and inadequate protections. Families lose life savings, elderly people fall victim to sophisticated phishing, and small businesses shut down. The Bill protects infrastructure, but by leaving the back door open, it ignores the billions of pounds of savings lost and the livelihoods upended through online fraud. The Government must address that in their long-awaited fraud strategy. We cannot protect systems but abandon our businesses and our people.

The Bill is progress, but it is not the finish line. The cyber-threat is real, evolving and urgent. The Liberal Democrats will work constructively to strengthen the Bill through amendments, but we must ensure that we do not leave the back door open, and that we future-proof our security. We owe it to our businesses, our families and our national security to get this right.

14:10
Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)

Happy new year to you, Madam Deputy Speaker, to all hon. Members and to the staff.

It is appropriate that we begin 2026 by talking about an issue in the House that is of grave importance to all our constituents, but is not discussed enough either here or in the country: cyber-security. At the start of the millennium, only a quarter of the UK and 6% of the world were online. Today, almost 98% of the UK and 68% of the world use the internet. According to Ofcom, we each spend between three and six hours online every day, depending on our age and interests. For many—perhaps too many—life is lived online. Even when people are not online, the infrastructure of their lives is. Whether people use online banking or not, their bank account details will be stored in a cloud somewhere. The same is true of health records, electricity bills, children’s school records, the safety sensors of our nuclear power plants, Christmas Marks & Spencer orders and Uber ride details.

The Prime Minister said that national security is the first duty of any Government. I hope that all hon. Members agree that the Government must ensure the security of the British people as we go about our increasingly online lives. Previous Governments have not taken that issue seriously enough or done enough to protect our citizens. That is why, as Chair of the Science, Innovation and Technology Committee and a self-confessed tech evangelist, I welcome the legislation. I am pleased to see other members of the Committee here. The Committee has not examined cyber-security in detail, but we have expressed significant concerns about public sector data management, for example, after the Afghan data breach came to light.

As we have heard, the UK’s only cross-cutting cyber-security legislation is inherited from the EU. Since Brexit, the EU has updated those regulations, leaving the UK working in an outdated framework. Meanwhile, nationally significant cyber-incidents, as measured by the National Cyber Security Centre, more than doubled last year. The NCSC also warns that artificial intelligence will “almost certainly” increase both the scale and impact of attacks. When everyone can code, thanks to AI, everyone can hack, and we need to respond to that, because those attacks threaten not only our national security, but our economy. In November, the Bank of England cited, for the first time, a major cyber-attack—that on Jaguar Land Rover—as a factor in its decision to hold interest rates. The JLR breach is estimated to have cost the economy almost £2 billion.

I welcome the Bill, which seeks to expand its scope to new sectors, to make regulators more effective, and to grant the Government additional powers to respond to the ever-evolving threat landscape. However, I must be clear that there is more to be done. My main concern relates to the scope of the legislation. The Bill rightly brings data centres, large load controllers and managed service providers within the scope of regulations, and grants competent authorities the power to designate critical suppliers that are vital to the service provided, yet some of our most economically significant sectors remain outside its core obligations.

Retail is the UK’s largest private sector employer. It handles huge volumes of sensitive customer data, runs complex supply chains, and often relies on legacy IT systems, which make it a prime target for cyber-criminals, yet retail is outside the direct scope of the Bill. The legislation would therefore not have prevented the attacks on Marks & Spencer, the Co-op or Jaguar Land Rover, which affected our constituents so greatly.

I welcome the Government’s plan to promote the new cyber governance code of practice to improve preparedness in sectors such as retail. However, even after high-profile breaches, cyber-security is still not prioritised at board level. A recent report by the Information Systems Audit and Control Association—ISACA—shows that only 56% of company boards take cyber-security seriously enough, and that is after JLR.

The Minister, in his excellent speech, said that it was up to private sector companies to manage their cyber-security. I agree, but how will the Government assess whether that is happening? What will the Government do if there is evidence that companies are not managing their cyber-security effectively and that, as a result, our citizens are not adequately protected?

Without a way of monitoring and enforcing governance standards, large parts of our economy remain exposed. ISACA recommends a statutory review of the uptake and effectiveness of the cyber governance code; powers for regulators to mandate periodic external resilience assessments, such as penetration testing and scenario-based exercises; and a requirement for organisations to appoint an accountable individual who meets defined competency standards.

Government Departments, local administrations and public bodies, such as the BBC, are also outside the scope of the legislation. The Bill does nothing to address long-standing weaknesses in public sector data management, which the Select Committee highlighted. As the National Audit Office declared last year, the cyber-threat to the UK Government is “severe and advancing quickly”. The cyber-attack on the Foreign, Commonwealth and Development Office in October is a clear example of how rapidly the attacks are escalating. We need greater rigour to prevent future attacks and build the public trust that is needed for the implementation of digital ID and other digital transformation projects.

I have not been able to study in any detail the action plan that the Government published this morning, but I will look for clear measures of success when it comes to its implementation, and ways in which the cultural change that was mentioned in the debate, which is needed in the public sector as well as the private sector, has been achieved.

The Secretary of State recently told my Committee that the Government would

“assess the improvements the Cyber Security Bill brings to the UK’s cyber defences through post-implementation reviews, regular engagement with NIS regulators and industry, and monitoring the incidence and cost of any future cyber attacks.”

I would welcome clarification of whether those commitments reflect the statutory requirements in clauses 20 to 22 or additional policy commitments, and how they will be funded.

The Bill rightly focuses on critical national infrastructure, but as we all know, we are only as secure as our weakest link. The supply chains for our critical national infrastructure involve many small businesses, who may or may not be within the scope of the Bill, depending on their designation. How quickly does the Minister envisage businesses knowing whether they have been designated as critical suppliers?

I support the Bill’s proposals for mandatory cyber-incident reporting and recognise the value of the Government’s collecting and publishing data on ransomware and other attacks. However, I share the concerns raised by the Association of British Insurers and others about the feasibility of small businesses meeting the proposed two-stage reporting requirement, and particularly the requirement to submit full reports to regulators and the NCSC within 72 hours.

We have seen that the take-up of Cyber Essentials—the programme to help businesses, and particularly small businesses, achieve the cyber-security they need—is low among businesses. As I said, only 33,000 took it up in 2024. Cyber insurance take-up is also low among small businesses, leaving them vulnerable in terms of skills and protection. Can the Minister say a little about his plans to address that? If the Bill is to succeed, implementation must be done with industry, not to industry, so I echo techUK’s calls for clearer guidance on information sharing and for additional support to help small businesses meet compliance costs.

I hope that the Minister will address the following points specifically. Will the Government consider extending the Bill to economically significant businesses outside its current scope, and empowering regulators to mandate stronger cyber governance and resilience assessments? Will the Government consider including direct measures to strengthen cyber-security and resilience in public administration, including local authorities and Government Departments? Will the Government clarify whether the post-implementation reviews, monitoring of cyber-incidents, and engagement with regulators and industry that the Secretary of State has outlined to my Committee reflect the existing statutory requirements in the Bill? Will the Minister ensure that the new cyber-incident reporting and information sharing requirements are implemented in a practical and proportionate way for small businesses? Will the Government take steps to support cyber insurance take-up? Finally, will they ensure that there is clear guidance on information sharing requirements, and provide additional support to help businesses meet compliance costs?

We need to talk more about cyber-security. I have not touched on some of the national security implications, which the Minister and my hon. Friend the Member for Warwick and Leamington (Matt Western) described very well, but this issue is only going to get more important from the perspective of national security, economic security, and personal safety and security. If we can get the implementation of this Bill right by extending it as necessary, working with industry, supporting smaller businesses, and supporting public trust and public security, then I hope we can build a nation that is not just cyber-secure today, but prepared for the many challenges that lie ahead.

14:22
Sir Oliver Dowden (Hertsmere) (Con)

It is a pleasure to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who has brought tremendous expertise to this debate. In my previous role overseeing national resilience and cross-Government co-ordination of national security threats, cyber-security was probably the one area that caused me the greatest number of sleepless nights. There has been a lot of talk in recent months and years about the increased need to defend the realm and the steps that need to be taken to address the defence of the realm.

We all know from past experience that the first line of any attack on the defence of the realm is highly likely to be through cyber-attacks. Indeed, in a completely different context, we need only to look at the public comments made by the President of the United States a couple of days ago about the first steps that the United States took in its intervention in Venezuela: he talked about the United States’ capability to knock out the power supply there. If we look at our adversaries, particularly Russia, North Korea and Iran, we can see that they are actively inculcating and encouraging environments in which cyber-attacks can be planned and take place. Whether that is done explicitly by private sector individuals or with the connivance of the state, a deliberate grey zone is created, with the desire to increase knowledge of cyber-risks to the United Kingdom and our allies, and to carry out penetrative attacks to that effect. We are likely to see this grey zone warfare continue to increase as a result of the actions that we see in Ukraine and elsewhere.

We just have to look at our own experience. Many hon. Members have made the point that the initial attack on JLR rapidly cascaded and affected many others in the supply chain. From the Government’s own research and testing—this is in the public domain—one sees that a cyber-attack can rapidly cascade into other areas. For example, when we test the impact of a cyber-attack on our electricity system, it rapidly cascades into our water system, which is dependent on electricity. Clearly, it also rapidly cascades into our transport system. Before long, a small cyber-attack becomes a very, very large cyber-attack. In common with all other advanced countries, the United Kingdom is highly exposed to cyber-attacks—a point that I made repeatedly from the Dispatch Box.

I welcome this legislation and the steps that the Minister has outlined today, but I gently caution against what he said. I do not think it was his intention, but he said that this legislation will fix the cyber-security problem. It will not fix the cyber-security problem. No single piece of legislation is ever going to fix the cyber-security problem, nor is this a question of good guys and bad guys or of, “The last Government did nothing, and this Government are doing something.” Each Government must have a fresh look at the challenges of cyber-security, and take necessary and proportionate steps to address the risks.

Matt Western

Given the right hon. Gentleman’s extensive experience, it is very interesting to hear what he says. If he had his time again—this is not to criticise the previous Government, but to ask about the here and now—would he think that this area needs an absolute focus from across Government and across society, because it is such a crucial part of our defence?

Sir Oliver Dowden

Yes, I totally agree. Indeed, that is why the National Cyber Security Centre, working in conjunction with the last Government and now the current Government, has set out the whole-of-Government approach. It cannot just be about the actions of individual Government Ministers or individual actors in the private sector; the whole of Government needs to act together.

On the further steps we could and should have taken—this goes back to my intervention on the Minister—I do think that more pressure needs to be brought to bear on Ministers in terms of their accountability for cyber-security, and I fear that if we do not put this into primary legislation, it can slip further and further down Ministers’ in-trays. Although Ministers have a desire to address it, more pressing and immediate problems distract their attention.

I have some constructive suggestions about how we can improve the proposed legislation. The first is about many of the powers being delegated to secondary legislation or ministerial direction. I do not have a problem with that, because it is essential that we have a framework piece of legislation and then the flexibility to allow secondary legislation to be brought forward to address challenges as they arise, but I urge Ministers to undertake a meaningful and mandatory consultation on any secondary legislation that comes forward, so that businesses and others can contribute to it.

I also caution against Ministers devolving to regulators their duties in respect of cyber-security. Too often—again, this applies to Governments of both colours—regulators are empowered to address cyber-security problems or any other problems. They then charge off in one direction and fail to take into account questions such as proportionality—the impact of the regulations versus their economic burden—and Parliament and Ministers cease to have a significant role. I urge Ministers to keep a tight grip on regulators and on the instructions that they give them.

I would also be a little cautious about some of the arguments made by hon. Members about the need constantly to expand the scope of this legislation to further areas of the private sector. It is very easy for us in this Chamber to talk about the need for further legislation, but when a small business is faced with a huge Act and required to interpret it, it looks a very daunting prospect. My preference would be to continue the sort of co-operation that we have seen through the whole-of-society approach advocated by the NCSC.

On proportionality, I urge Ministers to embrace AI. There are opportunities to use AI to triage incoming attacks and avoid duplication, for example, and a lot of streamlining of the system can be done in that area. On the flipside of AI, we must take very seriously the risk of cyber-attacks posed by agentic artificial intelligence. It appears that we reached an inflection point in November 2025, when Anthropic reported disrupting what it described as the first large-scale cyber-espionage campaign executed largely via agentic AI. We are likely to see much more of this. I would welcome the Minister saying in his concluding remarks what the Government intend to do to ensure that we keep up with this threat, because we are only in the foothills of the risk posed by agentic AI.

Further to the point about the role of the public sector, 40% of incidents handled by the National Cyber Security Centre when I was the Minister responsible were from the public sector, so I question the exclusion of the public sector. I appreciate that the Government have announced a plan. I have not had a chance to look at it, but I can imagine what it contains broadly. The key thing is what stick is applied to public officials and Ministers, outside the core responsible Government Departments, to make sure that they take their responsibilities seriously, so I think some legislative proposals may be needed in that area.

Similarly on budgets, again the core responsible Departments—the Cabinet Office and the Department for Science, Innovation and Technology—will prioritise cyber-security. I fear that other Departments may not, so there is a strong argument for ringfencing cyber-security budgets for all Departments so that money cannot be transferred to more pressing short-term problems, as has often been the case, particularly, for example, in the NHS.

It is very important that we do not overlook the basics. It is very easy to talk about legislation or to talk in high-level terms about threats, but probably the single biggest thing we could do to deal with cyber-risks in this country is to make sure that every time every single business and private individual gets one of those annoying pings on their phone saying that they need to upgrade their software to the latest operating system—it is the same with their PCs, iPads and so on—they do so. That is done by providers, because they know that there is a cyber-risk, and there is a patch to address it. If the patch is applied immediately, that can have a huge effect on the resilience of the whole of society, and the NCSC constantly puts out that message.

We need to look at our resilience in society as a whole when we have a major cyber-attack. We have had major cyber-attacks, but they have tended to be in just one sector, albeit with cascading effects, as with JLR. We have not yet had a whole-of-society cyber-attack—either one that flows out of control from a criminal attack, or a deliberate attack from a hostile state cascading widely across all of society—affecting our electricity, water supplies and so on. I fear that it is only a matter of time before that happens, and we need to look at the resilience of individuals, including the ability to have analogue systems such as battery-powered torches, rather than electric torches, and so on. I started the work on that as a Minister, and I think more needs to be done in that space.

We also need to look at the question of emergency communications. It was certainly my experience that public sector broadcasters—such as, I think, the BBC—are not required to take emergency communications from the Government in such situations. I think that is a loophole that could be exposed in such a situation.

On resilience more broadly, we are in the foothills of the impact of AI. We are going to see vast impacts on employment and how people lead meaningful lives as AI advances more and more rapidly. For the resilience of our society, this House needs to have a much wider debate—not on this Bill, but more generally—about how we address the epoch-changing challenges we are facing.

In conclusion, I think this is a welcome piece of legislation and an important step forward. My hon. Friend the Member for Hornchurch and Upminster (Julia Lopez) correctly highlighted the very important challenges, and they will need to be addressed as this Bill passes through the House. I think it is an important step forward, but it is only one step, and once this legislation is enacted, we will need to be prepared to return to this issue again and again.

14:35
Anna Gelderd (South East Cornwall) (Lab)

I am pleased to support this Bill as the MP for South East Cornwall, which is a constituency of hard-working rural and coastal communities where digital access remains a problem, as there are long distances between services and few alternatives when systems fail. As we know, digital connectivity is a growing necessity for daily life—from traditional farming and fishing businesses to carers supporting vulnerable residents—and access to online job sites, Government websites, and NHS services and emergency support are all part of our new daily existence. Reliable digital infrastructure that is protected from disruption and attack is therefore essential for our economy, public services and community safety.

That is why I am supportive of the actions this Government have taken to improve the lives of my communities, such as the digital inclusion innovation fund, which Labour has put in place to tackle the barriers that stop people getting online in the first place; the roll-out of Project Gigabit, ensuring that rural and hard-to-reach areas are not left behind; and the shared rural network, which is an important landmark partnership between Government and mobile network operators that Labour continues to support to eliminate so-called notspots—I have to say I know about them only too well in South East Cornwall—and improve 4G coverage across rural areas such as mine.

Improved connectivity and cyber-security can support small businesses, enable remote working, improve access to the NHS services we all need, and help young people build their futures through online training, job opportunities and Government support. They can also strengthen our rural resilience, ensuring communities stay connected during emergencies and are better able to adapt to future challenges. My goal is for South East Cornwall to become a digitally connected, resilient and safe constituency, where no one is left behind because of their rural postcode. I am pleased to have been raising constituents’ concerns with Ministers and working with them to improve that for local residents.

Digital systems must also be secure. Cyber-attacks carry real costs for both individual businesses and our wider economy. Businesses in South East Cornwall work hard to provide those services, create local jobs and support our local communities, and there are practical steps that businesses can take. The National Cyber Security Centre provides excellent guidance, but it also matters that businesses know that their Government are acting to protect them as they navigate the growing risks involved in working online. That is why I welcome the action this Bill takes to strengthen our cyber-resilience. May I ask the Minister what is being done on recovery and response planning should incidents occur, as the reality for rural and coastal communities is that outages often last longer and impacts are felt more sharply?

The Bill also presents an opportunity to grow skills, learning and employment across the country. Improving cyber-security standards increases demand for skilled professionals, and it creates pathways into good jobs and long-term careers. That matters for us in South East Cornwall, where we want our young people to see a future locally, without needing to leave to succeed.

This issue also matters for diversity. Our services are stronger when they are designed and protected by people with different backgrounds, experiences and perspectives. Work in this area can open doors for young girls and women into STEM—science, technology, engineering and maths—careers, and help break down the long-standing barriers felt by women under-represented in tech, whether at entry level, in mid-career progression or in leadership roles. The Secretary of State for Science, Innovation and Technology recently welcomed the launch of the women in tech taskforce to bring Government and industry together to identify and dismantle exactly those barriers, and I look forward to seeing the benefits reach the women and girls in South East Cornwall.

It is also important to recognise that cyber-resilience is now a key element of our national security and defence readiness. Staying up to date and agile is essential, particularly as advances in AI and quantum computing not only create new methods for testing, strengthening and securing our systems, but present new challenges that we must face. We have world-class research facilities in the UK, with brilliant minds that can support our national security and ensure that the UK is at the forefront and prepared for future attacks.

The work the Government are doing through the Bill updates the UK’s existing frameworks so that we can respond to new and emerging threats and better protect our communities, as well as safeguarding sensitive information and personal data, but of course there is room for further work in future. With the nationally important Devonport dockyard just across the river from South East Cornwall, many of my local residents cross the Tamar each day to work on site. A serious cyber-attack could disrupt supply chains, compromise secure communications and undermine operational readiness, with real consequences for local safety, local livelihoods and national defence. Supply chain resilience is especially important in South East Cornwall, as many Cornish businesses support larger providers in defence, energy and infrastructure. Ensuring that our services and local systems are resilient protects both local suppliers and national partners. It is essential that the UK defends itself and protects security at home and abroad, so how will the Minister create clear expectations on wider supply chain cyber-resilience, practical support for smaller suppliers such as those in South East Cornwall, and strong incident recovery planning, so that both major defence infrastructure and the SMEs that support it are protected?

For South East Cornwall, the Bill speaks to resilience in the broadest sense. It supports secure services, a stronger economy, new opportunities for skills and jobs, new opportunities for women and girls, and the confidence that the systems we rely on every day are protected. I am glad to support it and the action the Government are taking to keep our digital future safe.

14:41
David Reed (Exmouth and Exeter East) (Con)

I very much welcome the opportunity to speak on Second Reading. The Bill addresses one of the most defining national security challenges of our age and we have heard many valuable contributions from right hon. and hon. Members across the House.

Before entering Parliament, I spent several years working to protect our country from cyber-risks. My background in software engineering gave me a rare view under the bonnet of the systems that now underpin almost every aspect of our daily lives. I saw first-hand how our digital infrastructure works and just how vulnerable much of it remains. I really loved that work, and I am proud to say that as a country we are genuine world leaders, but I would be dishonest if I said that it did not leave me deeply worried at times. That is not because of any single threat or actor, but because of the sheer scale, complexity and relentlessness of the cyber-risks we face. Those risks are only accelerating with advances in artificial intelligence, automation and the advent of quantum computing. Those technologies will, as we have heard today, revolutionise our lives in ways that we are only just beginning to understand. We must adapt alongside them if we are to remain a serious technological and economic power.

Our lives are now dependent on digital systems at every level. From water treatment plants and electricity networks, to transport, financial markets, healthcare and the wider economy, it is fair to say that we are no longer merely supported by digital infrastructure, but built upon it. And when those systems fail, the consequences are not abstract. They are immediate, they are human and they can be devastating.

We have already seen that reality play out in this country. If we cast our minds back to May 2017, the WannaCry ransomware attack tore through the national health service. Tens of thousands of computers were infected, and staff were locked out of patient records, diagnostic systems and telephony. Ambulances were diverted, and thousands of appointments and operations were cancelled, including urgent cancer referrals. The estimated cost to the NHS was £92 million, but the human cost—the stress, disruption and loss of confidence—cannot be measured in pounds and pence. The crucial point, which we have heard made in contributions today, is that while the attack was not targeted at the NHS, it was particularly vulnerable, because it was reliant on outdated and unpatched systems, and on the fragmented digital assets it owned. It was a warning shot that should never be forgotten.

More recently, the private sector has faced similarly sobering lessons. Capita was recently fined £14 million following a cyber-attack that compromised the data of more than 6 million people. British Airways and Marriott International suffered major breaches affecting hundreds of thousands of customers, resulting in substantial penalties and lasting reputational damage. These are not small firms, but sophisticated organisations with scale, expertise and resources, yet still they were exposed. That is why the Bill matters and why I want to work constructively with the Government to ensure that we get it right first time.

Crucially, we must build the ability to adapt and update the framework as technology and threats continue to evolve, while—I refer to the point made by my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden)—not making that burdensome on businesses and organisations.

As the UK’s first piece of legislation to include the words “Cyber Security” in its title, the Bill represents an important step forward. It modernises the network and information systems framework; brings new sectors into scope, including data centres, managed service providers and critical suppliers; strengthens incident reporting requirements; enhances enforcement powers; and allows Government to act decisively—I hope—where national security is at risk. I welcome those objectives and, in particular, the recognition that managed service providers and supply chains are now critical attack vectors. That is absolutely correct. Cyber-threats do not respect organisational boundaries, and our regulatory framework must reflect that reality.

However, the Bill must not be treated as some sort of elixir. Cyber-security is not solved by regulation alone. The Bill strengthens protections for critical national infrastructure but leaves significant questions unanswered—questions that we must address if we are serious about national resilience. One of the most pressing concerns raised by industry is the growing complexity of incident reporting. Organisations already face overlapping obligations under data protection law, sector-specific regulation and, soon, economy-wide ransomware reporting requirements. Add to that multiple voluntary reporting channels, and the landscape becomes fragmented and very confusing. Having been a small business owner, I know that, when dealing with marketing, advertising and payments to staff, having extra layers of complexity, with reporting added on, is a difficult position to be in.

The first hours of a cyber-incident are chaotic: systems are down, decisions are time-critical and staff are under immense pressure. Forcing organisations to navigate multiple reporting regimes in that moment risks distracting them from the most important task, which, as we all know, is containing the attack and restoring services. A unified reporting framework with a single point of contact and aligned timelines would reduce burdens on businesses, while improving the quality of information available to Government. The Bill should move us closer to that outcome, not further away from it. I look forward to working with the Government at the next stage of the Bill to ensure that happens.

We must be honest about the limits of sector-based regulation—the Minister referred to this in his opening remarks. The Bill focuses, rightly, on critical national infrastructure, but many of the most damaging attacks in recent years have occurred outside its scope. Manufacturing, retail and consumer services have been heavily targeted. The attack on Jaguar Land Rover, which many right hon. and hon. Members have referred to today, is estimated to have caused up to £2 billion in economic damage across the company and its supply chain. That is a stark example.

I want to put on the record my deep concern about the precedent being set: the British taxpayer is effectively being required to act as insurer of last resort for major companies that have failed to adequately defend themselves. For large firms that are critical to our economy, the expectation that the public will step in cannot become the norm. Responsibility must sit squarely with the boards and executives to invest properly in cyber-security resilience or face the consequences. I am glad to see that the Government have taken the initial steps to have that conversation with industry.

At the same time, small and medium-sized enterprises, which make up the vast majority of our economy, are particularly exposed. They often lack the skills, budgets and capacity to implement proportionate cyber-defences, yet they sit deep within critical supply chains. A single weak link can have cascading consequences far beyond the organisation directly attacked. If cyber-security is economic security—I think we all agree that it is—we need a whole-of-economy approach. That means combining regulation with incentives, and support and standards that uplift resilience across UK plc, not just at the very top. That should include stronger, secure-by-design requirements for technology products, embedded through procurement and standards, and practical, accessible support for smaller businesses, potentially including consideration of a national first responder model to help small firms recover quickly from cyber-attacks.

We must also address the skills challenge head-on, as cyber skills shortages are already undermining resilience and compliance. If we are to give them more investigatory powers, the regulators themselves will need additional technical and enforcement capacity to deliver the expanded responsibilities set out in the Bill. That capacity cannot be assumed; it must be planned for, funded and developed far in advance.

Finally, I want to raise the issue of cyber-crime law. The Computer Misuse Act 1990 dates from a time when fewer than 1% of the population had access to the internet. Its blanket prohibition on unauthorised access fails to distinguish between malicious attackers and legitimate cyber-security professionals acting in the public interest. That matters: vulnerability research and threat intelligence are essential to defending our systems, yet many professionals in the industry operate in a legal grey area when carrying out work that ultimately strengthens our national security. Updating that framework, including by introducing protections for reasonable research, would modernise the law without weakening it.

In conclusion, the Bill is an important foundation. It strengthens protections for critical services and sends a clear signal that cyber-security is a core responsibility of the modern state. However, legislation alone will not deliver that resilience; it requires co-ordination, clarity, capability and sustained investment, as well as an honest understanding of where the Bill must be strengthened as it moves through Parliament.

Cyber-threats do not stand still, and neither can we. I support the direction of travel set out in the Bill and urge the Government to engage constructively as it progresses so that we can deliver a framework that provides real, lasting protections for our country, our economy and the British citizens.

14:51
Anneliese Dodds (Oxford East) (Lab/Co-op)

I wish you, Madam Deputy Speaker, all parliamentary staff and all Members in this Chamber a very happy new year.

It is a real pleasure to rise to speak in favour of this crucial Bill, which I am pleased to see having its Second Reading. It is also a pleasure to follow the hon. Member for Exmouth and Exeter East (David Reed), who set out many of the stakes that are so critical here. We also heard that in the opening speech by my right hon. Friend the Minister for Digital Government and Data, who described a number of disturbing cases, as others have done during the debate. He also set out the scale of the impact of cyber-attacks with some concerning figures, as did my hon. Friend the Member for Warwick and Leamington (Matt Western). I was particularly struck by the 0.5% hit to GDP from cyber-attacks and the fact that our country has been the third most severely impacted worldwide by cyber-attacks. It is therefore welcome that the Bill focuses on a faster and more joined-up approach to deter and deal with cyber-attacks.

I believe that that approach has gone alongside a really strong grip from the new Government on the need for a sectoral approach to dealing with cyber-attacks. Of course, we unfortunately had to see that, given the attack on JLR. I was pleased to see the previous Secretary of State really engaging with the automotive sector—work that has been continued by the current Secretary of State—on the challenges and lessons that need to come out of that attack, which has been particularly important in my constituency given the significance of BMW Cowley for employment in Oxford East.

I believe it is critical that we assess cyber-security alongside other forms of cyber-criminality, as the head of MI5 has argued for us to do. Cyber-attacks are increasingly being carried out by quasi-non-state actors that operate in the grey zone that the right hon. Member for Hertsmere (Sir Oliver Dowden) talked about, often implicitly backed by Russia or other adversaries. Those attacks are taking place at the same time as a rise in cryptocurrency laundering and disinformation operations.

I am sadly forced to share the assessment of GLOBSEC, the security-focused think-tank, that the pattern of Russia’s hybrid war

“has persisted without an effective Western response”.

There has been an escalation in cyber-attacks, sabotage, disinformation and political interference, but we have not seen the kind of joined-up approach across like-minded democracies that is needed. I was assured recently by my right hon. Friend the Paymaster General that the Government are working with the EU on combating foreign interference. That work clearly needs to be intensified, especially when we see what is happening to other democracies not so very far away from us.

I saw the threat for myself directly in Moldova, where cyber-criminals’ methods are often being used in combination: a cyber-attack on the election regulator coincided with a disinformation campaign sponsored by Russia and disruptions like bomb hoaxes in real life. So while I welcome this legislation, it must be co-ordinated with broader work to protect our country’s resilience and digital sovereignty, and to secure transparency on foreign interference.

In that regard, I will end by mentioning a concerning development: the sanctioning of two British citizens by the United States over the Christmas period, both of whom have worked to deliver transparency, including on foreign interference—clearly relevant to this Bill. Imran Ahmed is from the Centre for Countering Digital Hate, whose dispassionate, evidence-based analysis has uncovered the spread of disinformation, violent racism and material that poses harms to children. Clare Melford is from the Global Disinformation Index, which provides information about the extent of polarisation and disinformation so that companies can make informed choices about where to advertise—a free market approach to providing transparency.

The Minister stated at the beginning of this debate that when national security is on the line, we must be ready to act, and I strongly agree. A number of Members in the Chamber have said how important it is that we have a cross-economy and cross-society approach to these issues. I believe that the sanctioning of these individuals risks chilling transparency, including potentially transparency that can uncover foreign interference. I hope the Government will resist all attempts to reduce transparency. The welcome efforts in this Bill on cyber-resilience must be accompanied by work to counter other cyber and information-related threats to our national digital sovereignty and, more broadly, threats to our national security and interest.

14:44
Bradley Thomas (Bromsgrove) (Con)

I start by putting on the record my broad support for the principles in the Bill. Cyber-threats are among the biggest threats that our country faces. We are living in the grey zone right now—every day, thousands of cyber-attacks take place on private companies, publicly owned companies and infrastructure. This is probably the most profound wave of attacks and hostility that we face; they are in plain sight, but the vast majority of the country and our constituents are unaware of them. That is for good reason: there are many good people working at the National Cyber Security Centre, in the intelligence agencies and the military, across Government and across private industry who do so much to keep us safe. However, that does not mitigate the fact that the threat is real, present and only ever increasing.

It is only ever increasing not just because of criminality in a cyber form, but because of the threats that come from nefarious states, particularly Russia, China, Iran and others that have been mentioned. The Jaguar Land Rover attack is particularly prominent in everyone’s minds. It affected the whole country and affected global supply chains, but it had a particularly profound effect in my constituency, where many of the JLR workforce are based. We have seen what happens if we fail to invest sufficiently in our cyber-defences—such a deficiency in investment only enables those who seek to do us harm. The point has been made that our lives are not somewhat digital; they are fundamentally digital in almost every facet of life.

I would like to emphasise a couple of points in particular. One that I have not heard spoken about much, which I think is both within the scope of the Bill and, at the same time, somewhat adjacent to it, is the role of foreign technology in our supply chains, particularly kill switches. We are seeing increasing numbers of news articles about these switches, particularly relating to energy installations. Questions have been raised on numerous occasions on the Floor of the House about the prevalence of kill switches in Chinese technology in particular and the risk of exposure to an adversarial state abroad that could destabilise our energy systems. I would particularly like to see a joined-up, whole-of-Government approach to tackling the broader threat, instead of it being viewed through a single lens. I know that Ministers will be looking at it across the board, but I would appreciate if the Minister could address how it is being looked at across Government.

Another case is the rise of Chinese-made cars. It struck me that around 12 months ago I rarely saw a Jaecoo or Omoda car on our streets, but now they seem to be everywhere. I cannot help but suspect, given the links that those manufacturers have to the Chinese Communist party, that there are potentially kill switches within those vehicles and, more importantly, that the vehicles are sending data on users’ mobility habits to a foreign adversarial state. The implications of that are profound.

My final point is about the reporting regime. I introduced a ten-minute rule Bill a couple of months ago that touched on the broad principles within reporting, calling on the Government to have a pragmatic approach with regard to the reporting obligations on particularly small companies. I suggested a threshold of £25 million of turnover before a company would be within the scope of my proposed Bill. I chose that threshold because it would omit the vast majority of small or family-owned businesses unless they are designated within one of the 13 critical industries. The reason for that was simply a fear that reporting obligations on small businesses are ever-growing, and for many businesses additional cyber-security obligations could result in significant additional head count that they may not be able to afford. I encourage the Minister to engage as much as possible with representatives of small business to ensure that the reporting obligations are as minimal as possible while capturing the broad principle of the Bill.

I support the broad principle of the Bill; I think it is a step in the right direction. I hope that the Government will adopt a cross-Government approach. This is a wider societal issue that all of us have an obligation and duty to fulfil. I look forward to seeing the Bill’s progress and contributing as it makes its way through Parliament.

15:01
Sarah Russell (Congleton) (Lab)

Happy new year to you, Madam Deputy Speaker, your team and everyone else in the House.

It is no overstatement to say that this is one of the most pressing issues of our time. I suspect that if we were not bringing forward this legislation it would only become apparent quite how pressing it had been when there was a major incident that laid it bare. I think it is one of the marks of successful government that we are, hopefully—I touch wood as I say this—managing to stay ahead of the curve on these incidents. There is nothing more important than national security relating to critical infrastructure. I think it is exactly what our constituents want to see us acting on, and I wish they saw more of us discussing issues on a cross-party basis, with broad agreement. It is welcome to see the Government taking these steps.

I particularly want to discuss the enhanced incident reporting duties on the digital service providers and the duties to inform customers. In short, I have real concerns about how those duties will play out in practice. From my experience of having advised whistleblowers in the financial sector, when there are obligations of this nature, some corporations unfortunately make more effort to avoid complying with them than to comply with them. It is an excellent piece of legislation, and I am not suggesting that the Government should have drafted it in any other way, but we need to look at our whistleblowing laws alongside it, because at the moment we do not have strong enough protections for whistleblowers within UK law. That applies both inside and outside employment settings—for example in relation to contractors and other third parties.

If we do not ensure that people have mechanisms by which they can anonymously report breaches of those sorts of obligations, and if we do not have the right protections for them when they are raising the concerns internally in the first place, we will not be able to make adequate use of the Bill’s excellent provisions. I want to impress upon the Minister how important it is that this legislation is looked at in that wider context.

Also within the wider context is a broader debate—lots of us have touched on this without specifically identifying it—about how we balance the risk across society and the cost of the risk. It is about the risk to individuals, national security, individual businesses and individuals within those businesses, such as directors or other senior leaders. It is about how we ensure that in our country we do not have large tech companies, major data centres and other big private sector businesses taking economic benefits without carrying risk. We need those businesses and they are crucial to us, but we do not want them taking the economic benefits of operating in our advanced economy while the Government and therefore the taxpayer carry all the risk and burden of the regulation.

It is great to see that the Bill contains provisions allowing for financial recovery in the enforcement action that we want to take. It is also fantastic that when it comes to the enforcement provisions and finances associated with it, we are looking at up to 4% of global turnover in terms of potential fines for not complying. My position as a former lawyer is always that I want to know that things are enforceable. There are good enforcement mechanisms in the Bill, and there is plenty of money that could potentially be at risk, which incentivises the kind of compliance that we want to see, but we need to look at the broader societal piece about how we balance the risks and opportunities in relation to tech in general.

I was going to talk quite a bit about my concerns about my local public services and how they can better manage cyber-security. The Legal Aid Agency cyber-attack enabled criminals to steal the details of anyone who had applied for legal aid between 2007 and 2025. The scale of the financial risks to those individuals cannot be overstated; the amount of personal data that that involved was absolutely huge. Six out of 10 secondary schools are now subject to cyber-attacks. The Cheshire Cyber Security Programme is in place to help local small businesses manage their cyber-risk. It provides training for up to five members of staff in small businesses. Our local police powers are being used to try to take proactive steps to improve the situation for our local small businesses.

Schools in academy trusts are spending quite a lot of money on cyber-insurance to try to protect against these risks. We have seen schools across the country shut down because they are unable to open following cyber-attacks. The public sector action plan that the Government published this morning is incredibly welcome in terms of cyber-risk, and I really look forward to the opportunity to go through it in more detail. We again need to look at the balance of cost within our society.

I would like to add to the comments of those who have suggested that we should review the Computer Misuse Act 1990 and the lack of current protections for researchers doing important work in this area. We obviously have several institutions that are currently engaged in cyber-security work, including the Alan Turing Institute and the National Cyber Security Centre. We need to make sure that they have the right remit, because this area is only going to expand when the complexities of AI are added. We must ensure that everyone is protected to do their job effectively. That means protecting individuals, businesses and our wider society.

Lastly, we need to move as quickly as we can on this. It is great that we are maintaining our EU alignment, because realistically the only way that we can continue to be a major player and have considerable influence over companies, many of which now have much larger budgets than major economies, is if we work in conjunction with other countries. That is what our ongoing relationship with the EU should be about.

I thank everyone who has been involved with work on the Bill. I think it is excellent, and it is completely the right direction of travel. It is a shame that the Government doing the right thing every day does not get more publicity, even when it is not likely to grab many headlines. It is about doing the work, getting the right structures in place and moving forward productively in a cross-party way where possible. It is about securing our nation and ensuring that our economy is on a strong footing. There is everything to be said in favour of that.

15:08
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Cyber-attacks are a growing menace for British businesses. They cause chaos for all types of businesses and organisations, both small and large. The consequences of those attacks have hit our economy hard. The disruption caused by the cyber-attacks on Jaguar Land Rover, M&S and the Co-op was felt by many businesses further down their supply chains; for instance, the disruption that hit JLR resulted in a freeze for its steel supply chain, much of it in Wales.

So much of our economy relies on well-functioning digital platforms. Last year, many Lloyds bank customers found themselves unable to access money or pay their bills due to app outages, with that problem compounded by its decision to close high street branches. Yet, bizarrely, Lloyds decided still to pay its chief executive officer Charlie Nunn £5 million in 2024. I make that point to illustrate the lack of accountability we see in positions at the top of these organisations despite massive numbers of people being reliant on those services.

A successful cyber-attack often ends in people having their personal data stolen. That is why it is welcome that the Bill highlights sensible requirements to ensure that businesses properly consider supply-chain risks and their usage of managed service providers, as well as many others. On the other hand, it will be a mystery to many why sectors such as finance, food and drink and retail have not been included, particularly considering how those sectors have been hit hard recently.

The Government would clearly like to achieve security. To do that, it would help if the Bill could be improved to provide greater certainty and clarity for businesses. For instance, how are businesses supposed to manage relationships with managed service providers? For five years, I worked in the cyber-security industry, starting with the introduction of the GDPR, which happened at the same time as the original NIS directive. I found that the cyber-security sector is a well-connected community underpinned by a welcome commitment to sharing knowledge and best practice. For instance, Cyber Wales is a representative body that brings together the Welsh cyber-community. It is an industry that requires input from academia, law enforcement agencies, defence and businesses. There are clusters of success across Wales, including in my constituency. Partnerships built in academia often create spin-off companies that generate jobs. For instance, in Wales, the University of South Wales and Swansea University have done a lot to build up our local cyber-security ecosystem. As the Bill progresses, the Government would be wise to continue to consult regularly with this very engaged community.

It would be helpful to hear what sort of consultations, and how many, have taken place so far. It would also be helpful to hear the Government respond to the Information Systems Audit and Control Association’s proposals, particularly around giving regulators the power to suggest mandatory penetration testing.

The growing cyber-security sector should be a route for much needed economic growth and well-paid jobs in Wales. Many such jobs can be done remotely from anywhere with an internet connection. Recent research from Infosecurity suggests that there are 17,000 vacancies in the cyber-security industry right now, with that figure growing at 10% to 12% a year. That is a huge opportunity for a country like Wales.

Having an effective skills base is one way in which we can guard ourselves against cyber-attacks. Keeping Britain safe from cyber-attacks requires a trained workforce who can marry technical expertise with regulatory competence. I have seen in my professional experience how many people from many other sectors were able to retrain and upskill to work in cyber-security. People with experience in project management or managing processes are very capable of retraining to work in the cyber-security industry. Special thought should be paid to military veterans in particular, who are well suited to those jobs.

One of the questions for the Government should be about how to help more British people into those jobs while ensuring that our education system is equipped to help children pick the sector. That is why I call on the Government to ensure that funding is available for all schools in Wales to take part in the highly successful CyberFirst Wales scheme.

15:13
Mike Reader (Northampton South) (Lab)

I start with a story; it is a real story, but I have changed the names for obvious reasons. It was a Tuesday afternoon and I had a call from our CEO, David, who said to me, “Mike, I am jumping on a plane, but I need you to speak to a law firm we have been working with. This lady called Sandra will ring you from A&A law firm. I want you to speak to her. She will talk to you about a project we have been working on. Sorry I have not been able to read you in until now.” I think, “This is a bit strange. David’s a very busy man, but why would he ring me jumping on a plane?”

Sandra rang me, and it seemed pretty legit. We had a chat and it turns out we may know someone in common. I looked her up on LinkedIn: her firm is legit, she is there, and she has connections similar to mine. She tells me, “I need you to sign a non-disclosure agreement so we can talk to you about the opportunity we are working on with David.” I said that was fine and signed the NDA. I was sent a Teams link and joined a call with Sandra and some of her colleagues. Also on the call was David, my chief exec, whose signal was not good. He said, “Mike, I’m on a plane, but I’ve tried to join just to say thanks so much for being a part of this. We’re looking at an acquisition in your business area. I want you to work with A&A legal partners to ensure they have got the information they need. This is a real opportunity for us to grow. You know that we have been looking to grow the business.” Then his signal dropped off.

I carried on the conversation with Sandra and her partners. They started asking for information that perhaps they did not need—for example, about operational matters and how the business worked. They followed up with another call, in which they started asking for financial information about some of our clients. They followed up with another call in which they asked for financial information about the business. At that point, I thought, “I had better ring David and just make sure this is legit.” When I rang David, I found that he had no idea this was going on. Our business was being attacked through a deepfake intrusion. They had mirrored our chief exec, and used his voice for a call and his image for a Teams call. Had I—this story is actually about a friend of mine—not called my boss to say, “Is this legit?” they could have got away with goodness knows what. That seems quite far-fetched, but Arup, another big British firm, got done by a very similar deepfake scam; it lost £20 million to scammers.

I start with that real story about something that happened to one of my colleagues, because this Bill is really important. It is a framework Bill that will set out how we put in place better standards, procedures and controls, but actually where many businesses—be they data centre providers, managed service providers or those already covered by legislation—fall down is at the point when a human is in the loop. We heard from my hon. Friend the Member for Harlow (Chris Vince) about how to get the culture right, and how to ensure that people are considered in future legislation and guidance that will come off the back of the Bill. I wanted to open up and make that point, because through the Bill, we can do all we can on technical processes and procedures, but it is really important that we focus on the human in the loop and the human aspect, as that is often where these major attacks start.

I am really pleased to support the Bill. Cyber-security and cyber-crime impact our daily lives. I will not repeat the stats, which we have heard from many hon. Members on both sides of the House. They impact the businesses that support our economy, our public services and our banking sector—things that we use every day. It is therefore right that the Bill has been brought forward, although there was a considerable delay following the work done in 2022 by the previous Government. I am pleased that the Bill seems to have cross-party support.

The Bill recognises that attacks involve a wide range of methods, and may involve data centres, outsourced IT providers and complex supply chains working in the sector. That is critical for my constituents in Northampton, who are on the northbound data super-highway from London. In the last six months, we have heard announcements of over £1 billion of investment in new data centres, in both the public and private sectors. I thank the Minister and his Department for all their hard work in securing that investment, which will create new jobs in my constituency. Without improved regulation and clarity, that investment remains slightly uncertain. The Bill will definitely improve that clarity and certainty for the sector, as well as for the many businesses in my constituency that rely on a managed service provider for their IT or provide data centres. That is particularly important for all hon. Members, because the control centre that looks after our security is in my constituency. That data security is therefore particularly important for our personal wellbeing.

I have also looked at this issue from the perspective of the many businesses in my constituency who use managed service providers for their IT. They include large businesses. In my previous business—a business of 7,000 or 8,000 people—an MSP provided our help desk; when I had a problem, I would ring it up. The inclusion of managed service providers is critical to give us better protection and improve standards and resilience, and therefore reduce burdens on the businesses that use them, particularly their cyber insurance costs. I have two asks of Government on this. First, as other Members have done, I ask that we do this proportionately, as change in this area may have a considerable impact on small businesses—both on their MSP costs and their direct costs. I also ask that we work hard to consider how the legislation works with international law, particularly as my experience is that a lot of MSPs, such as HelpDesk, use overseas workforces.

I welcome the stronger reporting requirements. I recognise the point made by the hon. Member for Bromsgrove (Bradley Thomas) about his ten-minute rule Bill on regulation and reporting. From a business perspective, as long as there is clarity—the Bill sets out that there will be greater clarity for business—we get honesty, trust and a business environment in which people understand what they have to do and when they have to do it. The Bill moves us towards that.

I also welcome the much stronger enforcement powers in the Bill. That sends a real message to criminals that there are significant risks to them. To businesses, I say that money talks, and when there are stronger enforcement risks to someone’s business, all of a sudden cyber-security ends up higher up the corporate risk register.

As the Bill is implemented, I ask for genuine consultation with industry. It is particularly important to note that this is a framework Bill.

Kit Malthouse (North West Hampshire) (Con)

The hon. Gentleman is making a very interesting and pertinent speech. I hope he will welcome the fact that the Bill strengthens the requirement on companies to not only look at prevention but have an adequate recovery plan. Does he think that there is adequate sanction in the Bill for those companies that are deemed not to have an adequate recovery plan? My reading is that regulators cannot necessarily fine for a negligent recovery. As the hon. Gentleman said, the human factor so often matters, but surely that matters as much in recovery as it does in prevention.

Mike Reader

I think the Bill goes some way on that, and it is clear that future legislation and guidance will start to frame those issues. There are other ways that we can drive businesses to improve their business resilience planning. It is part of the standard Government procurement process to require business continuity planning to be demonstrated, and many large businesses in our constituencies will be trying to transact with Government, whether local or national, with the NHS or others. Business resilience is also required at other times when the state interacts with business; I think of procurement particularly. My background is in one of those key areas.

I was just saying to the Minister that one concern I have is that this is a framework Bill. There is to be a lot of future guidance, so we need continued consultation—this message has been made by others as well—so that the standards are really clear. The legislation was getting quite messy. We want to make it a lot clearer. We want to be really clear with business, and we want to give organisations early notice, so that they can adjust, rather than springing this on business as we push to address a real threat that has been recognised right across industry.

I come back to my original point: we should consider the human in the loop. When we set guidance and requirements, we should look at how businesses think about the human aspect, as well as the technocratic solutions that would be in a business continuity plan or similar. This is a necessary Bill. I support its aims and focus. It signals real confidence to the market—to those already operating in it, and to those who are coming to invest in great places like Northampton, to build the data centres and other infrastructure that we need.

15:23
Alison Griffiths (Bognor Regis and Littlehampton) (Con)

I refer the House to my entry in the Register of Members’ Financial Interests. I commend my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Exmouth and Exeter East (David Reed) for their excellent speeches. I particularly associate myself with their comments on the Computer Misuse Act 1990 and the need for an extension to our cyber-skills in this country. Before entering this place, I worked professionally in cyber-security and operational resilience, advising businesses of all sizes on how to reduce the risk of cyber-attacks and helping them to understand how far-reaching the consequences of a cyber-breach can be from a commercial perspective, and not just a technical one.

I am vice-Chair of the Business and Trade Committee, and we have heard direct evidence for our report on economic security from Marks & Spencer, Co-op and Jaguar Land Rover, all of which suffered catastrophic breaches last year. Although the attacks were different in form and impact, as the shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), said, they shared a common feature: they were driven by social engineering, not technical failure. Human access was exploited, trust was abused, and controls failed further up the chain. The outcomes, however, were very different.

At Co-op, a more modern, secure-by-design IT infrastructure enabled an early containment strategy, limiting the impact on customers, stores and the bottom line. Marks & Spencer, which had not prioritised early replacement of legacy infrastructure, suffered months of major disruption to customer-facing services and retail logistics. The financial impact alone for M&S is in the region of £300 million, or 45% of its prior year pre-tax profits. Jaguar Land Rover was in a different category altogether. There, the attack cut into operational technology systems tightly integrated with manufacturing operations, bringing production lines to a standstill and disrupting just-in-time supply chains. That shutdown cascaded far beyond a single company, directly impacting numerous suppliers in the midlands regional economy, as many Members have already mentioned, as well as contributing to a measurable fall in UK GDP, estimated to be in the region of £2 billion.

Those cases demonstrate that cyber-risk manifests in three ways: operational risk, financial risk and reputational risk. Too often, even at FTSE level, businesses and boards fail to grasp that this is a potentially devastating combination. I hear the same message repeatedly from industry, including at the Financial Times Cyber Resilience Summit in London, where I spoke at the end of last year. There is frustration from CISOs—chief information security officers—and security vendors that it can be difficult to develop conversations with boards and audit chairs to assign the appropriate resources and strategic prioritisation. Businesses accept that standards must rise, but they want regulation that is targeted, proportionate and focused on prevention, rather than paperwork.

The Bill does some things well. Updating the 2018 NIS framework, expanding coverage where it is genuinely needed and strengthening enforcement powers are all sensible in principle. Faster incident reporting has value, but reporting alone is not resilience. There are gaps that matter. First, the Bill does not go far enough on governance. Cyber failures are governance failures. Responsibility sits not only at board level, but clearly and specifically with chairs and audit and risk committees, yet the Bill stops short of driving meaningful accountability there. Without that pressure, cyber will continue to be delegated downward to IT and operations teams, rather than being owned at the top.

Secondly, there is a risk of confusing activity with preparedness. Increasing reporting obligations after an incident does nothing to prevent the incident from occurring. Prevention is always better than cure, and this legislation needs a stronger emphasis on baseline capability, risk maturity and early intervention.

Thirdly, we must be careful about cost, capacity and particularly enforcement. The implications for SMEs are significant, particularly those that are pulled into scope through supply chains. At the same time, regulators cannot enforce what they are not resourced to oversee. Without credible enforcement, the Bill risks becoming a paper exercise and boards will respond accordingly.

Fourthly, the Bill needs to recognise the connection between, and draw a clear distinction between, IT and operational technology. What works for enterprise IT systems may be inappropriate or even dangerous in OT environments such as manufacturing, critical national infrastructure, energy and logistics. Segregation, architecture and the configuration of security devices must be assessed. Risk profiles differ; controls differ. That nuance matters.

I want to be clear that the Opposition support the aims of this Bill in principle. Cyber-resilience requires a whole-of-society approach involving Government, regulators, businesses and boards working together, but if this legislation is to drive real change, it must be enforceable, proportionate and grounded in how organisations actually operate. Boards and audit committees must feel the weight of responsibility, regulators must have the tools and resources to act, and prevention must be prioritised over post-incident form filling. The National Cyber Security Centre has produced clear, practical guidance for boards, and that should sit at the heart of our approach. We need smarter regulation, properly enforced, not just more of it.

15:30
Amanda Martin (Portsmouth North) (Lab)

I want to start by saying happy new year to you, Madam Deputy Speaker, to the staff, to all in this House and to the residents of Portsmouth.

I thank the Minister for his introduction to the Bill and for highlighting some of the major concerns that cyber-insecurity has caused and continues to cause for this country. I welcome the Cyber Security and Resilience (Network and Information Systems) Bill because it reflects a clear change of direction under a Labour Government, moving from a fragmented and often reactive approach to a cyber-security approach that is strategic, cross-Government, resilient and focused on national capability and everyday solutions. We have heard it said many times in this House that the first duty of any Government is to protect their citizens, and in the modern world that duty must extend to the digital systems we all rely on.

Cyber-attacks now pose a daily threat, not just to Government systems but to the livelihoods and security of people in Portsmouth, where major employers, manufacturers, ports and supply chains are attacked and the consequences are immediate and personal. Production can stop overnight, wages can be put at risk and sensitive personal data can be exposed. Constituents in my city who work for, supply or depend on companies such as Jaguar Land Rover have seen this reality at first hand. When large engineering, retail and manufacturing firms are targeted, the impact ripples far beyond their head offices, reaching workers on the shop floor, contractors, small local suppliers and customers whose orders are delayed or cancelled.

For a city like Portsmouth, which is built on defence, maritime work, engineering skills and complex supply chains, cyber-resilience is not an abstract policy or a technical exercise; it is about protecting jobs, safeguarding family incomes, maintaining confidence in the systems that keep our city working, ensuring the security of the public services people depend on every day, and ensuring that our city’s residents are kept safe. Portsmouth city council has been a target. In late 2024, its website was hit by a cyber-attack called a distributed denial of service—DDoS—attack by a pro-Russian hacking group. The attack made it difficult for residents to access council services online for a period of time. Fortunately, no personal or council services were compromised, but the attack demonstrated that even local public infrastructure in places such as Portsmouth is a target for cyber-actors. This is not just an abstract risk.

Local crime statistics show that cyber-crime is a lived experience for Portsmouth residents. About 16% of residents reported experiencing cyber-crime in a 12-month period, including phishing attempts, online fraud and accounts being hacked. As my hon. Friend the Member for Harlow (Chris Vince) noted, not all these crimes are reported as people feel embarrassed, alone or foolish. That is how these crimes continue to proliferate through our society. Local police crime figures also show significant levels of harassment, malicious communications and other online offences that are often instigated through cyber-attacks. These are not just techie problems; they translate into financial losses, practical inconveniences and, most alarmingly, psychological harms and in some cases people attempting to take their own lives because of the damage that has been caused.

Yes, there is an economic cost to cyber-crime, but there is also a human cost, and that is why this Bill matters. It modernises the UK cyber-security framework by strengthening baseline requirements, improving instant reporting and extending protections to a wider range of essential services and supply chains. Its three pillars are welcome. It recognises that weaknesses in one organisation can rapidly cascade across the entire economy, whether it is through the actions of cyber-criminals or hostile foreign actors. It recognises that cyber-crime is real and its effects devastating.

This is not just about big business; as we have heard, cyber-attacks disrupt NHS appointments, threaten energy and water supplies, and prevent people from living their daily lives. Last year alone, 11,000 NHS appointments were lost due to cyber-attacks, and since 2024 at least five direct cyber-attacks have been targeted at UK water supplies—one of them targeted at Southern Water. In 2025, it was reported that 62% of UK energy organisations experience cyber-attacks.

Crucially, Labour recognises that cyber-security is not only a technical issue, but a workforce and economic one. Clearer standards and stronger oversight give businesses the confidence to invest, raise resilience across the economy and ensure that organisations are not left to face increasingly sophisticated threats alone. The Bill rightly ensures that breaches are reported swiftly within 24 hours, because pace and speed are vital if we are to minimise the domino effect of cyber-crime.

The Bill rightly gives regulators the flexibility and powers they need to act as new threats emerge. That comes with the assurance of resources and transparency, as well as a more consistent strategy, evidence and wider clarity. That is particularly important for Portsmouth. Our city is home to the Royal Navy, with one of Europe’s most significant naval bases sitting alongside a major commercial port, advanced engineering and manufacturing activity and a university that recognises expertise in cyber-crime and digital security. When our city was blitzed in the second world war, we could see it and act on it. Cyber-crime needs to be brought into the light in the same way, so that we can all act on the attacks that are happening and create a different culture in which people do not hide and are not embarrassed to say what has happened to them, their businesses or their community.

Portsmouth already plays a vital role in our national security and industrial base. It is not just a target, but a part of the solution. I am proud that the University of Portsmouth is recognised as a centre of cyber-expertise, with leading research and collaboration on cyber-crime, digital security and economic crime. Its centre for cyber-crime and economic crime brings together multidisciplinary experts studying cyber-crime courses, prevention and resilience, and it works with community groups, schools and local businesses to raise awareness and protect people from cyber-crime. The university also conducts advanced research into cyber-security systems and threat detection through computing and behavioural science, helping to develop real-world solutions that improve organisation and national resilience. These efforts not only support local households and employees, but grow the skilled cyber workforce that the UK needs, which links directly to the economic and security objectives of the Bill.

The Bill lays the foundations for a more secure and resilient Britain, and I am pleased to support its Second Reading. In doing so, I seek reassurances and clarity from the Minister on four key points. First, how will the whole of Government work together to ensure that Portsmouth, with its defence, maritime and manufacturing base alongside thousands of small businesses, local services and the public sector, is supported to benefit fully from the Bill? Secondly, how will the Government work with and reach all employers to strengthen knowledge and skills, long-term economic resilience, accountability and responsibility? Thirdly, how will the Bill be linked to investment in cyber-skills and training, so that we are not left without the people needed to make the changing world an easier place to live?

Finally, how can we ensure that this is just the start of the conversation? How can we use the Bill to help change the culture around cyber-attacks so that individuals and organisations can, yes, take responsibility and ownership, but in a supportive environment, rather than one that lays blame? How can we as MPs across the House encourage openness among our constituents, small businesses, large employers and the public sector alike, so that together we can carry out the Government’s first duty, which is to protect their citizens in a modern, ever-changing world?

15:39
Ben Lake (Ceredigion Preseli) (PC)

It is a pleasure to speak on Second Reading of the Bill. I am very pleased to say that I support the Government’s introduction of the Cyber Security and Resilience (Network and Information Systems) Bill and welcome it as a very important first step in strengthening the protections of the UK’s critical national infrastructure and because it addresses many of the gaps that have been identified in numerous implementation reviews in recent years.

Other right hon. and hon. Members have made the point that the risk and harm inflicted by cyber-attacks are significant and very real. Others have cited their impact on a whole host of businesses and industrial sectors and on society. We have heard about the harm inflicted on NHS services, for example, and many Members have referred to the attacks on JLR, the Co-op and Marks & Spencer. The impact that the attacks had on not only those businesses, but the wider supply chains and local economies, is significant. As the Minister said when he opened the debate, it is estimated that some £14.7 billion is lost to the UK economy annually due to cyber-attacks, which is the equivalent of 0.5% of GDP, so it is right that the Government act to address these risks and harms.

In doing so, the Government comply with one of the calls of the strategic defence review, which stated that the world has changed and, in listing the other, more conventional threats that the country faces, specified that daily cyber-attacks at home are something we need to take very seriously. The Government are right to bring forward the Bill. As other Members have made very clear, the nature of cyber-crime and cyber-attacks and the threat that they pose are ever evolving, so I have a great deal of sympathy with the Government as they endeavour to keep up with what is a very rapidly developing industry and nature of threat.

Although I support the Bill and look forward to working with Ministers as it passes through the House, there are two points on which I would welcome clarity or further consideration by Ministers. A few Members have mentioned the importance of looking at our cyber-resilience in a more holistic manner. Although technical security and safety are very important, and the Bill goes a long way to addressing those matters, it could perhaps be strengthened by looking at our digital sovereignty. Other Members have made the important point that we need to consider supplier concentration in this field and domestic capability. If we fail to do so, we risk long-term dependency.

There are a few examples that I could draw on, but I will use that of Microsoft deciding to suspend the use of some of its services for justices in the International Criminal Court. I am not saying that Microsoft is going to threaten the UK Government or any of our services, but that example illustrates the risk that if we, or aspects of our economy or businesses, are overly dependent on certain suppliers, we are vulnerable. It is right that the Government have a way of preparing contingency plans for that or, at the very least, that they consider the potential impact of over-dependence on certain suppliers.

I wonder whether that consideration could be included as part of the statement of strategic priorities that part 3 of the Bill stipulates will be made by Ministers. The statement could then look not only at technical security as part of its cyber-resilience approach, but at digital sovereignty and domestic capability. In that regard, it would be not too dissimilar to some of the efforts we are starting to see from European partners. France and Germany are starting to undertake similar strategies and reviews of their domestic capability and potential over-reliance on certain suppliers.

My second and final point is to seek clarity from the Minister when he sums up on the directions to certain bodies and persons for national security purposes in part 4 of the Bill. If we accept that the nature of the cyber-threat and the risk to cyber-security are ever evolving, it will be impossible for any one piece of legislation to encompass all the possible dangers we may face. In order to try to future-proof the Bill, especially against national emergencies or crises, I wonder whether Ministers should consider even further last-resort powers, particularly to enable them to direct the shutdown of any domestic data centres or AI systems in the event of a security or operational emergency. I ask that because I am not entirely clear whether the powers already listed in the Bill allow Ministers to do that. If they do not, I ask the Government to consider such powers, so that they are able to intervene appropriately in the event of a future national crisis or emergency caused by AI systems in particular data centres. Such events could cause large-scale harm to the public, especially in the very rare but hopefully unlikely scenario in which the designated persons who are otherwise responsible for those systems refuse to co-operate with the Government.

Having raised those two points, I wish to underline my support for the Government’s efforts in this regard. I very much welcome the Bill and its Second Reading.

15:45
Emily Darlington (Milton Keynes Central) (Lab)

I welcome the Bill and the cyber action plan for public services, which was published today. As we have heard from right hon. and hon. Members’ many great speeches today, this is so important to the UK economy and public.

Despite being one of the smaller countries in the world, we are still one of the biggest targets for cyber-attacks. In the past 12 months, there has been some good news: only four in 10 businesses and three in 10 charities have had cyber-security breaches—the figures are down on the previous year. However, there has been a huge increase in nationally significant cyber-incidents, which have more than doubled in the past year, including the malicious cyber-attacks on critical infrastructure by Russia and China.

These matters are important to companies based in Milton Keynes Central, where one in three jobs are in technology. Milton Keynes is a leader in the development of AI and tech services, including in legal services, financial services and autonomous vehicles. Those companies have experienced cyber-attacks, so the Bill is very welcome. The difficulty is that it misses a huge portion of the discussion, and Ministers have somewhat neglected to mention sovereign technology in their comments or in the strategy. I hope that they will do so in the wind-up.

One role of sovereign technology is to fight cyber-crime. There are many definitions of sovereign technology, so what does it actually mean? To me, most of the public and the industry, it means UK innovation and technology. It is developed in the UK and is UK-owned intellectual property. It means a company paying UK taxes. Most importantly, it means a UK company being accountable to the UK. The Government have talked a lot about their commitment to developing and securing sovereignty, but that needs to be extended to all critical technology and infrastructure. Not only is that important in cyber-security terms, but it has other advantages, too: it is good for the economy, creates innovation and sets the highest standards, and it thereby gets public support and confidence and achieves small business support for absorbing the innovation. It achieves growth by creating not only UK customers, but—ambitiously—worldwide customers.

The Government have done that quite well in the past. They have created safe and secure solutions. Crown Hosting Data Centres is a really good example of a joint venture between the Government and Ark Data Centres. Unfortunately, only 3% to 4% of Government servers actually use it, and we must ask why. What are we doing to promote safe and secure solutions in the UK that would help us to fight for cyber-security and ensure that it is promoted across the public sector, and to ensure that those solutions gain support in the private sector? Instead of using Crown Hosting Data Centres, many are using ones run by foreign firms with securities and standards developed outside the UK. Outages at Amazon Web Services in cloud hosting have cost business millions.

Let us look at other areas where the public rightly worry about cyber-attacks and cyber-security, such as NHS data. We have heard about the impact of cyber-crimes on the NHS and on lives, but it also impacts public confidence. Palantir has a £330 million contract to bring together all NHS data. That is a fantastic initiative and really important, and the public support it because they do not want to have to repeat their health story to each and every doctor, nurse or other health professional that they meet. The difficulty is that using a foreign firm with some questionable alliances has led to an erosion of public trust and to a lack of trust among doctors, slowing the take-up of this important innovation in NHS services. That is partly because the co-founder of Palantir called our pride in the NHS “Stockholm syndrome”. Unfortunately, he misunderstands the very body to which he is selling services and is thereby eroding public trust. I know many UK firms that could have done just as good a job—and probably better, because trust among the public and doctors would have increased.

We hear that Palantir has just won a £240 million contract with the Ministry of Defence for

“data analytics capabilities supporting critical strategic, tactical and live operational decision making across classifications”.

Again, it is hugely important that we are using the latest technology to promote our MOD and that we are tying all that up. I do not think anybody in this House has concerns about the MOD making these kinds of investments; it is who we choose to partner with that drives the concern.

As I have already argued, the reality is that cyber-security has to be UK-focused. We have to protect our national interest and ensure that our partners put our national interest and cyber-security first and foremost. The views of organisations such as Palantir on the NHS and its integration into US Immigration and Customs Enforcement—otherwise known as ICE—lead us to worry that it does not share UK values. It creates a strategic vulnerability. That is what the sector is saying to us, and we should listen to it. Cyber-security is not just about reporting; it is about the investments we make ahead of time. Imagine if those two contracts and their economic opportunities had been given to UK firms. There would be enhanced UK-based cyber-security and greater confidence in our most critical areas of health and the military.

Let me raise another example which, if The Daily Telegraph is correct, I am sure will raise significant public trust concerns. It has reported today that the Government are considering using Starlink for the emergency services network, replacing the existing radio set-up that is used by ambulances, police and the fire service in an emergency—our most critical infrastructure. This company is controlled by a man who has shown his willingness to turn off satellites in Ukraine at his own political whim.

Cameron Thomas (Tewkesbury) (LD)

The hon. Lady is making a really important point about Elon Musk’s Starlink system, but will she go a little further and recognise that not only has Elon Musk switched off Starlink in Ukraine at will, but he has done so on occasions that might have turned the tide of the war?

Emily Darlington

I thank the hon. Member for raising that point. It is important to note that Elon Musk turned off Starlink at very strategic points for the Ukrainian military when it was advancing on Russian-held territory. It is not just that he chose to turn it off; he chose to turn it off at a critical time for the Ukrainian military. I worry that somebody who chooses to do that, and who encourages violence among the UK public at a far-right rally, at which he said,

“Whether you choose violence or not, violence is coming to you. You either fight back or you die”,

is not an appropriate or safe partner for our emergency services.

I absolutely support the comments made by my right hon. Friend the Member for Oxford East (Anneliese Dodds) about transparency, and about some of the actions being taken by those who have been willing to stand up to these companies and demand transparency. While that is probably not the subject of today’s debate, I think we must take those actions as a warning for what is to come.

I welcome the Bill and the action plan, but to truly make the UK safe and secure from state-sponsored or criminal cyber-attacks, we need to ensure that there is a UK sovereign infrastructure, capacity and capability. The Government can lead the way through their own procurement practices by making sure we are partnering with UK sovereign firms. That is good for security, good for protecting us against cyber-attacks, and good for the economy and public trust.

15:56
Andrew Cooper (Mid Cheshire) (Lab)

It is a privilege to follow my hon. Friend the Member for Milton Keynes Central (Emily Darlington), who made a fantastic speech. I do not think mine will be of quite the same quality, but I will do my best.

Having spent my career prior to entering this place as a software developer, it is perhaps not so much a pleasure as a blast of nostalgia to be speaking on this Bill today. The Bill provides for an important and long-overdue update to the NIS regulations, and provides the means to keep those regulations up to date more quickly as new threats emerge. That was a massive gap in our capability left behind by the rather haphazard and cavalier manner of our departure from the EU, and it is absolutely right that we resolve it as soon as we can.

It is a cliché to say that the nature of the threats we face has changed. Whether it is state-sponsored cyber-attacks, hacktivism, identity theft or ransomware attacks, those threats can have a widespread and significant impact on people’s lives, on the wider economy, and on our safety and security. Many Members from across the House have noted the cyber-attack on Jaguar Land Rover—which led to that company posting a loss of £485 million last year and, as I think we heard earlier, to a £2 billion impact on the wider economy—and the Co-op infiltration, which cost that retailer at least £206 million. However, this is not a new issue, and virtually no area of the economy has not experienced attempts to penetrate its systems and cause disruption or steal data.

Cameron Thomas

The hon. Member speaks of the cyber-attacks on Jaguar Land Rover and the Co-op. Those who pay council tax to Gloucester city council have concerns that following a Russian cyber-attack in 2021, that council recently discovered a £17.5 million deficit. Will the hon. Member recognise that too?

Andrew Cooper

I thank the hon. Member for his intervention. I confess that I am not an expert on the IT of Gloucester city council, but I am sure the Minister has heard his intervention, and may wish to respond in his summing up.

I welcome the measures in the Bill to bring managed service providers and data centre infrastructure into scope. When I began my career working on hotel reservation systems, legacy on-premise infrastructure was the standard operating practice. Some organisations would develop their own line of business systems and some would buy in, but virtually all would be hosted on their own servers, often with clever names such as Spartacus, Xena or Buffy the Vampire Slayer—names that I worked with over the years.

That situation changed for a whole pile of reasons, such as the need to support more public access, the requirement to facilitate more home working, huge increases in the speed of domestic and business broadband, the need to provide failover, redundancy and scaling, the shift away from big capital investment towards infrastructure as a service, and wanting to benefit from more rapid roll-out of features and applications that require significant server infrastructure behind them, such as we have seen more recently with AI. Systems have been moving virtually wholesale to those that are managed remotely and sandboxed to multiple organisations, and towards virtual servers or services in data centres, rather than on-premise tin.

Bringing these two areas into scope is obvious, and it is long overdue. I offer a note of caution about this part of the Bill, and it relates to the threshold at which the regulations apply. For managed service providers, we need to ensure that we are providing appropriate levels of cyber-security without blocking new entrants to the market. That applies to critical suppliers, too. The risk is that we end up boosting the hegemony of the big outsourcers and IT suppliers, rather than being able to support new domestic entrants. There is a risk of vendor lock-in, as we have heard several times today. Equally, the threshold on data centres appears to have been set so high that only larger ones will be in scope. I hope that the Minister will keep both of those points under review as the Bill progresses and think about how we can strengthen this provision to strike the right balance.

The other area of the Bill that I want to talk about relates to the regulators. The Minister set out in his opening remarks why he believes a sectoral approach is appropriate, and there is merit to that argument. Sectoral regulators have deep, long-standing institutional knowledge and they understand how the processes work in their sector. However, as I touched on earlier, the consequences of failure are enormous, with real-world impacts on people’s everyday lives. We should not expect an overarching cyber regulator to have the domain-specific knowledge of the water sector or the air traffic control sector, and nor should we expect every sectoral regulator to carry the expertise of how modern scalable data centres that detect faults automatically and automatically failover to different regions or different jurisdictions work. We just need to think about what the priority of an individual sectoral regulator will be, because it will not necessarily be cyber-security. We have to get the balance right, and we need to listen to the sectoral expertise on that.

In conclusion, this Bill is an important and long-overdue update to the UK’s cyber-security framework. I look forward to working with the Government to get the scope and scale of these regulations right and to ensure that all the systems that we rely on every day are secure in the face of current and emerging threats.

16:03
Dr Ben Spencer (Runnymede and Weybridge) (Con)

The cyber Bill should be one of the most fundamentally important pieces of legislation the House will consider in this Parliament, because the UK’s cyber-resilience is a cornerstone of the foremost duty of Government: the protection of the people.

The shadow Secretary of State has already made clear that His Majesty’s official Opposition appreciate the urgent need to act to protect our society, our economy and our security in the face of growing and evolving cyber-security risks. The cyber Bill, however, is a Bill of missed opportunities. It would not have stopped the JLR or Marks & Spencer cyber-attacks. It is silent on the threats from hostile state actors, and it does not answer the fundamental question of: if NIS1 was not enforced, what difference will further regulations make?

Cyber-security is key to our national security. It is too important an issue to play partisan politics with. As a responsible Opposition, we will work with the Government to get the approach to this legislation correct.

Many Members have made insightful contributions today. My right hon. Friend the Member for Hertsmere (Sir Oliver Dowden), who has great experience in this regard, raised the issue of hostile state actors and gave the Ministers some practical advice on which I hope they will reflect. My hon. Friend the Member for Exmouth and Exeter East (David Reed) spoke about his professional experience and about the need for proportionate regulations and modification of the Computer Misuse Act 1900, which was mentioned by several other Members. My hon. Friend the Member for Bromsgrove (Bradley Thomas) made an important point about physical technology and the risk of threats from cellular modules. My hon. Friend the Member for Bognor Regis and Littlehampton (Alison Griffiths) also spoke about her own experience and, in particular, about the importance of the Government’s ensuring that the Bill has an impact. The hon. Member for Ceredigion Preseli (Ben Lake) mentioned digital sovereignty, another important issue which we have discussed on many occasions in this place.

We also heard from the hon. Member for Warwick and Leamington (Matt Western), the Chair of the Select Committee; from the hon. Members for Newcastle upon Tyne Central and West (Dame Chi Onwurah) and for South East Cornwall (Anna Gelderd); from the right hon. Member for Oxford East (Anneliese Dodds); and from the hon. Members for Congleton (Sarah Russell), for Northampton South (Mike Reader), for Portsmouth North (Amanda Martin), for Milton Keynes Central (Emily Darlington), and for Mid Cheshire (Andrew Cooper).

The gravest and the most pernicious risks to UK cyber-security go completely unaddressed by this Bill. Cyber is the emerging battlefield of state security, with hostile state actors ramping up their efforts to disrupt our society, our economy and our democracy apace. Time and again in this Parliament, the Government have baulked at acknowledging the elephant—or, in this case, the dragon—in the room when it comes to matters of national security. Last year the director of GCHQ, the UK’s intelligence and cyber-security agency, confirmed that it devotes more resource to China than any other single mission.

The evidence is clear: the Chinese Communist party is one of the greatest national security threats that our country faces. In November last year, Mr Speaker took the exceptional step of circulating a briefing from MI5 warning of the widespread efforts of individuals and organisations working on behalf of the Chinese Ministry of State Security to target Parliament for intelligence gathering. In the intervening weeks we have learned that Home Office systems were accessed, apparently by a Chinese state-affiliated group. Reports have circulated that the attack is linked to the Chinese gang Storm 1849, previously connected with cyber-attacks on MPs and the Electoral Commission. Furthermore, in December 2025 the Government confirmed that they had sanctioned two Chinese companies for perpetrating what they described as indiscriminate cyber-attacks on the UK public and private sector IT systems.

These are not isolated incidents. They are evidence of a concerted and intensifying campaign on the part of the Chinese Communist party and its affiliates to undermine vital public services and UK businesses. How our country, and how our democratic allies and partners, face the threat of hostile state actors, working in concert, is an epoch-defining challenge. It is a challenge that we must meet, or we will live to regret it.

It is no coincidence that several recent cyber-incidents have targeted organs of Government, with malicious actors rightly perceiving that many of our Departments are the weakest links in the cyber-security ecosystem. The National Audit Office’s 2025 report on Government cyber-resilience laid bare the inconsistent, and in some cases glacial, progress of the Government in making effective improvements in cyber-resilience. Last month’s attack on Home Office IT systems is a stark reminder of the urgency of improving Government cyber-security. His Majesty’s official Opposition have received a clear message from cyber-industry stakeholders: the Government should be leading from the front and setting the standard for effective cyber-resilience. I am pleased that the Government managed, at the last moment, to push out the cyber action plan today. It acknowledges the challenge, but how it will ensure that change is delivered is unclear.

Attacks on household names such as Jaguar Land Rover, Marks & Spencer and the Co-op have raised public awareness of the risks we face, with consumer supply chains interrupted and jobs put in peril. However, the Bill would not have prevented those attacks had it been in force when they took place. Given the constraints on public finances as a result of the Chancellor’s reckless Budget decisions, the Government need to ask themselves how many cyber-attacks of the magnitude of that on JLR we can afford to bankroll. The Government must undertake an urgent review to identify companies whose failure as the result of a cyber-attack would present a comparable risk to the UK economy to that on JLR.

Failing to address all the urgent problems will leave an open goal for malicious cyber-actors to undermine the UK’s security and prosperity. The House is unlikely to revisit cyber-security legislation for some time. The threat to our economy and national security from malicious cyber-actors is one of the most serious we face as a country.

In the parliamentary debate after MI5’s China espionage briefing, the Minister for Security pledged to strengthen the legislative tools available to disrupt the threat. Why not use the opportunity presented by the Bill to address that head-on? We stand ready to work with the Government to stand up for and protect our country, and to prevent the Bill from becoming yet another missed opportunity.

16:11
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

First and foremost, I thank all Members for their contributions to the debate. I am glad that the House has welcomed the Bill, with deep expertise shown by Members on both sides of the House. Of course, Members have asked questions and I will try to share the Government’s approach. Before that, let me set out what is at stake.

The UK is the most cyber-attacked country in Europe. In 2024, more than 600,000 businesses were subject to a cyber-attack, the average cost of which was just over £190,000. The cost of cyber-attacks to UK businesses in aggregate is estimated to be £14.7 billion a year. The personal experience of my hon. Friend the Member for Northampton South (Mike Reader) is on my mind, as well as the facts that my hon. Friend the Member for Warwick and Leamington (Matt Western) shared, such as the most common password in this country being “password”, and, indeed, the comments of my hon. Friend the Member for Mid Cheshire (Andrew Cooper) about Buffy the Vampire Slayer being an effective name deployed in some contexts. The combination of aggregate impacts and such personal experiences is the motivation for the Bill.

National security is the first responsibility of any Government. Cyber-threats have grown and the previous Government failed to move fast enough in the light of that. This Government are acting robustly to ensure that the British public are secure. The big message is, “Let’s ditch legacy systems and platforms and move to a more secure future.” We have done that by ditching the Conservative party; it is time to do it across our economy.

Let me deal with some of the themes that hon. Members raised, especially threats from AI that will emerge in future. The right hon. Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Congleton (Sarah Russell) mentioned those threats. AI will almost certainly continue to make elements of cyber-intrusion operations more effective and efficient, and cyber-threats more frequent and intense. That is why it is important that organisations take steps to bolster their cyber-defences. Under the Bill, organisations must have regard to the state of the art when maintaining the security of their network and information systems. That applies not only to cyber-defences, but to cyber-threats.

The right hon. Member for Hertsmere mentioned agentic AI, and I am conscious that it will be a particular risk. A significant source of mitigation must be the quality of our capability in the private sector, but also in the public sector. I pay tribute to the work of the AI Security Institute, which is right at the frontier of understanding the risk of agentic AI.

Several Members asked questions about scope. Of course, there is a significant risk across our economy, but we have chosen to focus, as NIS regulations have historically done, on essential services, the failure of whose network and information systems poses imminent threat to life to the British public. For that reason, the scope of the Bill is tight. That is not to say that other businesses should not do a great deal to protect themselves against cyber-attacks. However, the Government need assurances that the resilience to cyber-attack of essential services, the disruption of which would have the most profound consequences for public safety, national security and economic stability, is prioritised. Of course, businesses outside the scope of the Bill should make it a critical business priority to gain the same assurance without the need for as much Government intervention.

I am aware of the points made by my hon. Friends the Members for Lichfield (Dave Robertson) and for Warwick and Leamington, the Chair of the Joint Committee on the National Security Strategy, as well as by my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), the Chair of the Science, Innovation and Technology Committee, on Jaguar Land Rover. In that instance, the Government acted swiftly in exceptional circumstances by providing a £1.5 billion loan guarantee to protect jobs, support businesses in the supply chain, and preserve this vital part of British industry. However, as the hon. Member for Exmouth and Exeter East (David Reed) noted, that should not be the expectation on Government; businesses must look to their own defences as a matter of corporate responsibility.

David Reed

Will the Minister give way on that point?

Kanishka Narayan

I might just make a bit of progress.

My hon. Friend the Member for Warwick and Leamington mentioned the food sector and food retailers, given recent attacks. Following the attacks on Marks & Spencer and Harrods, my hon. Friend the Minister for Food Security and Rural Affairs has written to and engaged deeply with the chief executive officers of major food retailers to advise on how the food sector can best protect itself from cyber-threats.

There is a broader question about sectors that are not regulated by this Bill, which has been raised by numerous Members from across the House. The fact that a sector is not regulated under the Bill does not mean that organisations in it cannot protect themselves against cyber-attacks. As I said, the Bill is not designed to cover every sector. Where sectors are covered by existing regulations, and where the Government do not consider it essential to regulate a sector through the Bill, we have taken a proportionate approach. Introducing blanket coverage for whole new sectors would create extensive regulatory burdens for more of our economy, stifling economic growth. At the same time, this Bill will enable the Government to bring more sectors into scope in the future, and to take swift action if national security is at risk.

The Bill sits alongside a series of actions that the Government have taken. I highlight in particular the fact that the Government have written to UK businesses and trade bodies across sectors to make sure that they are embedding cyber essentials across their supply chains, that they are making cyber-resilience a board-level priority, and that the NCSC’s early warning system and advice is heeded.

Both Conservative Front Benchers, the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted (Victoria Collins), and my hon. Friend the Member for Congleton spoke about coverage of the public sector. The public sector requires a significant step change in cyber and digital resilience. As has been mentioned numerous times, today we have published the Government’s cyber action plan, backed by £210 million of investment. The plan takes decisive action and holds Government Departments accountable for their cyber-security and resilience, as well as providing them with more direct support and services, and co-ordinating responses to fast-moving incidents.

I will take up the point made by the right hon. Member for New Forest East (Sir Julian Lewis) about the juiciness of local government digital provision. I share his enthusiasm. The Government’s cyber action plan takes into account wider Government and public sector coverage. In fact, it strengthens, clarifies and joins up how lead Government Departments hold the wider public sector, including local government, to account for improved and equivalent cyber-resilience.

I will make an observation about the points raised about not just reporting and assessment, but recovery and resilience. I flag to hon. Members from right across the House that our proposals for security and resilience requirements are being prepared for secondary legislation. They will align with the NCSC’s cyber assessment framework, which relates to effective response and recovery. A consultation is likely in the year ahead.

There were a series of questions and comments about regulators, and proportionate and effective regulation. The Bill allows regulators to make sure that they are well resourced to carry out their duties, and can charge reasonable fees to cover more of the cost of their activities under the regime. It will enhance the regulators’ impact by ensuring clearer information gateways and increased incident reporting, and establishes a unified set of objectives. The shadow Secretary of State talked about regulators not finding enough incidents, and about them finding too many, but I will let her work out the obvious contradiction in her position.

I say in response to the right hon. Member for Hertsmere that there is clear scope for AI capability to be used in triage. I very much hope that the reviews that the Secretary of State must undertake—they are embedded in the Bill’s requirements—will ensure that we look at efficient ways that regulators can do that.

The Chair of the Science, Innovation and Technology Committee, my hon. Friend the Member for Newcastle upon Tyne Central and West, made a point about the frequency and quality of the reviews of the regime in this Bill. The Department for Science, Innovation and Technology will monitor and evaluate the new framework in reviewing the effectiveness of the regime. The Bill requires the Secretary of State to lay before Parliament a report on the operation of certain NIS legislation, and to publish one at least every five years. It will be an extensive review, so we want to make sure that it is proportionate, rather than overly frequent. The commitments made by the Secretary of State to the Chair relate primarily to the Bill.

In response to the points made by my hon. Friends the Members for Warwick and Leamington, and for Mid Cheshire, about the possibility of a cross-sectoral cyber regulation approach, I flag that 12 regulators are responsible for enforcing this regime, because different sectors rely on different technologies, and have very different risk attitudes and responses to vulnerabilities. It is right that we use sector expertise to address sector-specific issues.

The hon. Member for Bognor Regis and Littlehampton (Alison Griffiths) made an appropriate point about enterprise IT and operational technology being differentiated. That is why we have used a sectoral lens; it is a very tractable way of differentiating the risk factors. We have set out a sectoral approach, but that does not preclude the Secretary of State from setting out, in a statement of strategic priorities, the possibility of co-ordination and information sharing across regulators.

In response to the points made by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted, as well as the hon. Member for Exmouth and Exeter East, about making sure that incident thresholds are clear and proportionate, the 24-hour light-touch notification requirement is proportionate. All that is needed is information alerting the regulator and the National Cyber Security Centre to the nature of the incident; the system does not rely on over-regulation. With the exception of data centres, reportable incidents that affect operators of essential services would need to have affected the operation of significant network and information systems right across the entity, and to have a significant national security impact. That is extremely unlikely to include minor matters, such as the receipt of a phishing email.

The Chair of the Treasury Committee, my hon. Friend the Member for Hackney South and Shoreditch (Dame Meg Hillier), made a point about financial services organisations, and I respond simply by flagging that UK financial services are resilient against cyber-threats. The threats are of course growing, but the regulatory approach taken by the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England was one of the sources for the approach we have taken in this Bill. Regulatory overlap was mentioned; this Government will make sure that businesses that have to navigate multiple regulatory frameworks with multiple services will face minimal burdens. We will work with our regulators and international authorities, including those in the EU, on the implementation of the Bill.

Turning to the impact on business, and the Bill ensuring a proportional approach to security, the Government will regulate only when that is necessary to protect our economy and our country from serious harm. A single attack can disrupt hospitals, transport and vital services, putting lives at risk, and we will not gamble with our economy or our people’s safety. The cost of doing nothing is, of course, too great. As I have mentioned, cyber-attacks drain almost £15 billion a year from UK businesses. At the same time, this Bill takes a proportionate approach to ensuring the safety of British people.

Board-level responsibility was brought up by a number of Members from across the House. I simply say that all business leaders need to take responsibility for their organisation’s cyber-resilience. On 13 October last year, the Government wrote to chief executives, requesting that they make cyber-security a board-level responsibility. The Government’s new cyber governance code of practice focuses on the governance of cyber risk specifically, and we will consider using secondary legislation to require companies to clarify their cyber-security responsibilities at board level.

A number of Members raised the issue of the effect on small and medium-sized businesses. Growth is the Government’s No. 1 mission, and small businesses are the engine room of that growth. They provide many of our most important services. That is exactly why small and, particularly, micro-sized managed or digital services are exempt from regulation under this Bill. They can be regulated only if they are designated as critical suppliers, and there will be an extremely high bar for designation. That should answer the question from my hon. Friend the Member for Mid Cheshire about companies meeting the bar for designation. A point was made about the ability of small businesses to tell quickly whether they are in scope. The regulator will complete an investigation process, which will include giving notices and having consultations with relevant businesses, prior to confirming whether an organisation meets the criteria for being in scope. That process needs to be robust, but we hope to make sure that those regulatory processes are proportionate, too.

I turn to a critical question from my hon. Friend the Member for Milton Keynes Central (Emily Darlington), my right hon. Friend the Member for Oxford East (Anneliese Dodds) and the hon. Member for Ceredigion Preseli (Ben Lake) on long-term sovereignty and capability in this country. Over the last decade and a half, the Conservative party in government sold this country’s strategic leverage over the primary sector, software and digital infrastructure. We will not repeat that mistake. We have already committed, right across the board, to extremely robust digital sovereignty measures. We have committed £500 million to a sovereign AI fund. We have made sure that there are tens of billions of pounds pouring into this country as capital infrastructure for AI, and British firms like Nscale are right at the heart of that. There is an advanced market commitment to cloud compute, to make sure that British companies are right at the heart of the provision of core infrastructure in future. Through the British Business Bank, we are committing tens of billions.

David Reed

We talk about sovereign capability, but how can we have fully sovereign capability when we do not own the means of production of most advanced chips?

Kanishka Narayan

I point the hon. Member to a thriving compound semiconductor cluster in south Wales, as well as chip manufacturing companies. If he doubts how advanced Arm is—the primary chip design company in the world—I would advise him to read a primer on the chip company supply chain.

The Government are pursuing a clear sense of digital sovereignty. On China, I flag that we are taking stronger action to protect our national security, including our critical national infrastructure, as well as making sure that, where appropriate, we look for opportunities for co-operation. The national security strategy, the independent review of state threat legislation and our new powers on counter-terrorism will make sure that we do that.

I am conscious that I am testing your patience, Madam Deputy Speaker, so I will simply flag a final point. The “whole society” approach was mentioned by a number of right hon. and hon. Members. We are making a series of investments in skills to ensure that young people are inspired to pursue careers in cyber-security. On the points made by my hon. Friends the Members for South East Cornwall (Anna Gelderd), and for Portsmouth North (Amanda Martin), I am deeply passionate about ensuring that young people—young women and girls, in particular—in their areas, Wales and across the country pursue thriving careers in cyber-security.

National security is the first responsibility of this Government. The Bill could not be more necessary for confronting developments in global cyber-threat. I thank all right hon. and hon. Members for their engagement with the Bill as it progresses. I encourage them to engage deeply. To all rogue organisations with hackers at the helm—I do not just mean the Conservative party—I say this: your time is up. With this Bill, we will make sure that the British public are secure.

Question put and agreed to.

Bill accordingly read a Second time.

Cyber Security and Resilience (Network and Information Systems) Bill: Programme

Motion made, and Question put forthwith (Standing Order No. 83A(7)),

That the following provisions shall apply to the Cyber Security and Resilience (Network and Information Systems) Bill:

Committal

(1) The Bill shall be committed to a Public Bill Committee.

Proceedings in Public Bill Committee

(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Thursday 5 March 2026.

(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.

Consideration and Third Reading

(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.

(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.

(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.

Other proceedings

(7) Any other proceedings on the Bill may be programmed.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Money)

King’s recommendation signified.

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise the payment out of money provided by Parliament of:

(1) any expenditure incurred under or by virtue of the Act by the Secretary of State or another public authority, and

(2) any increase attributable to the Act in the sums payable under or by virtue of any other Act out of money so provided.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Ways and Means)

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise:

(1) the imposition of charges under or by virtue of the Act; and

(2) the payment of sums into the Consolidated Fund.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Carry-over)

Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),

That if, at the conclusion of this Session of Parliament, proceedings on the Cyber Security and Resilience (Network and Information Systems) Bill have not been completed, they shall be resumed in the next Session.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)

The Committee consisted of the following Members:
Chairs: Emma Lewell, Esther McVey, †Dr Andrew Murrison, Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
† Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
† Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
† Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
MacNae, Andy (Rossendale and Darwen) (Lab)
† Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty's Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
† Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Witnesses
Jen Ellis, Associate Fellow, Cyber and Tech, Royal United Services Institute
David Cook, Partner, DLA Piper
Jill Broom, Head of Cyber Resilience, techUK
Stuart McKean, Chief Executive Officer, Nine23
Dr Sanjana Mehta, Senior Director of Advocacy, ISC2
Matt Houlihan, Vice President, Government Affairs, Europe, CISCO UK and Ireland
Ben Lyons, Senior Director of Policy and Public Affairs, Darktrace
Chris Anley, Chief Scientist, NCC Group
Dr Ian Levy CMG OBE, VP of Security, Amazon
Public Bill Committee
Tuesday 3 February 2026
(Morning)
[Dr Andrew Murrison in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
09:25
The Chair

Good morning, everyone. We are now sitting in public and the proceedings are being broadcast. I remind Members, please, to switch electronic devices to silent, and that tea and coffee are not allowed during sittings. Today, we will first consider the programme motion on the amendment paper. We will then consider a motion to enable the reporting of written evidence for publication and a motion to allow us to deliberate in private about our questions before the oral evidence sessions. In view of the time available, I hope we can take those matters formally without debate. I call the Minister to move the programme motion standing in his name, which was discussed yesterday by the Programming Sub-Committee for the Bill.

Ordered,

That—

1. the Committee shall (in addition to its first meeting at 9.25 am on Tuesday 3 February) meet—

(a) at 2.00 pm on Tuesday 3 February;

(b) at 11.30 am and 2.00 pm on Thursday 5 February;

(c) at 9.25 am and 2.00 pm on Tuesday 10 February;

(d) at 9.25 am and 2.00 pm on Tuesday 24 February;

(e) at 11.30 am and 2.00 pm on Thursday 26 February;

(f) at 9.25 am and 2.00 pm on Tuesday 3 March;

(g) at 11.30 am and 2.00 pm on Thursday 5 March;

2. the Committee shall hear oral evidence on Tuesday 3 February in accordance with the following Table:

Time                           Witness
Until no later than 10.00 am   Royal United Services Institute; DLA Piper
Until no later than 10.40 am   techUK; Nine23; ISC2
Until no later than 11.25 am   Cisco; Darktrace; NCC Group; Amazon
Until no later than 2.40 pm    Information Commissioner's Office; Ofcom; Ofgem
Until no later than 3.00 pm    Inter-Parliamentary Alliance on China
Until no later than 3.20 pm    Professor John Child, Professor of Criminal Law, University of Birmingham
Until no later than 3.40 pm    National Police Chiefs’ Council
Until no later than 4.00 pm    The Worshipful Company of Information Technologists
Until no later than 4.20 pm    NHS Greater Glasgow and Clyde
Until no later than 4.50 pm    Fortinet; Palo Alto Networks
Until no later than 5.10 pm    Department for Science, Innovation and Technology

3. proceedings on consideration of the Bill in Committee shall be taken in the following order: Clauses 1 to 22; Schedule 1; Clause 23; Schedule 2; Clauses 24 to 61; new Clauses; new Schedules; remaining proceedings on the Bill;

4. the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Thursday 5 March.—(Kanishka Narayan.)

Resolved,

That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Kanishka Narayan.)

The Chair

Copies of written evidence received by the Committee will be made available in the Committee Room.

Resolved,

That, at this and any subsequent meeting at which oral evidence is to be heard, the Committee shall sit in private until the witnesses are admitted.—(Kanishka Narayan.)

09:26
The Committee deliberated in private.
Examination of Witnesses
Jen Ellis and David Cook gave evidence.
09:27
The Chair

We are now sitting in public again. We have heard declarations of interest. If there are any others, please say. We will now hear oral evidence from Jen Ellis, associate fellow for cyber and tech at the Royal United Services Institute, who is joining us online, and David Cook, who is a partner at DLA Piper. Thank you for coming.

Before calling the first Member to ask a question, I remind Members that questions should be limited to matters within the scope of the Bill. We must stick to the timings in the programme order that the Committee has agreed to. For this session, we have until 10 am. I call the shadow Minister.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

Q Thank you, Jen and David, for coming to give evidence to us this morning. Two questions. First, one to you, Jen. Lots of UK corporations have been the subject of recent major cyber-attacks, such as Jaguar Land Rover and M&S. Under the Bill as drafted, these remain outside the scope of the regulation. In your view, what is the best way to mitigate the risk to the economy, jobs and supply chains of further cyber-attacks of that scale to these important out-of-scope businesses? Secondly, and linked to that: Mr Cook, what lessons have you learnt from assisting clients with the implementation of NIS2—the second network and information systems directive—on the need for certainty in legislation? What do you think will be the most challenging areas of business to implement this Bill?

Jen Ellis: There is a thing that you always hear people say in the cyber-security industry which is, “There are no silver bullets”. There is no quick fix or one easy thing, and that definitely applies when looking at policy as well. I cannot give you a nice, easy, pat answer to how we solve the problem of attacks like the ones we saw last year. What I can say is that, looking at the Cyber Security and Resilience Bill specifically, I think it could include companies above a certain size or impact to the UK economy. The Bill currently goes sector by sector— which makes lots of sense, to focus on essential services—but I think we could say there is another bucket where organisations beyond a certain level of impact on the economy would also be covered. That could be something like the FTSE350. Including those might be one way to go about it, but it is worth noting that it would not simply solve the problem because the problem is complex and multi-faceted, and this is just one piece of legislation.

David Cook: With respect to NIS2, that is an example of a whole suite of laws that have come in across the European Union—the Digital Decade law; I think there are something like 10 or 15 of these new laws. They do all sorts of different things, and NIS2 sits within that. NIS2 is the reform of the NIS directive, which is the current state of play in UK law. NIS2 gives certainty and definition, by way of the legislation itself and then the implementing legislation, which means that organisations have had a run-up at the issue and a wholesale governance programme, which takes a number of years, but they know where they are headed, because it is a fixed point in the distance, on the horizon.

The Bill we are talking about today has the same framework as a base. The plan then is that secondary legislation can be used in a much more agile way to introduce changes quickly, in the light of the moving parts within the geopolitical ecosystem outside the walls. For global organisations with governance that spans jurisdictions, a lack of certainty is unhelpful. Understanding where they need to get to often requires a multi-year programme of reform. I can see the benefits of having an agile, flexible system, but organisations—especially global ones, which are the sort within the scope of this Bill—need time to prepare, recruit people, get the skillset in place, and understand where they need to get to. That fixed future point needs to be defined.

Chris Vince (Harlow) (Lab/Co-op)

Q I feel that I should declare an interest as the MP for Harlow, which has a large data centre within it. My question is about international alignment. Is this legislation in keeping with developments that you are seeing globally?

David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.

Bradley Thomas (Bromsgrove) (Con)

Q Picking up on what Jen mentioned about FTSE and publicly traded companies being within scope, is there a view on ensuring that privately owned companies of a particular scale are within scope, and if so, how will you determine that? Might it be based on things such as turnover or number of employees, or would it be some other identifiable characteristic?

Jen Ellis: For sure, it should not come down to whether you are public or private; it should be about impact. Figuring out how to measure that is challenging. I will leave that problem with policymakers—you’re welcome. I do not think it is about the number of employees. We have to think about impact in a much more pragmatic way. In the tech sector, relatively small companies can have a very profound impact because they happen to be the thing that is used by everybody. Part of the problem with security is that you have small teams running things that are used ubiquitously.

We have to think a little differently about this. We have seen outages in recent years that are not necessarily maliciously driven, but have demonstrated to us how reliant we are on technology and how widespread the impact can be, even of something like a local managed service provider. One that happened to provide managed services for a whole region’s local government went down in Germany and it knocked out all local services for some time. You are absolutely right: we should be looking at privately held companies as well. We should be thinking about impact, but measuring impact and figuring out who is in scope and who is not will be really challenging. We will have to start looking down the supply chain, where it gets a lot more complex.

Tim Roca (Macclesfield) (Lab)

Q This question is mainly for Jen. Your colleague Jamie MacColl has made a series of forthright comments about the Bill and compared it to NIS2. How does the Bill compare to legislation worldwide?

Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.

On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.

The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.

The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.

The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

Q Thank you very much to both of you for your insights today. The question on my mind is related, in part, to the point that Jen raised. There are a range of levers at the Government’s disposal in thinking about and acting on cyber-security. I am interested in your thoughts on which parts of the economy ought to be in the scope of regulation and legislative measures, and where effective measures that sit outside of regulation and legislation—guidance being one from a range of non-regulatory measures—would be better suited.

Jen Ellis: Again, that is a hugely complex question to cover in a short amount of time. One of the challenges that we face in the UK is that we are a 99% small and medium-sized business economy. It is hard to think about how to place more burdens on small and medium businesses, what they can reasonably get done and what resources are available. That said, that is the problem that we have to deal with; we have to figure out how to make progress.

There is also a challenge here, in that we tend to focus a lot on the behaviour of the victim. It is understandable why—that is the side that we can control—but we are missing the middle piece. There are the bad guys, who we cannot control but who we can try to prosecute and bring to task; and there are the victims, who we can control, and we focus a lot on that—CSRB focuses on that side. Then there is the middle ground of enablers. They are not intending to be enablers, but they are the people who are creating the platforms, mediums and technology. I am not sure that we are where we could be in thinking about how to set a baseline for them. We have a lot of voluntary codes, which is fantastic—that is a really good starting point—but it is about the value of the voluntary and how much it requires behavioural change. What you see is that the organisations that are already doing well and taking security seriously are following the voluntary codes because they were already investing, but there is a really long tail of organisations that are not.

Any policy approach, legislation or otherwise, comes down to the fact that you can build the best thing in the world, but you need a plan for adoption or the engagement piece—what it looks like to go into communities and see how people are wrestling with this stuff and the challenges that are blocking adoption. You also need to think about how to address and remove those challenges, and, where necessary, how to ensure appropriate enforcement, accountability and transparency. That is critical, and I am not sure that we see a huge amount of that at the moment. That is an area where there is potential for growth.

With CSRB, the piece around enforcement is going to be critical, and not just for the covered entities. We are also giving new authorities to the regulators, so what are we doing to say to them, “We expect you to use them, to be accountable for using them and to demonstrate that your sector is improving”? There needs to be stronger conversations about what it looks like to not meet the requirements. We should be looking more broadly, beyond just telling small companies to do more. If we are going to tell small companies to do more, how do we make it something that they can prioritise, care about and take seriously, in the same way that health and safety is taken seriously?

David Cook: To achieve the outcome in question, which is about the practicalities of a supply chain where smaller entities are relying on it, I can see the benefit of bringing those small entities in scope, but there could be something rather more forthright in the legislation on how the supply chain is dealt with on a contractual basis. In reality, we see that when a smaller entity tries to contract with a much larger entity—an IT outsourced provider, for example—it may find pushback if the contractual terms that it asks for would help it but are not required under legislation.

Where an organisation can rely on the GDPR, which has very specific requirements as to what contracts should contain, or the Digital Operational Resilience Act, which is a European financial services law and is very prescriptive as to what a contract must contain, any kind of entity doing deals and entering into a contract cannot really push back, because the requirements are set out in stone. The Bill does not have a similar requirement as to what a contract with providers might look like.

Pushing that requirement into the negotiation between, for example, a massive global IT outsourced provider and a much smaller entity means either that we will see piecemeal clauses that do not always achieve the outcomes you are after, or that we will not see those clauses in place at all because of the commercial reality. Having a similarly prescriptive set of requirements for what that contract would contain means that anybody negotiating could point to the law and say, “We have to have this in place, and there’s no wriggle room.” That would achieve the outcome you are after: those small entities would all have identical contracts, at least as a baseline.

Emily Darlington (Milton Keynes Central) (Lab)

Q I want to go back to basics and get a bit of insight from you. What cyber risks are businesses currently facing, and how do you feel the Bill addresses those risks?

David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.

The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.

Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.

I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.

Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.

David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.

NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going on in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.

Freddie van Mierlo (Henley and Thame) (LD)

Q I want to take a step back and ask a broader question about why this legislation is necessary. I think we agree that it is, but why are companies not already adhering to very high cyber-security standards? Surely it is in their commercial interests to do so; last year we saw the massive impact on JLR, M&S and the Co-op of failing to do so. Why might the state need to mandate companies to be cyber-secure and make them cyber-secure?

Jen Ellis: You have covered a lot of territory there; I will try to break it down. If you look at the attacks last year, all the companies you mentioned were investing in cyber-security. There is a difficulty here, because there is no such thing as being bullet-proof or secure. You are always trying to raise the barriers as high as you can and make it harder for attackers to be successful. The three attacks you mentioned were highly targeted attacks. The example of Volt Typhoon in the US was also highly targeted. These are attackers who are highly motivated to go after specific entities and who will keep going until they get somewhere. It is really hard to defend against stuff like that. What you are trying to do is remove the chances of all the opportunistic stuff happening.

So, first, we are not going to become secure as such, but we are trying to minimise the risk as much as possible. Secondly, it is really complex to do it; we saw last year the examples of companies that, even though they had invested, still missed some things. Even in the discussions that they had had around cyber-insurance, they had massively underestimated the cost of the level of disruption that they experienced. Part of it is that we are still trying to figure out how things will happen, what the impacts will be and what that will look like in the long term.

There is also a long tail of companies that are not investing, or not investing enough. Hopefully, this legislation will help with that, but more importantly, you want to see regulators engaging on the issue, talking to the entities they cover and going on a journey with them to understand what the risks are and where they need to get to. If you are talking about critical providers and essential services, it is really hard for an organisation—in its own mind or in being answerable to its board or investors—to justify spend on cyber-security. If you are a hospital saying that you are putting money towards security programmes rather than beds or diagnostics, that is an incredibly difficult conversation to have. One of the good things about CSRB, hopefully, is that it will legitimise choices and conversations in which people say, “Investing time and resources into cyber-security is investing time and resources into providing a critical, essential service, and it is okay to make those pay-off choices—they have to be made.”

Part of it is that when you are running an organisation, it is so hard to think about all the different elements. The problem with cyber-security—we need to be clear about this—is that with a lot of things that we ask organisations to do, you say, “You have to make this investment to get to this point,” and then you move on. So they might take a loan, the Government might help them in some way, or they might deprioritise other spending for a set period so that they can go and invest in something, get up to date on something or build out something; then they are done, and they can move back to a normal operating state.

Security is not that. It is expensive, complex and multifaceted. We are asking organisations of all sizes in the UK, many of which are not large, to invest in perpetuity. We are asking them to increase investment over time and build maturity. That is not a small ask, so we need to understand that there are very reasonable dynamics at play here that mean that we are not where we need to be. At the same time, we need a lot more urgency and focus. It is really important to get the regulators engaged; get them to prioritise this; have them work with their sectors, bring their sectors along and build that maturity; and legitimise the investment of time and resources for critical infrastructure.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

Q You have both mentioned the risk involved in supply chains. Do you think that, outside regulated industries, the Bill goes far enough to secure supply chains? If not, what would your recommendations be?

David Cook: The legislation talks about secondary legislation, so it allows for an agile, flexible programme whereby organisations can be brought within scope very quickly if concerns make that necessary. What that leaves us with, though, is that although legislation can be changed quickly, organisations often cannot. Where there is a definition, as we see with NIS2, as to which entities are in scope, organisations can embark on a multi-year programme to get into a compliant position. They can throw money at it, effectively.

What this legislation talks about, through the secondary legislation, is bringing organisations into scope and mandating specific security controls or specific requirements on those organisations in terms of security, but while the law might come in over a weekend, organisational change will not necessarily follow. There is a potential issue there. I can see the benefit and attractiveness of secondary legislation being used to achieve that aim, but having a clearer baseline as to what that sort of scope might look like—it could be ramped up or down, and the volume could be turned up or down, depending on need—would be more helpful. Reducing scope while diverging from NIS2 might be a benefit in terms of the commercial reality, but it might be a misstep in terms of security and the long tail that it takes to get more secure.

The Chair

Thank you. I am going to bring Allison Gardner in, because she has been waiting. You have two minutes, Allison.

Dr Allison Gardner (Stoke-on-Trent South) (Lab)

Q I have a quick question. You mentioned vulnerabilities earlier, and you mentioned, Jen, the complexities of implementing cyber-security plans. As well as technological factors, human factors, not the least of which is the lack of skills, play a key role in cyber-resilience. How would or could the Bill address the human element in cyber-security?

Jen Ellis: That is a great question, and a tricky one. We talk a lot about training and security awareness, and unfortunately I think it becomes yet another tick box: you start a job and watch your little sexual harassment training video, then you watch your cyber-security training video, and probably the former sticks with you better than the latter. I think we have to change that. We have to change that dynamic.

I go back to my last answer, which was that I think one of the strengths of the Bill is that, hopefully, it will enable the regulators to engage much more on this topic and therefore to engage their covered entities much more. That is what we need to see. We need to see the leadership in organisations engage with the topic of cyber-security, not as a chore, as a tick-box exercise or as that headline they read about JLR, but actually as something that matters to their organisation—as something they are going to engage with at a board and executive team level, all the way down through the organisation. Cultural change comes from the top, typically, and we need to see that level of change.

I do not think that there is anything specific in the legislation, as it is currently written, that says, “And this,” in flashing lights, “is going to change the human factors piece.” I think that the devil will be in the detail of the secondary legislation, and then in what the regulators specifically ask for. But there does need to be a general shift in the culture, whereby as sectors generally we start to talk more about this as a requirement. The financial services sector has talked about security for a long time—it has been a reality for it—but I am not sure how true that is, at breadth, in something like the water industry.

I hope that that will change. I hope that we will start to see having those conversations at the top levels, and then all the way down, becoming more of a cultural norm. Unfortunately, you cannot create culture change quickly. When it comes to talking about human factors, it is about people becoming much more aware of it and thinking more about it. That will take time—

The Chair

Order. Thank you very much, but I have to cut you off there.

Jen Ellis: Sorry for taking too long.

The Chair

No, you have been brilliant.

That brings us to the end of the time allotted for the Committee to ask questions. On behalf of the Committee, may I thank you both for sparing time from your busy schedules to give evidence this morning?

Examination of Witnesses

Jill Broom, Stuart McKean and Dr Sanjana Mehta gave evidence.

10:01
The Chair

Good morning, everyone, and welcome. We will now hear oral evidence from Jill Broom, head of cyber-resilience at techUK, from Stuart McKean, chairman of Nine23, and from Dr Sanjana Mehta, senior director for advocacy at ISC2. We must stick to the timings in the programme motion that the Committee has agreed for this session; we have until 10.40 am. Will the witnesses please briefly introduce themselves for the record?

Dr Sanjana Mehta: Good morning. My name is Sanjana; I work as senior director, advocacy, at ISC2.

Jill Broom: Good morning. My name is Jill Broom; I am head of cyber-resilience at techUK, the trade association for the technology industry in the UK.

Stuart McKean: Good morning. I am Stuart McKean; I am the founder and chairman of Nine23. We are a small MSP, based in the UK.

Dr Spencer

Q Thank you for giving evidence this morning. The Bill would not have prevented recent attacks on high-profile parts of UK industry such as Co-op, Marks and Sparks, and Jaguar Land Rover. What more do you think can be done to mitigate the risk to jobs, supply chains and the UK economy from further large-scale cyber-attacks against out-of-scope companies?

My second question is a bit more technical. Do you consider that the definition in the Bill of a managed service provider is sufficiently clear and certain for businesses to understand whether they are in scope or out of scope of the Bill?

Dr Sanjana Mehta: I appear before the Committee today on behalf of ISC2, which is the world’s largest not-for-profit membership association for cyber-security professionals. We have 265,000 members around the world and 10,000-plus members in the UK.

On your question about sectoral scope, our central message is that we welcome the introduction of the Bill and we believe that it will go a long way towards improving the cyber-resilience of UK plc. Yes, there are certain sectors that are outside the scope of the Bill, and we believe that there are a number of non-legislative measures that could be used to enhance the cyber-security of other industries and parts of the sector. In particular, the forthcoming national cyber action plan should be used as a delivery vehicle for improving the resilience of UK plc as a whole.

On the previous panel, I think Jen mentioned that there are voluntary codes of practice. As an organisation, we have piloted the code of practice for cyber governance, and we have signed up to the ambassadors scheme for the code of practice for secure software development. We think that the upcoming national cyber action plan can further encourage the uptake of such schemes and frameworks. Most importantly, we call upon Government to focus on skills development as a non-legislative measure, because ultimately that will be the key enabler of success, whether it is for organisations that are within or outside the scope of the Bill.

The Chair

The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.

Stuart McKean: I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only 11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.

Jill Broom: Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.

We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.

Kanishka Narayan

Q Thank you all very much for making time. I have an implementation-focused question, perhaps directed at Stuart, but open to all. In practice, it would be helpful to understand how frequent is the case that a single company might provide multiple of the possible services in scope: MSP services, cloud hosting, data centre support and cyber-security services. What ability might we have to identify parts of an organisation that are in scope for particular bits and those that are not?

Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.

For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”

You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.

Dr Gardner

Q It is interesting that you mentioned the complexity and skilled teams. Sanjana, you talked about the need for more skill and responsibility, and how distributed responsibility across supply chains is a big deal. That comes down to a duty of care on people who are procuring these things. The annual cyber security breaches survey found that board-level responsibility for cyber has declined in recent years. What explains that, and how could it be improved? As a quick supplementary question, do you think there should be a statutory duty for companies to have a board member responsible for cyber risk? Jill, I will go to you first.

Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.

I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.

Dr Gardner

Q But do you think there should be a statutory duty to have a board member responsible?

Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.

Bradley Thomas

Q Two questions: first, for a bit of context, could the witnesses give us an idea of the objectives of cyber-attacks? Are we seeing objectives based around disruption or around extortion, either monetary or for intellectual property? Perhaps we could have a perspective on whether that differs depending on the origin of the organisation conducting the cyber-attack. Secondly, around the reporting model, is there a view on whether the model proposed in the Bill is beneficial, and whether it risks a fragmented approach, particularly if companies operate in a sector that is regulated under the jurisdiction of two regulators? Do you think that a more universal, singular reporting model would be beneficial in ensuring as strong a response as possible?

Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.

While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.

We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.

Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.

In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.

I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.

Freddie van Mierlo

Q I have two questions: one to Jill and one to Dr Mehta. First, what is your view, Jill, on the relative strength of this legislation, compared to what is coming forward in the EU? Do you think that the fact that we are not following the EU will make it harder for your members to interact and trade with individuals and companies in Europe?

Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?

Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.

Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.

There are a number of key reasons for that. First, public administration needs to be a role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.

Lincoln Jopp (Spelthorne) (Con)

Q On the question of closer alignment, can you give us a sense from the international picture of whether certain regulatory regimes raise the barrier to terrorists or criminals so high that they are left alone? Is that a national thing or a company-based thing? Where are the flow lines of attack and threat? Is it on a national or a corporate basis?

Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—

Alison Griffiths

I am so sorry. Could you possibly speak into the microphone? I cannot hear you.

Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.

Lincoln Jopp

Q I appreciate that. My question was about where that leads them to attack, on the basis that they will take the route of least resistance. Where is that? Is that an international thing, a national thing or a corporate thing?

Stuart McKean: It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.

Lincoln Jopp

Do either of the other witnesses have anything to say on that?

Jill Broom indicated dissent.

Dr Sanjana Mehta indicated dissent.

Andrew Cooper (Mid Cheshire) (Lab)

Q I have a question for Jill Broom. You were talking about the incident reporting requirements. Do you think the legislation strikes the right balance to encourage organisations to come forward when they have been attacked, so that the sector can learn from that and vulnerabilities can be patched out in other areas, or is it so stringent that organisations will be concerned about facing penalties if they are fully transparent?

Jill Broom: I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.

Andrew Cooper

Q Stuart, you were nodding, which suggests you have something to contribute.

Stuart McKean: It is an interesting cultural challenge. You want people to be open and to report incidents that are having an impact, but at the same time, if they report those incidents they might get fined, which could be economically challenging, particularly for a small business. Yes, we want to be open and to report incidents, but—and this is where the detail comes in—what is the level of detail that needs to be reported and what is the impact of reporting it? When you report it to the regulators, what are they going to do with it? How will they share it and how will it benefit everybody else? The devil is definitely in the detail, and it is a cultural change that is required.

Sarah Russell (Congleton) (Lab)

Q Obviously no one wants to put crippling costs on to businesses, but cyber-security costs money—there is no way of avoiding that. We only have to look at the JLR attack to see the scale of the impact on our economy when it does not work, and we are looking at only critical national infrastructure here. Have you had any information from business about whether and to what extent this will promote increased spending on cyber-security?

Jill Broom: We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.

Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.

Dr Sanjana Mehta: If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.

Alison Griffiths

Q Returning to the supply chain risks, I want to ask you about the difference between OT—operational technology—and IT, and whether there is sufficient detail in the Bill to protect that. If you have intelligent electronic devices from single suppliers across multiple sectors, are we confident that there is sufficient detail about what the regulatory role is in saying that suppliers should be within scope? Is more detail needed in the Bill?

Stuart McKean: I am not an expert on the detail, but I would say that there is currently very little detail in the Bill regarding IT and OT.

Alison Griffiths

Q Do you think that there should be more or not?

Stuart McKean: The devil is always in the detail, so any more clarity that can be put in the Bill is always going to be a good thing.

Alison Griffiths

Does anyone have anything else?

Jill Broom: I think that I will need to come back to you in writing on the specifics of operational technology.

The Chair

Feel free to write in, secondary to this session, if you feel that you want to expand on any answers.

Dave Robertson (Lichfield) (Lab)

Q I have a bit of a blended question. Earlier, Stuart, you said that some of the wording in the Bill says that only 11% of managed service providers are likely to be covered by the legislation, but in previous answers we have heard about skills shortages and where we will need to build those skills. Although I think we all want as many organisations covered as possible, where is the line? Do we currently have enough professionals working in this space to be able to deliver this level of compliance across 11% of MSPs? Given the number of people available for this very specialised work, is the 11% figure in the right ballpark, or do we need to make that wider or thinner to ensure compliance?

It is very easy to write a piece of legislation, but if we do not have the professionals needed to deliver the level of compliance at the thresholds we are setting in this place, that raises other potential issues. Do you have a view about whether the 11% you mentioned is in the right ballpark for the number of professionals we have, or whether it needs to move either way?

Stuart McKean: I am referring to the Government’s report on MSPs that was done a couple of years ago. There are some 12,500 MSPs in the UK. Of those that are in scope of the Bill, 11% are medium-sized and large, but they account for something like 85% of the revenue that MSPs generate in the UK. Proportionally, the larger and medium-sized organisations will have the skillsets needed to deliver the requirements set out in the Bill. As it comes down the supply chain, most managed service providers are suitably qualified to deliver, but they will not be in scope of the Bill. Certainly the critical national infrastructure will not be in that sort of space. We have a good industry, and I think most of the MSPs are in that space, but I would highlight that MSPs are generally IT companies, and cyber-security is not an IT problem. It is much bigger than IT.

Although MSPs can be at one end, this goes back to a question that was asked before about why companies do not just do this anyway, and so be more secure. The reality is that they do not generally understand it; they do not understand the risk and they do not have the qualified people, and it goes on in a sort of vicious circle. A lot of those companies will just go, “Yeah, I’ve got an MSP. They deal with that.” It is an interesting challenge, but, to your question directly, I think medium-sized and large MSPs will not have an issue.

Dr Sanjana Mehta: If I may weigh in on this, I just want to take a step back and comment on the state of the profession in the UK. I appreciate that we are having this discussion specifically in relation to the regulated entities, but there is a broader picture. Parts of the industry are not in scope, but they need to have the right skills as well. We are starting off on a good foundation. The work done by industry, academia and professional associations over the past few years has helped to grow the profession steadily. The report by the Department for Science, Innovation and Technology mentions that the number of cyber-security professionals directly employed in the sector has increased by 11% over the past year.

That said, there is more to be done. I urge the Government to think about the skills piece, not only in relation to the Bill but as a wider challenge. We are very proud of our 10,000-plus members in the UK, who work very hard day and night to secure their organisations despite all the challenges and pressures, but the Bill does give Government a pivotal opportunity to elevate the status of the profession and to professionalise the sector.

Andrew Cooper

Q Stuart, as an MSP, you will be familiar with the fact that the large cloud service providers tend to allow you to live failover to different regions. By default you might be hosting in the UK region, but, depending on an outage, you might live failover to the European Union or to the US, depending on the cloud service provider you are using and how it is set up. How does the legislation deal with that and allow you as an MSP to be compliant with it?

Stuart McKean: It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.

Bradley Thomas

Q Do the witnesses have a view on the benchmarks that, at the moment, do not appear to sit behind the scale of incidents that must be reported? Do you have a view on the absence of any benchmarks and the impact that they may have on smaller firms, or on the risk of over-reporting?

Stuart McKean: Under the designation of a critical supplier, the Bill says:

“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.

That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.

Bradley Thomas

Q How might we glean some clarity on that?

Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.

Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.

Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.

Dr Spencer

Q The issues about complexity and how loosely the Bill is drafted have come up quite a few times, and you have given good evidence regarding your concerns. What cost to business do you anticipate if the Bill stays so loose, with so much left to secondary legislation?

Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.

The Chair

I am looking around the table, and it seems to me that everybody is satisfied. Thank you very much indeed, Sanjana, Jill and Stuart, for giving your time so freely this morning—I know you are very busy people.

Examination of Witnesses

Matt Houlihan, Ben Lyons, Chris Anley and Dr Ian Levy gave evidence.

10:39
The Chair

Q We will now hear oral evidence from Matt Houlihan, vice-president for government affairs in Europe for Cisco UK and Ireland, Ben Lyons, senior director of policy and public affairs for Darktrace, Chris Anley, chief scientist for NCC Group, and Dr Ian Levy, vice-president of security at Amazon. We must stick to the timings in the programme order; for this session we have until 11.25 am. Could the witnesses please introduce themselves briefly for the record, starting with Dr Levy?

Dr Ian Levy: Good morning. I am Ian Levy, and I am a vice-president and distinguished engineer at Amazon. That job allows me to look across everything that Amazon does, including Amazon Web Services, the bookshop, our new satellite system and everything in between. Prior to that, I spent 23 years in GCHQ, and I was the founding technical director and designer of the National Cyber Security Centre.

Chris Anley: I am Chris Anley, chief scientist at NCC Group. We are a multinational cyber-security company, listed on the London Stock Exchange and headquartered in Manchester.

Matt Houlihan: Hi everyone. I am Matt Houlihan, and I am the vice-president for government affairs in Europe for Cisco, which is a technology company specialising in networking, security and collaboration technologies.

Ben Lyons: Good morning. I am Ben Lyons, and I am senior director for policy and public affairs at Darktrace. We are a company that uses AI for cyber-security, headquartered up in Cambridge.

Dr Spencer

Q Thank you for coming to speak to us this morning. I have a different question for each of you, so I will rattle them off and ask you to go through them.

Starting with Ben from Darktrace, how are developing and emerging technologies such as AI and post-quantum crypto changing the nature of cyber-security threats? Do you think the Bill responds adequately to that changing threat landscape?

Moving on to Matt from Cisco, what further guidance and consultation from the Government and the Information Commissioner is needed for MSPs to comply effectively with their obligations under the Bill?

Chris from NCC Group, the National Audit Office report last year highlighted lots of serious deficiencies in Government cyber-resilience. Do you think the cyber action plan goes far enough? How can Government Departments be overseen and held to account in a way that will deliver meaningful improvements in cyber-resilience?

Finally, Ian from Amazon, a core feature of your business model is extensive exposure to supply chain partners. Do you think that the designation of critical suppliers by regulators under the Bill is the correct approach? What further consultation is needed to make sure that that is proportionate, prioritises the most critical suppliers and, crucially, gives a degree of certainty, whether legal or financial?

Ben Lyons: AI is significantly changing cyber-security. You can think about it at three levels: first, the way in which attackers are using AI to mount cyber-attacks; secondly, the need to secure AI systems and AI within companies and organisations; and thirdly, the question of how AI is changing cyber-security on the defensive side.

In brief, we see significant use of AI by attackers. Today, we are releasing the results of a survey in which 73% of surveyed security professionals say that AI-powered threats are having a significant impact on their organisation. These are things like phishing, reconnaissance, and lowering the barriers to being able to launch attacks and review more targets more effectively. Last month, the chief executive officer of Anthropic, which is one of the main frontier AI labs, warned that he sees AI-led cyber-attacks as potentially being the main way in which cyber-attacks are conducted in the future.

At the level of the enterprise, you have a challenge of how you secure the enterprise, in terms of not only developing and deploying AI, but visibility of AI used in an organisation. We are certainly seeing AI transform how cyber-security vendors and organisations manage the threat: they have greater visibility, can detect threats more quickly and the like. On how the Bill responds to that, one positive in its approach is that it is setting out an agile, outcomes-based approach that means that the regulatory regime can be capable of evolving as the threat evolves. It is sensible not to talk about AI in depth on the face of the Bill, but through mechanisms such as the code of practice, it will be possible for expectations to evolve over time as the threat and the technology mature.

The Chair

I should say to the witnesses: do not feel obliged to answer each question if you do not feel that you have anything material to add.

Matt Houlihan: It is very tempting to answer the question on AI, but thank you for the question on managed service providers. It is right that managed service providers are looked at in this Bill. An increasing amount of the work of managing IT services is clearly now outsourced to managed service providers. There needs to be some scrutiny and some baseline of cyber-security with those. I would say a couple of things on what guidance is needed. We broadly support the definition in the Bill. I appreciate the comments in the previous session that suggested that the definition was a little too broad and could be refined, which I think is fair, but when you compare the definition in the CSRB with the definition of managed service providers used in the NIS2 legislation, a couple of bits of clarity are provided in the CSRB. First, the managed service provider needs to provide an

“ongoing management of information technology systems”.

We feel that word “ongoing” is quite important. Secondly, it has to involve

“connecting to or…obtaining access to network and information systems relied on by the customer”.

We feel that

“connecting to or…obtaining access to”

the network is an important part of the definition that should be put forward. One area where more tightness can be provided is where, in the Bill, there is a non-exhaustive list of activities that an MSP could be involved in, such as

“support and maintenance, monitoring, active administration”.

The Bill then says, “or other activities”, which adds quite a bit of uncertainty on what is and is not an MSP.

The other area I would like to highlight and link to Ben’s answer on AI is that the “active administration” activity raises a question about the extent to which AI-enabled managed services would come under that definition. I am sure that lots of managed service providers will use AI more and more in the services that they provide to their end customers; to what extent does “active administration” involve an AI-related service?

To end on that specific question, the Information Commissioner’s Office will, I believe, issue guidance for managed service providers once the Bill is passed. That guidance will be the critical thing to get right, so there should be consultation on it, as my colleague from techUK suggested earlier. I would also suggest that that guidance cannot be a simple check-box list of things that have to be done. We should shift our thinking to have more of an ongoing appreciation of what cyber-security involves in practice for MSPs or other regulated entities under the Bill. Making sure there is an ongoing process and that there is effective enforcement will be important.

Chris Anley: On the NAO report, the cyber action plan and public sector cyber-security, you are absolutely right to point out that the NAO report identifies serious issues. The Government recently acknowledged that they are likely to miss their 2030 cyber-resilience targets. It is also important to point out that the cyber action plan lays out an approach with many very positive elements such as an additional £210 million in central funding. There are many benefits to that, including a centralised provision of services at scale, a concentration of expertise and a reduction of costs.

Then there are other broader initiatives in the cyber action plan. The UK software security code of practice, which has been mentioned several times in these sessions, is a voluntary code that organisations can use as a tool to secure their supply chain. Cisco and NCC Group are ambassadors for that scheme and voluntarily comply with it, and it improves our own resilience.

Whether the cyber action plan goes far enough is a very difficult question. The NAO report also points out the extreme complexity of the situation. Within the budgetary constraints, I think it is fair to say that the steps in the plan seem reasonable, but there is a broader budgetary conversation to be had in this area. Two of the most significant issues identified in the report are the skills shortage, which has come up in these sessions—almost a third of cyber-security posts in Government are presently unfilled, which is dangerous—and the fact that Departments rely on vulnerable, outdated legacy IT systems, which may be the cause of an incident in their own right and would certainly make an incident much more severe were one to occur. The problem is that those are both largely budgetary issues. Successive Governments have obviously focused on delivering taxpayer value, as they should—we are all taxpayers—but over a period of a decade or more, that has led to a position where Departments find it difficult to replace legacy IT systems and fill these high-skill, high-cost cyber-security positions. There is very much a broader discussion to be had, as has been raised in these sessions, about where we should be in terms of the budget. You are absolutely right to raise the public sector issues. Although the Bill focuses on the private sector, the public sector obviously must lead by example.

Dr Ian Levy: We think the current definitions of critical suppliers are probably overly broad and risk bringing in SMEs, when you really do not want to do that. That said, we need to think about the transitive nature of supply chains. With previous regulations that talk about cyber-security, we have seen a flow-down of requirements through contracting chains. There is a question about how far it is reasonable to go down those contracting chains. In my experience, the value of the contract and the potential impact are not necessarily correlated. We certainly saw that when we were giving evidence for the Telecommunications (Security) Act 2021.

There is a real question about how you define what supply chain you mean. You mentioned that AWS has a complex supply chain. We certainly do—it is astoundingly complex—but the important thing is that we control the really important parts of that. For example, we build our own central processing units, graphics processing units, servers, data centres and so on. The question then becomes: how does that translate out to customers? If a customer is using a partner’s service running on AWS, where does the liability accrue? I do not think that is adequately covered in the Bill.

In terms of certainty and foreseeability, the Bill as it stands admits a single entity being regulated multiple times in multiple different ways. We are subject today to at least four different sets of regulations and regulators. Some of them conflict, and some of them are ambiguous. As this expands out, a single reporting regime—a lead regulator model—would take some of that ambiguity away so that you have more foreseeability and certainty about what you are trying to do.

There are things in the current drafting of the Bill that we think need some consultation. There are things in primary legislation, such as the Secretary of State’s powers, that seem to be unbounded—that is probably the best way to describe it—and that seems dangerous. We understand the necessity for powers around national security, but we think there need to be some sort of safeguards and consultation about how they are used in practice. For any multinational company, something that is effected in the UK is likely to affect all our customers, so some real constraint is needed around that.

Kanishka Narayan

Q One of the themes already emerging in the conversation and in the wider public debate is that, on one line of thought, the right framework is that the law should focus on outcomes, principles and responsibilities, and then delegate specificity to both agile definition over time and specific expertise in sectors. An alternative view says that in looseness there is uncertainty, and we in Parliament should prescribe activity and impact thresholds and what companies should be doing. I am interested in areas across the board where you think prescription is a helpful way to go, as well as in your general experience of the core way and framework through which we have regulated a number of these activities, which is to rely on the agility and expertise in particular sectors, rather than the prescription of activity in primary legislation.

Chris Anley: By our calculation, as you say, the number of organisations that fall under the scope of the Bill in terms of the Government’s impact assessment is 0.1% of the private sector, which is one one-hundredth of the tip of the iceberg. We are going to have to adopt a whole-of-economy approach if we are going to secure the UK—we have already talked about the public sector issues.

On the Bill itself, we have three main comments. First, the secondary legislation forms the bulk of the technical measures, so we are calling for early consultation on that. Secondly, the Bill imposes additional reporting obligations, adding to an already complicated situation for reporting cyber-incidents in the UK. The reporting obligations trigger at a time of great complexity for an organisation, so we are calling for a single point of contact for reporting all cyber-security incidents in the UK and a single timeline. That may sound like a big ask—an impossible dream. Australia has already done it, and the EU is in the process of doing it in its digital omnibus streamlining package.

Finally, in terms of cyber professionals, the passage of a cyber-security Bill through Parliament is a golden opportunity to address the serious problems with the Computer Misuse Act 1990. Cyber professionals who are defending the UK cannot currently do so without risking criminal prosecution. We cannot carry out basic identification and verification actions without potentially committing the offence of unauthorised access to computer material, because a ransomware gang, for example, is unlikely to give us authorisation to identify the command and control system they are using to attack the UK.

We support the CyberUp campaign, which is proposing an amendment to the Computer Misuse Act to provide a statutory defence, resting on four strong safeguarding principles. We believe that that would help to protect our defenders while maintaining the integrity of the law. Based on the campaign’s research into the size of the cyber-security industry in the UK, the amendment would not only help to prevent incidents and mitigate incidents in progress, but add 9,500 highly skilled jobs and over £2.5 billion in revenue to the UK economy. Other nations are already benefiting from this type of safeguard, including our oldest ally, Portugal, which has implemented them in its recent amendments to NIS2, which is the exact legislative equivalent of the process we are in today. In summary, please help us to defend the UK by protecting our defenders.

Dr Ian Levy: To follow up on what Chris says, we strongly agree on early consultation on the technical detail of the secondary legislation. Somebody said in the previous session that, in security, the devil is always in the detail. Well-meaning text can be massively misinterpreted. We need to be very careful about that, so wide, early consultation is key.

On incident reporting, I will make two points. Chris made the point that when you are being asked to report, you are at your most desperate, because you have just found out that you have been attacked and you do not know what is going to happen. A lot of legislation accidentally ignores the victim. When we set up the NCSC, one of the primary things was that we were there to support the victims. I urge you not to lose sight of that. Absolutely, go after and find the culprits later, but in the moment, the victims are absolutely key to this.

The second part of that, about a single reporting timeline and a single reporting route, is that it is not just good for the victims but the only way that we generate strategic intelligence. That is one of the things that is missing in the UK—and has been for decades. We have five, six or seven different reporting portals that all characterise things differently and take different types of information, and bringing them together to have a single picture about the actual threat to the UK is incredibly difficult. A single reporting forum could fix that.

Ben Lyons: I might distinguish between what organisations need to do and whether organisations are in scope. In terms of what they need to do, the outcomes-based approach is sensible. If you think about when the Johnson Government were consulting on the measures that would go on to form this Bill, that was a time when ChatGPT had not been invented and the geopolitical environment was very different. The world is moving fast, and I think that the cyber assessment framework is a good starting place for what a code of practice could look like, because it is already understood by industry and is outcomes-driven.

I agree with the previous comments about incident reporting. I think that there is a lot of merit in the suggestion around a shared portal so that it is easier to report incidents in that moment of dealing with a cyber-attack. Within the regime as envisaged, probably the most important bit with reference to reporting is about improving that early clarity and visibility for the NCSC so that they can help. That is probably where I would place the emphasis, more than on regulators having that information within 24 hours. In that context, an approach that recognises best efforts in that first 24 hours but is focused on tackling the problem will be important for dealing with the issue.

On the supply chain, I would say—and we have heard about this before—that there could be more clarity there in terms of who would be in scope for designated suppliers. Thinking a bit around both systemic dependency and the potential for wider disruption would be important factors to give it more clarity.

Matt Houlihan: To round off the responses, on the question about finding the balance between specificity and agility, the Bill does a reasonable job at that. We can totally see the need to keep some of the doors open, because not only is the nature of the threat changing rapidly but the nature of technology—and of our capabilities to defend—is changing as well. We have already talked about AI, and we have lots of quantum research taking place as well that will have a big bearing on cyber-security.

It is right that the Bill has some agility in it, but it is clear from the responses today that there is a need to tighten it up in certain places. We talked about incident reporting, and having a simpler, more co-ordinated system for regulated entities to work with so that that reporting process is easier. The definition of “incident” itself needs to be looked at, we believe. The idea of an instance not only having, but being capable of having, an adverse effect on information systems opens the door very widely to lots of potential incidents that may need to be reported on. Having a tighter definition there would be very useful.

To touch on the point about Secretary of State powers, we feel that the door is a little bit too wide. If you look at legislation such as Australia’s cyber-security legislation from 2018, the Security of Critical Infrastructure Act, that also has some good Secretary of State powers, but there are lots of guardrails contained in it that make it clear that it is a power of last resort, where the entity is unwilling or unable to carry out the remedial action itself. There are also other guardrails contained in that legislation. We urge the Committee and the Government to look at that Act and take inspiration from it to think about where those guardrails could be worked into the UK law.

The Chair

Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.

Bradley Thomas

Q I have two questions. First, on the topic of cross-border control, how do you think we can get definition around the resilience obligations and how they apply to foreign-hosted systems, particularly given that your networks will be quite widespread? My second question is more broad. Given that you are all responsible for operating networks that are strategically important, and that you are also commercial companies, how do you think we strike the right balance between growth in AI, proportionate regulation and not stifling commercial innovation?

Dr Ian Levy: I will start with that one.

The Chair

Please, Gentlemen, do not feel obliged to answer each question.

Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.

The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.

We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.

In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.

Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.

Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.

Dr Gardner

Q I have so many questions, some of which have been touched on; I will limit myself. I was interested in the CyberUp campaign that you mentioned. What other measures, both legislative and non-legislative, could the UK Government take to enhance the cyber-resilience of the UK’s critical national infrastructure? In terms of resilience, is there any requirement to look a bit more deeply at failsafes and non-technical failsafes that we might need, because we are always going to get that?

My second question is for Ben. In combining AI and cyber, you are combining technologies that come with their own unique risks with cyber-security. I am interested in how you mitigate against that. I am intrigued because, when you talk about AI, I assume you are not talking about straightforward machine learning.

Chris Anley: In terms of what other things we could do, we have talked about voluntary codes. The value of voluntary codes was questioned in an earlier session; but the World Health Organisation best practice guide on handwashing, which is entirely voluntary, saved millions of lives in the recent pandemic. It is important to bear in mind that codes that help you to protect yourself are definitely valuable.

Other actions that are already taking place that we may want to extend on the basis of solid evidence and data are the cyber essentials scheme, for example, and the various codes of practice. The cyber governance code of practice for boards was mentioned earlier, along with the Government outreach and attempting to get boards to recognise that cyber risk is a business risk and an existential threat. We talked about the cyber assessment framework and how that is likely to be the scope within which this Bill is implemented. So, we do not necessarily need to do something new. The scope of the Bill, as we said, is 0.1% of the UK private sector. There is scope to expand the existing things that we are doing, especially cyber essentials, for example, raising the bar for small and medium-sized enterprises across the economy. There is a lot that we are already doing that we could do, that we already have the scope to expand, but obviously that must be done prudently and on the basis of solid evidence.

Dr Gardner

Q Ben, are you combining two risks?

Ben Lyons: That is something we think very deeply about. We see AI as helping to mitigate some of the risks from cyber-security by making it possible to detect attacks more quickly, understand what might be causing them, and to respond at pace. We are an AI native company and we have thought deeply about how to ensure that the technology is both secure and responsible. We are privacy-preserving by design. We take our AI to the organisation’s environment to build an understanding of what normality looks like for them, rather than vast data lakes of customer data. We take a lot of effort to ensure that the information surfaced by AI is interpretable to human beings, so that it is uplifting human professionals and enabling them to do more with the time they have. We are accredited to a range of standards, like ISO 27001 and ISO 42001, which is a standard for AI management. We have released a white paper on how we approach responsible AI in cyber-security, which I would be happy to share with you and give a bit more detail.

Chris Vince

Q Thank you for coming along. Chris has touched on this already, but the Government’s impact assessment of the Bill said that the UK was falling behind its international partners. You all have experience of working globally. Could you comment on that and whether you agree with it?

Matt Houlihan: I am very happy to. Two main comparators come to mind. One is the EU, and we have talked quite a bit about NIS2 and the progress that has made. NIS2 does take a slightly different approach to that of the UK Government, in that it outlines, I think, 18 different sectors, up from seven under NIS1. There is that wide scope in terms of NIS2.

Although NIS2 is an effective piece of legislation, the implementation of it remains patchy over the EU. Something like 19 of the 27 EU member states have implemented it to date in their national laws. There is clearly a bit of work still to do there. There is also some variation in how NIS2 is being implemented, which we feel as an international company operating right across the European Union. As has been touched on briefly, there is now a move, through what are called omnibus proposals, to simplify the reporting requirements and other elements of cyber-security and privacy laws across the EU, which is a welcome step.

I mentioned in a previous answer the work that Australia has been doing, and the Security of Critical Infrastructure Act 2018—SOCI—was genuinely a good standard and has set a good bar for expectations around the world. The Act has rigorous reporting requirements and caveats and guardrails for Government step-in powers. It also covers things like ransomware, which we know the UK Home Office is looking at, and Internet of Things security, which the UK Government recently looked at. Those are probably the two comparators. We hope that the CSRB will take the UK a big step towards that, but as a lot of my colleagues have said, there is a lot of work to do in terms of seeing the guidance and ensuring that it is implemented effectively.

Chris Anley: On the point about where we are perhaps falling behind, with streamlining of reporting we have already mentioned Australia and the EU, which is in progress. On protection of their defenders, other territories are already benefiting from those protections—the EU, the US, and I mentioned Portugal especially. As a third and final point, Australia is an interesting one, as it is providing a cyber-safety net to small and medium-sized enterprises, which provides cyber expertise from the Government to enable smaller entities to get up to code and achieve resilience where those entities lack the personnel and funding.

Emily Darlington

Q A huge thank you to the panel. Many of my colleagues have already asked the question, so I appreciate you talking about the futureproofing in quantum, the international regulatory environment and the use of standards alongside regulation to drive up quality. You all have a huge amount of UK clients, and I want to ask you about how good cyber culture gets embedded, and what the role of the Bill is within that. To pick up on Ben’s point around the security by design within his own firm, do you think that is well understood among your colleagues in the UK? How do we get the balance right between what is in the regulation and what should be done through a standards model, working with the British Standards Institution and others?

Dr Ian Levy: The previous set of witnesses talked about board responsibility around cyber-security. In my experience, whether a board is engaged or not is a proxy indicator for whether they are looking at risk management properly, and you cannot change corporate culture through regulation—not quickly. There is something to be done around incentives to ensure that companies are really looking at their responsibilities across cyber-security. As the previous panellists have said, this is not just a technical thing.

One of the things that is difficult to reconcile in my head—and always has been—is trying to levy national security requirements on companies that are not set up to do that. In this case I am not talking about Amazon Web Services, because AWS invests hugely in security. We have a default design principle around ensuring that the services are secure and private by design. But something to consider for the Bill is not accidentally putting national security requirements on those entities that cannot possibly meet them.

When I was in government, in the past we accidentally required tiny entities, which could not possibly do so, to defend themselves against the Russians in cyber-space. If you translate that to any other domain—for example, saying that a 10-person company should defend itself against Russian missiles—it is insane, yet we do it in cyber-space. Part of the flow-down requirements that we see for contracting, when there is a Bill like this one, ends up putting those national security requirements on inappropriate entities. I really think we need to be careful how we manage that.

Matt Houlihan: Can I make two very quick points?

The Chair

Very briefly—yes.

Matt Houlihan: My first point is on the scale of the challenge. From Cisco’s own research, we released a cyber-security readiness index, which was a survey of 8,000 companies around the world, including in the UK, where we graded companies by their cyber maturity. In the UK, 8% of companies—these are large companies—were in the mature bracket, which shows the scale of the challenge.

The other point I want to make relates to its being a cyber-security and resilience Bill, and the “resilience” bit is really important. We need to focus on what that means in practice. There are a lot of cyber measures that we need to put in place, but resilience is about the robustness of the technology being used, as well as the cyber-security measures, the people and everything else that goes with it. Looking at legacy technology, for example—obsolete technology, which is more at risk—should also be part of the standards and, perhaps, the regulatory guidance that is coming through. I know that the public sector is not part of the Bill, but I mention the following to highlight the challenge: over a year ago, DSIT published a report that showed, I think, that 28% of Government systems were in the legacy, unsupported, obsolete bracket. That highlights the nature of the challenge in this space.

Alison Griffiths

Q I have two specific questions. The first is about OT versus IT. Do you think that OT and its supply chains are sufficiently covered in the Bill? Secondly, given that you are all from commercial organisations, from your direct client experience, what is going to be the thing that moves the dial on board governance, specifically in relation to cyber?

Chris Anley: On the OT versus IT question, we have mentioned specificity versus flexibility. The benefit of the UK sectoral regulator model is that regulators that are in areas where OT is predominant can set specific measures that can reinforce those environments, whereas if you try a one-size-fits-all approach, you run the risk of certain critical OT-based systems becoming subject to successful attacks.

Ben Lyons: The broad approach that the UK is taking is sensible, in that the existing guidance has a range of principles around OT, as well as IT, security. Manufacturing is not in the scope of the Bill, which is probably appropriate, but it is worth looking at what could be done to improve the security of the manufacturing sector, more broadly, probably through non-legislative means. In light of recent attacks, it is important to ensure that guidance and incentives are in place to support that sector.

The Chair

I call Freddie van Mierlo for the last question.

Freddie van Mierlo

Q I want to ask about some of the points made by Matt and Ian about the complexity of the businesses that you are part of. Ultimately, who is responsible for understanding that? In this House and in Parliament, we are responsible for looking at UK security, and we can only have control over that. Do you think it is the responsibility of Government and Parliament to look at and understand how complex your businesses are, or is it the responsibility of those businesses to comply with the legislation of the countries that they want to operate in?

Dr Ian Levy: In October 2025, we had an incident that had quite a widespread impact. We have engaged with regulators around the world, including multiple regulators in the UK, to explain what happened. We published, quite transparently, what had happened during the incident and afterwards. Explaining how the part of the organisation that had built that particular system works is very time-consuming. It is also almost certainly out of date by the time we have finished. In that particular case, it was something called a “race condition”, which is a well understood computer-science hard problem. No amount of regulation or legislation would have made a difference, because it was a race condition, and they are incredibly hard to find in software.

I think that regulating outcomes is the right answer, and making sure that we are doing due diligence, and that our view of appropriate risk management is broadly the same as yours, without making us a national security entity. That is the challenge. How we run our business is not really relevant; it is the outcomes that matter.

Matt Houlihan: It is increasingly important that businesses, parliamentarians and Government officials work together on these issues. As we said earlier, the pace of change in terms of the technology, and indeed the business environment—at both the UK and global levels—is moving very quickly. Having that exchange of information will be important.

It is important—from an international business point of view—that regulation is as aligned as is practicable with the other jurisdictions that a lot of the companies here will be working in. That will not only benefit companies that are headquartered elsewhere and operate in the UK; it will benefit UK-headquartered companies that are looking to expand abroad. It must also be proportionate and targeted. I think that at the nub of your question, there is clearly a need, going forward, for strong co-operation and the sharing of expertise and experiences.

The Chair

Thank you very much indeed, gentlemen.

11:25
The Chair adjourned the Committee without Question put (Standing Order No. 88).
Adjourned till this day at Two o’clock.

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

The Committee consisted of the following Members:
Chairs: †Emma Lewell, Esther McVey, Dr Andrew Murrison, Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
† Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
† Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
† MacNae, Andy (Rossendale and Darwen) (Lab)
† Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty's Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
† Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Witnesses
Ian Hulme, Interim Executive Director of Regulatory Supervision and Director of Regulatory Assurance, Information Commissioner’s Office
Natalie Black CBE, Group Director for Infrastructure and Connectivity, Ofcom
Stuart Okin, Director of Cyber Regulation and AI, Ofgem
Chung Ching Kwong, Senior Analyst, Inter-Parliamentary Alliance on China
Professor John Child, Professor of Criminal Law, University of Birmingham, co-founding director of Criminal Law Reform Now Network and CyberUp Campaign supporter
Detective Chief Superintendent Andrew Gould, Cyber Crime Programme Lead, National Police Chiefs’ Council
Richard Starnes, Chair, Information Security Panel, the Worshipful Company of Information Technologists
Brian Miller, Head of IT Security and Compliance, NHS Greater Glasgow and Clyde
Stewart Whyte, Data Protection Officer, NHS Greater Glasgow and Clyde
Chris Parker MBE, Director, Government Strategy, Fortinet, and co-chair UK Cyber Resilience Committee, techUK
Carla Baker, Senior Director, Government Affairs, United Kingdom and Ireland, Palo Alto Networks
Kanishka Narayan MP, Parliamentary Under-Secretary of State (Minister for AI and Online Safety), Department for Science, Innovation and Technology
Public Bill Committee
Tuesday 3 February 2026
(Afternoon)
[Emma Lewell in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
Examination of Witnesses
Ian Hulme, Natalie Black CBE and Stuart Okin gave evidence.
14:02
The Chair

Good afternoon. We will now hear oral evidence from Ian Hulme, the interim executive director of regulatory supervision and director of regulatory assurance for the Information Commissioner’s Office; Natalie Black, group director for infrastructure and connectivity for Ofcom; and Stuart Okin, director of cyber regulation and artificial intelligence for Ofgem. We need to stick to the timings in our programme order, so we have until 2.40 pm for this session. Could the witnesses please introduce themselves briefly before we hand over for questions?

Ian Hulme: Good afternoon. My name is Ian Hulme, and I am interim executive director of regulatory supervision at the ICO.

Natalie Black: Good afternoon. I am Natalie Black, and I am group director for infrastructure and connectivity at Ofcom.

Stuart Okin: My name is Stuart Okin; good afternoon. I am the director for cyber regulation and artificial intelligence at Ofgem.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

Q38 Thank you for giving your time this afternoon. I have a couple of questions, which I will deal with in one go. The first is for Natalie. Ofcom’s role in cyber-security regulations will be expanded significantly under the Bill. What preparation has Ofcom undertaken to ensure it has sufficient capacity for effective oversight and, where necessary, enforcement in relation to its new regulatory obligations?

My second question is jointly for Ian and Stuart, from the ICO and Ofgem. Some industry stakeholders have expressed concern about low levels of incident reporting and enforcement under the NIS1—network and information systems—regs. How will your respective approaches to regulation change as a result of this Bill, to ensure that it is implemented and that cyber-resilience is improved across the sectors you are responsible for regulating?

Natalie Black: I will kick off. We have some additional responsibilities, building on the NIS requirements, but the data centre aspect of the Bill is quite a substantial increase in responsibilities for us. It is worth emphasising that we see that as a natural evolution of our responsibilities in the sector. Communications infrastructure is evolving incredibly quickly, as you will be well aware, and data centres are the next big focus. In terms of preparations, we are spending this time getting to know the sector and making sure we have the right relationships in place, so that we do not have a standing start. I have done a number of visits, for example, to hear at first hand from industry representatives about their concerns and how they want to work with us.

We are also focusing on skills and recruitment. We already have substantial cyber-security responsibilities in the communications infrastructure sector. We are building on the credibility of the team, but we are focused on making sure we continue to invest in them. About 60% of the team already come from the private sector. We want that to continue going forward, but we are not naive to how challenging it is to recruit in the cyber-security sector. For example, we are working with colleagues from the National Cyber Security Centre, and looking at universities it is accrediting, to see how we can recruit directly using those kinds of opportunities.

Ian Hulme: On incident reporting, the thresholds in the existing regulations mean that levels are very low. Certainly, the reports we see from identity service providers do not meet those thresholds. I anticipate that we will see more incidents reported to us. With our enhanced regulatory powers and the expanded scope of organisations we will be responsible for, I anticipate that our oversight will deepen and we will have more ability to undertake enforcement activity. Certainly from our perspective, we welcome the enhanced reporting requirements.

Stuart Okin: To pick up on the incident side of things, I agree with Ian. The thresholds will change. With the new legislation, any type of incident that could potentially cause an issue will obviously be reported, whereas that does not happen today under the NIS requirements.

On enforcement, in seven years we have used all the enforcement regimes available to us, including penalties, and we will continue to do so. We absolutely welcome the changes in the Bill to simplify the levels and to bring them up, similar to the sectorial powers that we have today.

Chris Vince (Harlow) (Lab/Co-op)

Q I declare an interest. My father-in-law is Professor Robin Bloomfield, a professor of software and system dependability at City St George’s, University of London, and I have a large data centre in my constituency. My question is probably shorter than that. Why is it important to give regulators flexibility to implement guidance for the sectors they cover?

Stuart Okin: In the energy sector, we tend to use operational technology rather than IT systems. That might mean technology without a screen, so an embedded system. It is therefore important to be able to customise our guidance. We do that today. We use the cyber assessment framework as a baseline, and we have a 335-page overlay on our website to explain how that applies to operational technology in our particular space. It is important to be able to customise accordingly; indeed, we have added physical elements to the cyber assessment framework, which is incredibly important. We welcome that flexibility being maintained in the Bill.

Ian Hulme: Just to contrast with colleagues from Ofcom and Ofgem, ICO’s sector is the whole economy, so it is important that we are able to produce guidance that speaks to all the operators in that sector. Because our sector is much bigger, we currently have something like 550 trust service providers registered, and that will grow significantly with the inclusion of managed service providers. So guidance will be really important to set expectations from a regulatory perspective.

Natalie Black: To round this off, at the end of the day we always have to come back to the problem we are trying to solve, which is ensuring cyber-security and resilience. As you will have heard from many others today, cyber is a threat that is always evolving. The idea that we can have a stagnant approach is for the birds. We need to be flexible as regulators. We need to evolve and adapt to the threat, and to the different operators we will engage with over the next couple of years. Collectively, we all appreciate that flexibility.

Dr Allison Gardner (Stoke-on-Trent South) (Lab)

Q I should point out that I once worked for the NHS AI and Digital Regulations Service and have also worked for a number of different regulators, including the ICO, so I have experience of the joys and frustrations of cross-regulatory working. We have heard evidence of the challenges experienced by businesses when they have to go to different regulators—I think it is as many as 14—and deal with the conflicting guidance they are often given and the skillset within each regulator. There were calls for one portal for incident reporting.

The ICO is a horizontal regulator working across all sectors. In your experience, would a single cyber regulator be a good idea? What would be the benefits and the challenges? I will allow Ofcom and Ofgem to jump in and defend themselves.

Ian Hulme: I suppose the challenge with having a single regulator is that—like ourselves, as a whole-economy regulator—it will have to prioritise and direct its resources at the issues of highest harm and risk. One benefit of a sectoral approach is that we understand our sectors at a deeper level; we certainly work together quite closely on a whole range of issues, and my teams have been working with Natalie and Stuart’s teams on the Bill over the last 18 months, and thinking about how we can collaborate better and co-ordinate our activities. It is really pleasing to see that that has been recognised in the Bill with the provisions for information sharing. That is going to be key, because the lack of information-sharing provisions in the current regs has been a bit of a hindrance. There are pros and cons, but a single regulator will need to prioritise its resources, so you may not get the coverage you might with a sectoral approach.

Natalie Black: Having worked in this area for quite some time, I would add that the challenge with a single regulator is that you end up with a race to the bottom, and minimum standards you can apply everywhere. However, with a tailored approach, you can recognise the complexity of the cyber risk and the opportunity to target specific issues—for example, prepositioning and ransomware. That said, we absolutely recognise the challenge for operators and companies in having to bounce between regulators. We hear it all the time, and you will see a real commitment from us to do something about it.

Some of that needs to sit with the Department for Science, Innovation and Technology, which is getting a lot of feedback from all of us about how we need it to co-ordinate and make things as easy as possible for companies—many of which are important investors in our economy, and we absolutely recognise that. We are also doing our bit through the UK Regulators Network and the Digital Regulation Cooperation Forum to find the low-hanging fruit where we can make a difference. To give a tangible example, we think there should be a way to do single reporting of incidents. We do not have the answer for that yet, but that is something we are exploring to try and make companies’ lives easier. To be honest, it will make our lives easier as well, because it wastes our time having to co-ordinate across multiple operators.

Bradley Thomas (Bromsgrove) (Con)

Q What additional resources will you need in order to implement and enforce the requirements of the Bill?

Ian Hulme: Again, to contrast the ICO’s position with that of other colleagues, we have a much larger sector, as it currently exists, and we will have a massively larger sector again in the future. We are also funded slightly differently. The ICO is grant in aid funded from Government, so we are dependent on Government support.

Moving from a reactive footing, which is our position at the moment—that is the Government’s guidance to competent authorities and to the ICO specifically—to a proactive footing with a much expanded sector will need a significant uplift in our skills and capability, as well as system development in order to register and ingest intelligence from MSPs and relevant digital service providers in the future.

From our perspective at the ICO, we need significant support from DSIT so that we can transition into the new regulatory regime. It will ultimately be self-funding—it is a sustainable model—but we need continued support during the transition period.

Bradley Thomas

Q Are you able to quantify that in any way?

Ian Hulme: At the moment, to give you a few broad numbers, our teams are around 15 people, and we anticipate doubling that. In the future, with self-funding, we will be a bit more in control of our own destiny. It is a significant uplift from our perspective.

Natalie Black: The challenge is that the devil is in the detail. Until that detail has worked through secondary legislation, we will have to reserve our position, so that we give you accurate numbers in due course. From Ofcom’s point of view, it is about adding tens rather than significant numbers. I do not think we are that far off the ICO.

But I want to emphasise that this is about quality, not necessarily quantity. Companies want to work with expert regulators who really know what they are doing. Ofcom is building on the work we are already doing under the Telecommunications (Security) Act 2021. It will be a question of reinforcing that team, rather than setting up a separate one. We want to get the best, high-quality individuals who know how to talk to industry and really know cyber-security, to make sure people have a good experience when engaging with us.

Ian Hulme: To add to that, the one challenge we will face as a group is that we are all fishing in the same pond for skills. MSPs and others will also be fishing in that pond from the sector side. There needs to be recognition that there is going to be a skills challenge in this implementation.

Stuart Okin: To specifically pick up on the numbers, we have a headcount of 43 who are dedicated within cyber regulation. That also includes the investment side. We also have access to the engineering team—the engineering directorate—which is a separate team. There is also our enforcement directorate, as well as the legal side of things. The scope changes proposed in the Bill are just the large load controllers and supply chain, so we are not expecting a major uplift. These will be small numbers in comparison. Unlike my colleagues, we are not expecting a big uplift in resourcing.

Tim Roca (Macclesfield) (Lab)

Q I was reading the ICO’s response in December, as this legislation was proceeding, and it talks a little about having clarity around secondary legislation, the Secretary of State’s powers and the definition of “significant impact”. What are your concerns about the secondary legislation, or what you would like to make sure is right in it?

Ian Hulme: There are two angles to that. From a purely planning and preparation perspective, it is incredibly difficult, without having seen the detail, to know precisely what is expected of MSPs and IDSPs in the future, and therefore what the regulatory activity will be. That is why, when I am answering questions for colleagues, it is difficult to be precise about those numbers.

Equally, we are hearing from industry that it wants that precision as well. What is the expectation on it regarding incident reporting? What does “significant impact” mean? Similarly, with the designation of critical suppliers, precision is needed around the definitions. From a regulatory perspective, without that precision, we will probably find ourselves in a series of potential cases arguing about the definition of an issue. To give an example, if the definition of MSP is vague, and we are saying to an MSP that we think it is in scope, and it is saying, “No, we are not,” then a lot of our time and attention will be taken up with those types of arguments and disputes. Precision will be key for us.

Tim Roca

Q Is there anything that you would have preferred to see in the primary legislation, or do you think secondary legislation affords industry and Government flexibility?

Ian Hulme: There is a balance to be struck. When something is written on the face of the Bill and things change—and we know that this is a fast-moving sector—it makes it incredibly difficult to change things. There is a balance to be struck between primary and secondary, but what we are hearing and saying is that more precision around some of the definitions will be critical.

Natalie Black: I strongly agree with Ian. A regulator is only as good as the rules that it enforces. If you want us to hold the companies to account, we need to be absolutely clear on what you are asking us to do. The balance is just about right in terms of primary and secondary, particularly because the secondary vehicle gives us the opportunity to ensure that there is a lot of consultation. The Committee will have heard throughout the day—as we do all the time from industry—that that is what industry is looking for. They are looking for periods of business adjustment—we hear that loud and clear—and they really want to be involved in the consultation period. We also want to be involved in looking at what we need to take from the secondary legislation into codes of practice and guidance.

Dr Spencer

Q Natalie, I am going to single out Ofcom, which has a lot on its plate at the moment, particularly when it comes to the implementation of the Online Safety Act 2023 and all its other duties. Are you set up to administer your duties under the Bill? Are your resources siloed, given Ofcom’s competing considerations, particularly over the next few years?

Natalie Black: That is a great question, and I am not at all surprised that you have asked it, given everything that is going on at the moment. As well as being group director for infrastructure and connectivity, I am also the executive member of the board, sitting alongside our chief executive officer, so from first-hand experience I can say that Ofcom really recognises how fast technology is changing. I do not think there is another sector that is really at the forefront of change in this way, apart from the communications sector. There are a lot of benefits to being able to sit across all that, because many of the stakeholders and issues are the same, and our organisation is learning to evolve and adapt very quickly with the pace of change. That is why the Bill feels very much like a natural evolution of our responsibility in the security and resilience space.

We already have substantial responsibilities under NIS and the Telecommunications (Security) Act 2021. We are taking on these additional responsibilities, particularly over data centres, but we already know some of the actors and issues. We are using our international team to understand the dynamics that are affecting the Online Safety Act, which will potentially materialise in the security and resilience world. As a collective leadership team, we look across these issues together. The real value comes from joining the dots. In the current environment, that is where you can make a real difference.

Dr Spencer

Q That sounds slightly like an argument for having a single regulator, as opposed to multiple sector regulators. I apologise if I am putting words into your mouth.

Natalie Black: That is definitely not what I am saying. You can cut the cake in many different ways. From where I sit—from my experience to date—you need specific sector regulators because you need regulators that understand the business dynamics, the commercial dynamics, the people dynamics and the issues on a day-to-day basis.

We have many people who have worked at Ofcom for a very long time, and who know the history and have seen these issues before. When it comes to threats, which is ultimately what we are dealing with—cyber-security is a threat—it is cross-cutting. It adapts, evolves and impacts in different ways. The knack is having a sector regulator that really understands what is going on. That means that when you are dealing with cyber-incidents, you understand the impact on real people and businesses, and ultimately you can do something more quickly about it.

Dr Spencer

Q From all three of your perspectives, are you quite clear about where your individual institutional responsibilities lie? Is there clear water between the organisations? When Ian Levy from Amazon gave evidence this morning, I was struck when he said that Amazon is regulated in the cyber-security space by four regulators. Is the separation of duties and responsibilities clear? Is there a risk that the Secretary of State’s ability to designate critical security risks will muddy the water a bit?

Stuart Okin: We have a clear understanding of the responsibilities within Ofgem. We are the joint competent authority with the Department for Energy Security and Net Zero. The Department does the designation and incident handling, and we do all the rest of the operations, including monitoring, enforcement and inspections. We understand our remit with NCSC. GCHQ is part of the cyber-security incident response team; it is ultimately responsible there.

Going back to your main concern, we are part of an ecosystem. We have to understand where our lines are drawn, where NCSC’s responsibilities are and what the jobs are. To go back to us specifically, we can talk about engineering aspects, electrical engineering, gas engineering and the cyber elements that affect that, including technology resilience—not cyber. As long as we have clear gateways and communication between each other—and I think that the Bill provides those gateways—that will also assist, but there are clear lines of responsibilities.

Natalie Black: It is clear that there is work to do to get in the same place for the Bill. Exactly as Stuart said, the information gateways will make a massive difference. It is too hard, at the moment, to share information between us and with the National Cyber Security Centre. The fact that companies will have to report within 24 hours not only to us but to the NCSC is very welcome.

To return to my earlier point, we think that there is a bit of work for DSIT to do to help to co-ordinate this quite complicated landscape, and I think that industry would really welcome that.

Ian Hulme: I agree with colleagues. From an ICO perspective, we see our responsibilities as a NIS competent authority as complementary to our role as a data protection regulator. If you want secure data, you have to have secure and resilient networks, which are obviously used to process data. We see it as a complementary set of regulations to our function as a data protection regulator.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Q I would like to continue the line of questioning on the importance of having a single regulator. Other countries, such as the Netherlands, have recently merged their cyber-security organisations. The Bill introduces expanded but sector-specific reporting requirements, to apply to regulators across different sectors. Do you believe that this fragmented reporting landscape risks preventing Government and regulators from forming a coherent cross-sector picture of emerging threats—particularly when foreign actors may be probing multiple systems simultaneously? If so, what measures could be taken to mitigate that risk?

It strikes me that, if one of the things that this legislation is to guard against is pre-positioning, and there are 14 parallel reporting systems in place, it could be the case that those pre-positioning attacks are not picked up as co-ordinated attacks from another nation state or organisation, because they are not pulled together in time.

Natalie Black: I point to my earlier remarks about information sharing. You are right: that is one of the great benefits of the Bill. To be able to do more, particularly when it comes to pre-positioning attacks, is really important. You will have heard from the NCSC, among others, that that is certainly a threat that we are seeing more and more of.

At the moment, it is too difficult to share information between us. The requirement to have an annual report to the NCSC is a good mechanism for consolidating what we are all seeing, and then for the NCSC to play the role of drawing conclusions. It is worth emphasising that Ofcom is not an operational organisation; we are a regulator. We look to the NCSC to provide threat leadership for what is going on across the piece. I think that that answers your question about where it all comes together.

Stuart Okin: I fully support that. The NCSC will be the hub for that type of threat intel and communications, in terms of risks such as pre-positioning and other areas. The gateways will help us to communicate.

Ian Hulme: Bringing it back to the practicalities of incident reporting, you said that there are potentially 14 lines of incident reporting because there are 14 competent authorities. How that can be consolidated is something to be explored. Put yourself in the position of an organisation that is having to make a report: there needs to be clarity on where it has to make it to and what it needs to report.

David Chadwick

Q Do you know how you would do that information sharing at the moment?

Ian Hulme: As we have already explained, the current regs do not allow us to share the information, which is a bit of a barrier for us. In the future, certainly, we will be working together to try to figure it out. I think that there is also a role for DSIT in that.

Natalie Black: First, we currently have a real problem in that information sharing is much harder than it should be. The Bill makes a big difference in addressing that point, not only among ourselves but with DSIT and NCSC. Secondly, we think that there is an opportunity to improve information reporting, particularly incident reporting, and we would welcome working with DSIT and others—I have mentioned the Digital Regulation Cooperation Forum—to help us find a way to make it easier for industry, because the pace at which we need to move means that we want to ensure that there is no unnecessary rub in the system.

Emily Darlington (Milton Keynes Central) (Lab)

Q I have a question for Ian Hulme. In your role at the ICO, you are clearly looking at data security. Data is obviously one of the main goals of cyber-attacks. Data issues cut across every sector, and you are looking at a really broad sector of data, from individual identifiers to names, addresses, bank accounts or whatever it might be. This could happen in any sector. How does the Bill give you additional powers to take action, particularly on those co-ordinated through AI or foreign actors, and do you think it is sufficient for what you feel we will be facing in the next five years?

Ian Hulme: We need to think about this as essentially two different regimes. The requirements under data protection legislation to report a data breach are well established, and we have teams, systems and processes that manage all that. There are some notable cases that have been in the public domain in recent months where we have levied fines against organisations for data breaches.

The first thing to realise is that we are still talking about only quite a small sub-sector—digital service providers, including cloud computing service providers, online marketplaces, search engines and, when they are eventually brought into scope, MSPs. A lot of MSPs will provide services for a lot of data controllers so, as I explained, if you have the resilience and security of information networks, that should help to make data more secure in the future.

Lincoln Jopp (Spelthorne) (Con)

Q One of my favourite aphorisms is, “Institutions get the behaviours they reward.” We had a cry from Amazon Web Services this morning about how, when a regulator deals with a company in the event of a cyber-security attack, please remember you are dealing with a victim.

I have dealt with the ICO before. Maybe it was the company that I worked in and led, but there was a culture there that, if you had a data breach, you told the ICO. There was no question about it. How are you going to develop your reactions and the behaviours you reward in order to encourage a set of behaviours and cultures of openness within the corporate sector, bearing in mind that, as was said this morning, by opening that door, companies could be opening themselves up to a hefty fine?

Stuart Okin: In the energy sector, we have that culture. It is one of safety and security, and the chief executives and the heads of security really lean into it and understand that particular space. There are many different forums where they communicate and share that type of information with each other and with us. Incident response is really the purview of DESNZ rather than us, but they will speak to us about that from a regulatory perspective.

Ian Hulme: From the ICO’s perspective, we receive hundreds of data-breach reports. The vast majority of those are dealt with through information and guidance to the impacted organisation. It is only a very small number that go through to enforcement activity, and it is in only the most egregious cases—where failures are so egregious that, from a regulatory perspective, it would be a failure on our part not to take action.

I anticipate that is the approach we will take in the future when dealing with the incident reporting regime that the Bill sets out. Our first instinct would be to collaborate with organisations. Only in the most egregious cases would I imagine that we would look to exercise the full range of our powers.

Natalie Black: From Ofcom’s point of view, we have a long history, particularly in the telecoms sector, of dealing with a whole range of incidents, but I certainly hear your point about the victim. When I have personally dealt with some of these incidents, often you are dealing with a chief executive who has woken up that morning to the fact that they might lose their job and they have very stressed-out teams around them. It is always hard to trust the initial information that is coming out because no one really knows what is going on, certainly for the first few hours, so it is the maturity and experience that we would want to bring to this expanded role when it comes to data centres.

Ultimately, the best regulatory relationships I have seen are where there is a lot of trust and openness that a regulator is not going to overreact. They are really going to understand what is going on and are very purposeful about what they are trying to achieve. From Ofcom’s point of view, it is always about protecting consumers and citizens, particularly with one eye on security, resilience and economic growth. The experience we have had over the years means that we can come to those conversations with a lot of history, a lot of perspective and, to be honest, a bit of sympathy, because sometimes those moments are very difficult for everyone involved.

The Chair

We have only five minutes left for this session, so if we can have concise questions and answers we might get everyone in.

Sarah Russell (Congleton) (Lab)

Q One of the things talked about this morning was that the risk in these relationships and sectors will simply be managed down the supply chain until it is essentially contracted out of existence, because the smallest organisations that end up holding the risk will be incapable of effectively managing it. Should they fail, because they have not failed the risk and their liabilities become so big, they will just collapse. It will not be possible for you guys to manage the entirety of the supply chain down, so how do you see your enforcement capabilities and the adequacy or otherwise of the legislation in that context?

Stuart Okin: Essentially, we would not go all the way down the supply chain. First, the operators of essential services are defined very much by the thresholds. Ultimately, they are the first point of responsibility. On the critical third party suppliers that have been brought in by the Bill, there will be a small number of those that, for energy, are for the entire systemic system of the UK, not the smaller entities. So we will hold those to account. On the enforcement side of things, if and when it comes to that, they will be in the same situation as the current operators of essential services are today. We welcome the simplification in the Bill and bringing those into the same sectorial powers and the same types of fines that we see today. It will not go down to those minutiae of detail. Again, the secondary legislation gives you the ability to define that.

Natalie Black: To keep it brief, we welcome the supply chain being brought into scope because we are all well aware that the most high-profile recent incidents often emanated from the supply chain. That said, we should be very honest about the complexity of entering this space, exactly for all the points that you have alluded to in terms of volume and scale and everything. We are already using this time to work through what our methodology will be. Engaging with the operators of essential services who are ultimately the customer of these suppliers has to be a starting point in terms of who they are most worried about in their supply chain. As Stuart says, you will see some commonality across all our sectors, so the numbers might not be as big as we might at first think, but this is what we need to work through over the coming months.

Ian Hulme: From an ICO perspective, one of the big tasks that we are going to have in understanding the MSP market is what their supply chains look like. We are perhaps a little behind colleagues in other regulators because of the difference in the regulatory regime, but that is one of the tasks that we will have to get to grips with.

The Chair

I call Freddie van Mierlo. You have one minute.

Freddie van Mierlo (Henley and Thame) (LD)

Q I shall be brief. One of the things we heard this morning is that, by its very nature, companies who require and also supply these kinds of digital services are not geographically bound. They are cross-border. How do you, as regulators in the UK, manage and understand the need to regulate companies that operate cross-border?

Ian Hulme: Certainly from an ICO perspective, many IDSPs that we currently regulate are operating across boundaries. From our perspective, the focus is on the outcome. If they have operations in other jurisdictions that are providing services into the UK, our focus is on the outcome and getting to understand the UK side of things more than anything else.

Natalie Black: This is a challenge for us every day. Many of the companies that we regulate have a footprint in the UK or multiple footprints around the world. The issue is in making sure that the UK requirements are as clear as possible to give them no excuse to argue exceptionalism. That is why we really welcome the opportunity to get into the detail through secondary legislation, which will be very important in holding all the companies to account that we think need to be held to account.

The Chair

That brings us to the end of the allotted time for the Committee to ask questions. On behalf of the Committee, I thank our witnesses for their evidence.

Examination of Witness

Chung Ching Kwong gave evidence.

14:40
The Chair

We will now hear oral evidence from Chung Ching Kwong, senior analyst for the Inter-Parliamentary Alliance on China. We have until 3 pm for this session.

Chris Vince

Q Thank you for coming to give evidence. What methods are hostile state actors using to infiltrate UK essential services, and what can we do to prevent that?

Chung Ching Kwong: Just to give some background, I am a senior analyst for the Inter-Parliamentary Alliance on China, and a PhD candidate in law at the University of Hamburg, focusing on data protection and data transfer. My expertise is not entirely on critical infrastructure security, but I do a lot of analysis on China’s legal system and also how it works in general. That is how I can contribute to this evidence session.

The threat posed by the CCP to our critical national infrastructure, such as water, energy and transportation, has shifted from espionage—stealing secrets—to pre-positioning, or preparing for sabotage. We cannot understand the threat without understanding the civil-military fusion of the Chinese state. Chinese companies operating in our CNI are not independent per se, in the way we would normally think about that in our country—in other words, private entities that operate on their own and have their own decision-making mechanisms. They are legally obligated under at least article 7 of China’s national intelligence law to co-operate with the state, to provide information, to provide help with decryption and to gather information at the request of the Government.

As highlighted by the NCSC, groups such as Volt Typhoon are pre-positioning within utility networks in the States. They do not use malware; they live off the land, using legitimate administrative credentials to proceed undetected for years. That is not for financial gain; they do it until the time is right for them to pull the trigger and cause a crisis.

In the transportation sector, there are a lot of cellular IoT modules embedded in e-buses and EVs. These devices require constant communication with servers in China to function, so they are constantly feeding data back to China for maintenance, remote access of data and that kind of thing. It could all be innocent and a feature for operational and functional purposes, but if—and only if—Beijing orders that data to be handed over and actions to be taken, it will become a problem.

That is the context of the risk we are facing when it comes to China, especially in terms of state-sponsored attacks. All entities, be they foreign companies in China or local Chinese-founded companies, have an obligation under Chinese law.

Chris Vince

Q I was thinking specifically about data. There is a back and forth about digital IDs, for example, but the reality is that a lot of people’s data already exists on the internet. Is it your view that it is not necessarily about the short-term financial gain that the data can provide, but a long-term process of gathering information?

Chung Ching Kwong: Gathering information and data is definitely one of the main goals, but it is not limited to data transfer. Right now, in the UK, they do not need to rely only on access to critical infrastructure; under the Data Protection Act here in the UK, it is legal to transfer personal data through contractual clauses, so they can have access to personal data as long as they have that.

Of course, gathering data gives them insight into what is happening in the UK; if they want transportation data or power grid data, they can gather those data by different means. But it is also very important to understand Xi Jinping’s comprehensive national security concept. I think this is the reason why they are so determined to collect information, not only in the UK but worldwide.

In that kind of comprehensive security concept, political security, defined as the survival of the regime, is paramount. It overrides anything—not economic gain, not whether or not the GDP of China is going to grow in the next year, but any information or action that they see as necessary to make sure that the CCP is in control. That means it is gathering data of dissidents overseas, it is gathering data on the power grid, it is gathering data on transportation—anything they might find useful for a different purpose, which is, ultimately, to serve the goal of the survival of the regime.

Chris Vince

That was a far better answer than my question. Thank you.

Dr Spencer

Q Thank you for coming to give evidence this afternoon. I have two questions. First, what more could the Government be doing to make regulated sectors aware of the risks you have just laid out and what they can do to address them?

Secondly, it has been reported recently that communications of senior Government aides were hacked by Chinese state affiliates between 2021 and 2024. In view of that threat to telecoms networks, what are the potential cyber-risks to communications infrastructure that you see arising from the intended location of China’s super-embassy in the City of London?

Chung Ching Kwong: On the first question, about what can be done to help sectors understand the risks, education is paramount. At this point, we do not have a comprehensive understanding of what kind of risks state actors like China pose. We are very used to the idea that private entities are private entities, because that is how the UK system works; we do not see that organisations, entities or companies associated with China or the Chinese state are not independent actors as we would expect, or want to expect.

There is a lot of awareness-raising to be done and guidance to be issued around how to deal with these actors. There is a lot of scholarly work that says that every part of Chinese society—overseas companies and so on—is a node of intelligence collection within the system of the CCP. Those things are very important when it comes to educating.

Also, the burden of identifying what is a national security risk and what is not should not be put on small and medium-sized businesses, or even big companies, because they are not trained to understand what the risks are. If you are not someone specialising in the PLA and a lot of other things academically, it would be very difficult to have to deal with those things on a day-to-day basis and identify, “That’s a threat, and that’s a threat.”

Sorry, what was the second question?

Dr Spencer

Q It was about China’s super-embassy in London. What cyber-security risks do you think that poses, given your experience and background?

Chung Ching Kwong: There is not a lot of publicly available information on the sensitive cabling that is around the area, so I cannot confidently say what is really going to happen if they start to build the embassy and have such close contact with those cables. The limit of this Bill when it comes to the Chinese embassy is that it cannot mitigate the risks that are posed by this mega-embassy in the centre of London, because it regulates operators and not neighbours or any random building in the City. If the embassy uses passive interception technology to harvest data from local wi-fi or cellular networks, no UK water or energy company is breached. There is no breach if they are only pre-positioning there to collect information, instead of actually cutting off the cables, so when they do cut off the cables, it will be too late. There will be no report filed under the Bill, even if it is under the scope of the Bill when it comes to regulation. The threat in this case is environmental and really bypasses the Bill’s regulatory scope.

Dave Robertson (Lichfield) (Lab)

Q Thank you for coming in to talk to us this afternoon. The Bill includes a couple of backstop powers for the Government to compel information and things like that. Are those powers sufficient to guarantee national security?

Chung Ching Kwong: I think that to a certain extent they will. For hackers or malicious actors aiming for financial gain with more traditional hacking methods, it will definitely do a job in protecting our national security. But the Bill currently views resilience through an IT lens. It is viewing this kind of regulatory framework as a market regulatory tool, instead of something designed to address threats posed by state-sponsored actors. It works for cyber-criminals, but it does not work for state actors such as China, which possess structural leverage over our infrastructure.

As I said before, we have to understand that Chinese vendors are legally obliged to compromise once they are required to. The fine under the Bill is scary, but not as scary as having your existence threatened in China—whether you still have access to that market or you can still exist as a business there. It is not doing the job to address state-sponsored hackers, but it really does help when it comes to traditional hacking, such as phishing attempts, malware and those kinds of things.

Bradley Thomas

Q For the avoidance of doubt, I will put on the record that I am a member of the IPAC caucus in this Parliament. Thank you for coming in to see us. You have spoken about the threats from hostile and adversarial states. Given the scope of what we are talking about, can you give us any insight on what comparable western nations are doing to protect themselves?

Chung Ching Kwong: The US is probably a good example. It passed Executive order 14028 in May 2021, which requires any software vendor selling to the US federal Government to provide something called a software bill of materials—SBOM. That is technically a table of ingredients, but for software, so you can see exactly what components the software is made of. A lot of the time people who code are quite lazy; they will pull in different components that are available on databases online to form a piece of software that we use. By having vendors provide an SBOM, when anything happens, or whenever any kind of vulnerability is detected, you can very easily find out what happened.

That is due to a hack in 2021, in which a tiny, free piece of code called Log4j was found to have a critical vulnerability. It was buried inside thousands of commercial software products. Without that list of ingredients, it would be very difficult for people who had been using the software to find out, because, first, they may not have the technological capabilities and, secondly, they would not even know if their software had that component. This is one of the things the US is doing to mitigate the risks when it comes to software.

Something that is not entirely in the scope of the Bill but is also worth considering is the US’s Uyghur Forced Labour Prevention Act. That is designed to prevent goods made with forced labour from entering the supply chain. The logic of preventing forced labour is probably something that the UK can consider. Because the US realised that it could not inspect every factory in Xinjiang to prove forced labour, it flipped the script: the law creates a rebuttable presumption that all goods from that region are tainted, so the burden of proof is now on the importer to prove, with clear and convincing evidence, that their supply chain is clean.

A similar logic could be considered when it comes to this Bill to protect cyber-security. Any entities that are co-operating with the PLA—the People’s Liberation Army—for example, should be considered as compromised or non-trustworthy until proven otherwise. That way, you are not waiting until problems happen, when you realise, “Oh, this is actually tainted,” but you prevent it before it happens. That is the comparison that I would make.

Tim Roca

Q I, too, put on the record that I am a member of the IPAC caucus in this Parliament.

Thank you for speaking to us today. May I turn the conversation a little on its head? We have been talking about national security and the threat from China and others. You were an activist in Hong Kong and made a great deal of effort to fight the Chinese Communist party’s invasion of privacy—privacy violations using the national security law—and other things. Do you see any risk in this legislation as regards civil liberties and privacy? We have had a bit of discussion about how much will go into secondary legislation and how broad the Secretary of State’s powers might be.

Chung Ching Kwong: The threat to privacy, especially to my community—the Hong Kong diaspora community in this country—will be in the fact that, under clause 9, we will be allowing remote access for maintenance, patches, updates and so on. If we are dealing with Chinese vendors and Chinese providers, we will have to allow, under the Bill, certain kinds of remote access for those firms to maintain the operation of software of different infrastructures. As a Hongkonger I would be worrying, because I do not know what kind of tier 2 or tier 3 supplier will have access to all those data, and whether or not they will be transmitted back to China or get into the wrong hands. It will be a worry that our data might fall into the wrong hands. Even though we are not talking specifically about personal data, personal data is definitely in scope. Especially for people with bounties on their head, I imagine that it will be a huge worry that there might be more legitimate access to data than there is right now under the Data Protection Act.

Tim Roca

Q From the other perspective—I am thinking about a UK Government in the future overreaching—do you think there is any risk from this legislation?

Chung Ching Kwong: It is always a double-edged sword when it comes to regulating against threats. The more that the Secretary of State or the Government are allowed to go into systems and hold powers to turn off, or take over, certain things, the more there is a risk that those powers will be abused, to a certain extent, or cause harm unintentionally. There is always a balance to be struck between giving more protection to privacy for ordinary users and giving power to the Government so that they can act. Obviously, for critical infrastructure like the power grid and water, the Government need control over those things, but for communications and so on, there is, to a certain extent, a question about what the Government can and cannot do. But personally I do not see a lot of concerns in the Bill.

Emily Darlington

Q I want to move from software to hardware that is particularly vulnerable to potential cyber-attack, particularly from the integration of Chinese tech into SIPs, possibly making them vulnerable to cyber-attack by someone who knows the code into those bits of hardware. Should we be doing more to protect against that vulnerability? Should that be covered by the Bill?

Chung Ching Kwong: It should definitely be covered by the Bill, because if we are not regulating to protect hardware as well, we will get hardware that is already embedded with, for example, an opcode attack. Examples in the context of China include the Lenovo Superfish scandal in 2015, in which originally implemented ad software had hijacked the https certificate, which is there to protect your communication with the website, so that nobody sees what activity is happening between you and the website. Having that Superfish injection made that communication transparent. That was done before the product even came out of the factory. This is not a problem that a software solution can fix. If you were sourcing a Lenovo laptop, for example, the laptop, upon arrival, would be a security breach, and a privacy breach in that sense. We should definitely take it a step further and regulate hardware as well, because a lot of the time that is what state-sponsored attacks target as an attack surface.

The Chair

That brings us nicely to the end of the time allotted for the Committee to ask questions. On behalf of the Committee, I thank our witness for her evidence.

Examination of Witness

Professor John Child gave evidence.

15:00
The Chair

We will now hear evidence from Professor John Child, professor of criminal law at the University of Birmingham and co-founding director of the Criminal Law Reform Now Network. For this session, we have until 3.20 pm.

Dr Spencer

Q Thank you for coming to give evidence this afternoon. I have a couple of questions. First, how can industry and cyber-security researchers collaborate more effectively to increase cyber-resilience in the network and information systems of regulated sectors? Secondly, and building on that, are there any model schemes or arrangements for reporting risks to affected companies that could incentivise legitimate research activities?

Professor John Child: My specialism is in criminal law, so this is a bit of a side-step from a number of the pieces of evidence you have heard so far. Indeed, when it comes to the Bill, I will focus on—and the group I work for focuses on—the potential in complementary pieces of legislation, and particularly the Computer Misuse Act 1990, for criminalisation and the role of criminalisation in this field.

I think that speaks directly to the first question, on effective collaboration. It is important to recognise in this field, where you have hostile actors and threats, that you have a process of potential criminalisation, which is obviously designed to be effective as a barrier. But the reality is that, where you have threats that are difficult to identify and mostly originating overseas, the actual potential for criminalisation and criminal prosecution is slight, and that is borne out in the statistics. The best way of protecting against threats is therefore very much through the use of our cyber-security expertise within the jurisdiction.

When we think about pure numbers, and the 70,000-odd cyber-security private experts, compared with a matter of hundreds in the public sector, police and others, better collaboration is absolutely vital for effective resilience in the system. Yet what you have at the moment is a piece of legislation, the Computer Misuse Act, that—perfectly sensibly for 1990—went with a protective criminalisation across-the-board approach, whereby any unauthorised access becomes a criminal offence, without mechanisms to recognise a role for a private sector, because essentially there was not a private sector doing this kind of work at the time.

When we think about potential collaboration, first and foremost for me—from a criminal law perspective—we should make sure we are not criminalising effective cyber-security. The reality is that, when we look at the current system, if any unauthorised access of any kind becomes a criminal offence, you are routinely criminalising engagement in legitimate cyber-security, which is a matter of course across the board. If you are encouraging those cyber-security experts to step back from those kinds of practices—which may make good sense—you are also lessening that level of protection and/or outsourcing to other jurisdictions or other cyber-security firms, with which you do not necessarily have that effective co-operation, reporting and so on. That is my perspective. Yes, you are absolutely right, but we now have mechanisms in place that actively disincentivise that close collaboration and professionalisation.

Sarah Russell

Q Professor Child, I note that you are very supportive of legal reform in quite a number of areas. With emphasis on the Computer Misuse Act, surely the reality is that the Crown Prosecution Service will never conclude that it is in the best interests of the country to prosecute any of the behaviours that people are concerned about, which we recognise as positive and helpful. Is there a need for legal reform?

Professor John Child: Yes. It is not the easiest criminal law tale, if you like. If there were a problem of overcriminalisation in the sense of prosecutions, penalisation, high sentences and so on, the solution would be to look at a whole range of options, including prosecutorial discretion, sentencing or whatever it might be, to try to solve that problem. That is not the problem under the status quo. The current problem is purely the original point of criminalisation. Think of an industry carrying out potentially criminalised activity. Even if no one is going to be prosecuted, the chilling effect is that either the work is not done or it is done under the veil of potential criminalisation, which leads to pretty obvious problems in terms of insurance for that kind of industry, the professionalisation of the industry and making sure that reporting mechanisms are accurate.

We have sat through many meetings with the CPS and those within the cyber-security industry who say that the channels of communication—that back and forth of reporting—are vital. However, a necessary step before that communication can happen is the decriminalisation of basic practices. No industry can effectively be told on the one hand, “What you are doing is vital,” but on the other, “It is a criminal offence, and we would like you to document it and report it to us in an itemised fashion over a period of time.” It is just not a realistic relationship to engender.

The cyber-security industry has evolved in a fragmented way both nationally and internationally, and the only way to get those professionalisation and cyber-resilience pay-offs is by recognising that the criminal law is a barrier—not because it is prosecuting or sentencing, but because of its very existence. It does not allow individuals to say, “If, heaven forbid, I were prosecuted, I can explain that what I was doing was nationally important. That is the basis on which I should not be convicted, not because of the good will of a prosecutor.”

Dr Gardner

Q I have a couple of unconnected questions. We have asked a couple of times whether senior board members should have legal, statutory responsibility for cyber. The pros are that it is not seen as a priority, and culture change has to be top-down. However, there are issues with smaller companies bearing a responsibility that is diffused along the supply chain. Also, boards that tend to have a focus on providing returns for shareholders may not be investing in this complex arena. I am interested in your thoughts on whether the Bill does enough to make senior executives responsible for their organisations’ cyber-security.

Professor John Child: I think the Bill does a lot of things quite effectively. It modernises in a sensible way and it allows for the recognition of change in type of threat. This goes back to my criminalisation point. Crucially, it also allows modernisation and flexibility to move through into secondary legislation, rather than us relying purely on the maturations of primary legislation.

In terms of board-level responsibility, I cannot speak too authoritatively on the civil law aspects, but drawing on my criminal law background, there is something in that as well. At the moment, the potential for criminalisation applies very much to those making unauthorised access to another person’s system. That is the way the criminal law works. We also have potential for corporate liability that can lead all the way up to board rooms, but only if you have a directing mind—so only if a board member is directing that specific activity, which is unlikely, apart from in very small companies.

You can have a legal regime that says, whether through accreditation or simple public interest offences, that there are certain activities that involve unauthorised access to another person’s system, which may be legitimate or indeed necessary. However, we want a professional culture within that; we do not want that outsourced to individuals around the world. You can then build in sensible corporate liability based on consent or connivance, which goes to individuals in the boardroom, or a failure-to-prevent model of criminalisation, which is more popular when it comes to financial crimes. That is where you say, “If this exists in your sector, as an industry and as a company, you can be potentially liable as an entity if you do not make sure these powers are used responsibly, and if you essentially outsource to individuals in order to avoid personal liabilities.”

Dr Gardner

Q Thank you—that was quite detailed. I have a very quick question: what measures would you want the Government to take to enhance the cyber-resilience of the UK’s critical national infrastructure? I am interested in your thoughts on requirements for failsafes and risk management, and indeed on the non-technical resilience measures that would be needed in case of complete failure.

Professor John Child: Again, I have to draw back to the criminal law aspects. I think the Bill does the things it needs to do well; certainly, from the conversations I have had with those in cyber-security and so on, these are welcome steps in the right direction.

However, when you look at critical national infrastructure, although you can create layers of civil responsibility and regulation—which is entirely sensible—most of that will filter down to individuals doing cyber-security and resilience work. It is about empowering those individuals; within a state apparatus, that is one thing, but even with regulators and in-house cyber-security experts, individuals are working only within the confines of what they are allowed to do under the criminal law, as well as the civil regulatory system.

The reason I have been asked here, and what a lot of my work has focused on, is this: if you filter responsibility down to individuals doing security work for national as well as commercial infrastructure, you need to empower them to do that work effectively. The current law does not do that; it creates the problem of either doing that work under the veil of criminalisation, or not doing it, with work being outsourced to places where you do not have the back-and-forth communication and reporting regime you would need.

Dr Gardner

I think you are touching on the old problem of where liability lies when you have this long supply chain of diffused responsibility, but thank you.

Dave Robertson

Q Thank you, Professor, for coming along. You said that when the Computer Misuse Act was written in 1990, not many people were doing cyber-security work. You attested that the criminalisation element was negative for a number of reasons. Obviously, since then, a private sector has grown up in this area. I am struggling to marry those two pieces of information together. Can you give us an impression of other jurisdictions and of international comparators where things may be different, and whether they have been able to get ahead of us in building a more thriving sector? Are we particularly lagging behind in the OECD? Are other countries ahead of us because they do not have the measures we do?

Professor John Child: That is a good question. It is certainly fair to say that all jurisdictions are somewhat in flux about how to deal with cyber threats, which are mushrooming in ways people would not have expected—certainly not in 1990, but even many years after.

The various international conventions—the OECD, the Budapest convention and so on—require regulation and criminalisation, but those are not nearly as wide as the blanket approach that was taken in this country. Some comparative civil law jurisdictions in the rest of Europe start from a slightly different place, in that they did not necessarily take the maximalist approach to criminalisation we did.

In a number of jurisdictions, you do not have direct criminalisation of all activities, regardless of the intention of the actor, in the same way that we do. So we are starting from a slightly different position. Having said that, we do see a number of jurisdictions making positive strides in this direction, because they need to; indeed, we see that at European Union level as well, where directives are being created to target this area of concern.

There are a few examples. We wrote a comparative report, incidentally, which is openly available. In terms of some highlights from that, there is a provision in French law, for example, where, despite mandatory prosecution being the general model within French criminal law, there is a carve-out relating to cyber-security and legitimate actors, where there is not the same requirement to prosecute. In the Netherlands, there was a scandal around hacking of keycards for public transport. That was done for responsible reasons, and there was a backlash in relation to prosecution there. There were measures taken in terms of prosecutorial discretion. Most recently, in Portugal, we saw a specific cyber-security defence created within the criminal law just last year.

In the US, it varies between states. In a lot of states, you have quite an unhelpful debate between minimalist and maximalist positions, where they either want to have complete hack-back on the one hand or no action at all on the other, but you have a slightly more tolerant regime in terms of prosecution.

So there are varying degrees, but certainly that is the direction of travel. For sensible, criminal law reasons that I would speak to, as well as the commercial benefits that come with a sector that is allowed to do its work properly, and the security benefits, that is certainly the direction of travel.

Dave Robertson

Q That is a really helpful international comparator on where others are with the criminal law. Is there any correlation between that and the ability of people within those jurisdictions to act and work in this space? In the UK, we have seen a significant increase in the number of people working in this area since 1990. That is the real thing for me: whether we can prove that, internationally, there is a significant difference between jurisdictions that are minimalist or maximalist. If one of them is encouraging more people to work in this area, and therefore has a wider pool of talent, are they able to protect critical infrastructure better? Does that correlation exist?

Professor John Child: Yes. As I understand it, it does. This is part of the reason, incidentally, why my organisation, which focuses very much on criminal law aspects, ended up doing some collaborative work with the CyberUp campaign. That is because, from the industry perspective, they can do that kind of business modelling in a way that we do not. Whereas we can make the case for sensible criminal law reform, they can talk about how that reform translates into both the security environment and the commercial environment. Their perspective on this is, first, that we can see that there is already outsourcing of these kinds of services, particularly to the US, Israel and other more permissive jurisdictions. That is simply because, if you are a cyber-security expert in one of those jurisdictions, you are freer to do the work companies would like you to do to make sure their systems are safe here.

There are also the sectoral surveys and so on, and the predictions about what it is likely to do to the profession if you allow it to do these kinds of services in this jurisdiction. That is about the security benefits, but they are also talking about something like a 10% increase in the likely projection of what cyber-security looks like in this jurisdiction—personnel, GDP and so on.

Dr Spencer

Q What are the arguments against amending the CMA, and how would you deal with them?

Professor John Child: There are obviously a number. It is always more comfortable when you have a beginning point of criminalisation. The argument to decriminalise in an environment where you want to protect against threats is sometimes a slightly unintuitive sell. Is the criminalisation that we have doing the necessary work in terms of actually fighting the threats? To some extent, yes, but it is limited. Is it doing harms? There is an argument to say that it is doing harms.

This comes back to the point that was made earlier, which was perfectly sensible. When you speak to the CPS and others, their position as prosecutors is to say, “Very few people are being prosecuted, and we certainly don’t want to be prosecuting legitimate cyber-security experts, so there is no problem.” Admittedly, that means there is no problem in terms of actual criminalisation and prosecution, but that is the wrong problem. If you focus on the problem being the chilling effect of the existence of the criminalisation in the first place, you simply cannot solve that through prosecutorial discretion, and nor should you, when it comes to identifying what a wrong is that deserves to be criminalised. You certainly cannot resolve it through sentencing provisions.

The only way that you can sensibly resolve this is either by changing the offence—that is very difficult, not least because, from a position of criminalisation, it might be where other civil jurisdictions begin—or by way of defence, which realistically is the best solve from the point we are at now. If you have a defence that can be specifically tailored for cyber-security and legitimate actors, you can build in reverse burdens of proof. You can build in objective standards of what is required in terms of public interest.

The point here is that the worry is one of bad actors taking advantage. The reality is that that is very unlikely. The idea that the bad actors we identify within the system would be able to demonstrate how they are acting in the public best interest is almost ridiculous. Indeed, the prospect of better threat intelligence, better securities and so on provides more information and better information-sharing to the NCSC and others and actually leads to more potential for prosecution of nefarious actors rather than less.

It is a more complicated story than we might like in terms of a standard case for changing the criminal law, but it is nevertheless an important one.

The Chair

That brings us to the end of the time allotted to ask questions. On behalf of the Committee, I thank our witness for his evidence. We move on to our next panel.

Examination of Witness

Detective Chief Superintendent Andrew Gould gave evidence.

15:20
The Chair

We will now hear oral evidence from Detective Chief Superintendent Andrew Gould, programme lead for the National Police Chiefs’ Council cyber-crime programme. For this session, we have until 3.40 pm. I call Dr Ben Spencer.

Dr Spencer

Q Thank you very much for coming in to give us evidence this afternoon, and thank you for your service. I have two questions. Who are the main threat actors in cyber-attacks on UK networks and information systems—what do they break down into, in terms of state actors, affiliates and criminal gangs?

Secondly, on ransomware attacks, you will know that the Government review states that ransomware is

“the greatest of all serious and organised cybercrime threats”.

In your view, what is the scale of that threat and what sectors and businesses are the primary targets?

DCS Andrew Gould: To take the actors first, they are probably quite well known, in terms of the general groupings. Yes, we have our state actors—the traditional adversaries that we regularly talk about—and they generally offer very much a higher-end capability, as you will all be aware.

The next biggest threat group is organised crime groups. You see a real diversity of capability within that. You will see some that are highly capable, often from foreign jurisdictions—Russian jurisdictions or Russian-speaking. The malware developers are often the more sophisticated as service-type offerings. We see more and more ransomware and other crime types almost operating as franchises—“Here is the capability, off you go, give us a cut.” Then they have less control over how those capabilities are used, so we are seeing a real diversification of the threat, particularly when it comes to ransomware.

Then, where you have that proximity to state-directed, if not quite state-controlled—that crossover between some of those high-end crime groups and the state; I am thinking primarily of Russia—it is a lot harder to attribute the intent behind an attack. There is a blurring of who was it and for what purpose was it done, and there is that element of deniability because it is that one further step away.

Moving back down the levels of the organised crime groups, you have a real profusion of less capable actors within that space, from all around the world, driving huge volumes, often using quite sophisticated tools but not really understanding how they work.

What we have seen is almost like a fragmentation in the criminal marketplace. The barrier to criminal entry is probably lower than it has ever been. You can download these capabilities quite readily—you can watch a tutorial on YouTube or anywhere else on how to use them, and off you go, even if you do not necessarily understand the impact. We certainly saw a real shift post pandemic from traditional criminals and crime groups into more online crime, because it was easier and less risky.

You look more broadly at hacktivists, terrorists—who are probably a lot less capable; they might have the intent but not so much the capability—and then the group that are sometimes slightly patronisingly described as script kiddies. These are young individuals with a real interest in developing their skills. They have an understanding that what they are doing is wrong, but they are probably not financially or criminally motivated. If they were not engaging in that kind of cyber-crime, they probably would not be engaging in other forms of criminality, but they can still do a lot of damage with the tools they can get their hands on, given that so many organisations seem to struggle to deliver even a basic level of cyber-resilience and cyber-security.

One of the things that we really noticed changing over the last 18 months is the diversification of UK threats. Your traditional UK cyber-criminal, if there is such a thing, is primarily focused on hacking for personal benefit, ransomware and other activity. Now we are seeing a diversification, and more of a hybrid, cross-organised crime threat. There are often two factors to that. We often hear it described in the media or by us within law enforcement publicly as the common threat—this emerging community online—otherwise known as Scattered Spider.

There, we are seeing two elements to those sorts of groups. You see an element of maybe more traditional cyber-skills engaged in hacking or using those skills for fraud, but we also see those skills being used for Computer Misuse Act offences, in order to enable other offences. One of the big areas for that at the moment that we see is around intimate image abuse. We see more and more UK-based criminals hacking individuals’ devices to access, they hope, intimate images. They then identify the subject of those intimate images, most predominantly women, and then engage in acts of extortion, bullying or harassment. We have seen some instances of real-world contact away from that online contact.

Think of the scale of that and the challenge that presents to policing. I can think of cases in cyber-crime unit investigations across the country where you have got a handful of individuals who have victimised thousands of women in the UK and abroad. You have got these small cyber-crime units of a handful of people trying to manage 4,000 or 10,000 victims.

It is very difficult and very challenging, but the flipside of that is that, if they are UK-based, we have a much better chance of getting hold of them, so we are seeing a lot more arrests for those cross-hybrid threats, which is a positive. There is definitely an emerging cohort that then starts to blend in with threats like Southport and violence-fixated individuals. There seems to be a real mishmash of online threat coming together and then separating apart in a way that we have never seen historically. That is a real change in the UK threat that is driving a lot of policing activity.

Turning to your ransomware question, what is interesting, in terms of the kinds of organisations that are impacted by ransomware, is that a lot of the ransomware actors do not want to come to notice for hitting critical national infrastructure. They do not want to do the cloning of pipelines. They do not want to be taking out hospitals and the NHS. They know they will not get paid if they hit UK critical national infrastructure, for starters, so there is a disincentive, but they also do not want that level of Government or law enforcement attention.

Think of the disruptive effect that the UK NCA and policing had on LockBit the year before last. LockBit went from being the No. 1 ransomware strain globally to being out of the top 10 and struggling to come back. We saw a real fragmentation of the ransomware market post that. There is no dominant strain or group within that space that has emerged to cover that. A lot of those groups that are coming into that space may be a bit less skilled, sophisticated and successful.

The overall threat to organisations is pretty much the same. The volume is the volume, but it is probably less CNI and more smaller organisations because they are more vulnerable and it is less likely to play out very publicly than if there is a big impact on the economy or critical national infrastructure. As such, there is probably not the level of impact in the areas that people would expect, notwithstanding some of the really high-profile incidents we had last year.

David Chadwick

Q Thank you for joining us. You mentioned frauds. It is a fact that criminals across the world are targeting British citizens every day. In Dyfed-Powys, over £500,000 was lost to online fraud in 2023-24, and elderly victims are losing £7,900 a day to fraud. Clearly, these attacks are coming from all over the world. Interpol recently arrested over 800 members of a global criminal network based in Nigeria. From your perspective, how effectively are UK police forces currently able to work with international partners to investigate and prosecute overseas criminals? What additional support from the Government would most improve your ability to mitigate online fraud from overseas?

DCS Andrew Gould: That is a really good question. The international jurisdiction challenge for us is huge. We know that is where most of the volumes are driven from, and obviously we do not have the powers to just go over and get hold of the people we would necessarily want to. You will not be surprised to hear that it really varies between jurisdictions. Some are a lot more keen to address some of the threats emanating from their countries than others. More countries are starting to treat this as more of a priority, but it can take years to investigate an organised crime group or a network, and it takes them seconds to commit the crime. It is a huge challenge.

There are two things that we could do more of, or do better—these are things that are in train already. If you think about the wealth of cyber-crime, online fraud and so on, all the data, and a lot of the skills and expertise to tackle it, sit within the private sector, whereas in law enforcement we have the law enforcement powers to take action to address some of it.

With a recent pilot in the City funded by the Home Office, we have started to move beyond our traditional private sector partnerships. We are working with key existing partners—blockchain analytic companies or open-source intelligence companies—and we are effectively in an openly commercial relationship; we are paying them to undertake operational activity on our behalf. We are saying, “Company a, b or c, we want you to identify UK-based cyber-criminals, online fraudsters, money-laundering and opportunities for crypto-seizure under the Proceeds of Crime Act 2002”. They have the global datasets and the bigger picture; we have only a small piece of the puzzle. By working with them jointly on operations, they might bring a number of targets for us, and we can then develop that into operational activity using some of the other tools and techniques that we have.

It is quite early days with that pilot, but the first investigation we did down in the south-east resulted in a seizure of about £40 million-worth of cryptocurrency. That is off a commercial contract that cost us a couple of hundred grand. There is potential for return on investment and impact as we scale it up. It is a capability that you can point at any area of online threat, not just cyber-crime and fraud, so there are some huge opportunities for it to really start to impact at scale.

One of the other things we do in a much more automated and technical way—again funded by the Home Office—is the replacement of the Action Fraud system with the new Report Fraud system. That will, over the next year or so, start to ingest a lot of private sector datasets from financial institutions, open-source intelligence companies and the like, so we will have a much broader understanding of all those threats and we will also be able to engage in takedowns and disruptions in an automated way at scale, working with a lot of the communication service providers, banks and others.

Instead of the traditional manual way we have always been doing a lot of that protection, we can, through partnerships, start doing it in a much more automated and effective way at scale. Over time, we will be able to design out and remove a lot of the volume you see impacting the UK public now. That is certainly the plan.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

Q One of the things that we have heard over the course of the day is that the Bill is just one of a range of different ways in which public authorities engage with companies on cyber-security and resilience. I am interested in hearing about the impact the Police CyberAlarm programme has had on the cyber-security and resilience of organisations. What would you like to see going forward?

DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.

For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.

For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.

We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”

To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.

The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.

Bradley Thomas

Q With regard to ransom payments and extortion attempts, what do you typically see? Is it for monetary gain or intellectual property data—what is the split?

DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.

Chris Vince

Q Part of my concern is the pace of change in the technology that hackers are using, and I am sure that is a concern for you as well. One of the conversations about the Bill is about how flexible or inflexible it should be. What is your view on the changing pace of the threat we face from criminality when it comes to cyber-attacks, and on how the Bill can best be framed to deal with that ever-changing challenge and threat?

DCS Andrew Gould: It is a tricky one. It feels like the technology change is getting ever faster and ever more challenging, but I first went into cyber-crime in the Met back in 2014, and we are giving the same advice now as we were giving then. Sometimes your head can explode with the technical complexity of it, but a lot of the solution just comes down to doing the really boring basics in a world-class way. It is things like patching and doing your software updates. Whether you are a member of the public or running an organisation, finding a way to do those updates and patches means that 50% of the threat has gone, there and then. With something like multi-factor authentication, it seems like most organisations do not want to inconvenience their staff or customers by putting it in place, but that would be another 40% of the problem solved. It is not infallible—nothing is—but if you are thinking about how attacks are still successful, it is pretty basic: a lot of our protections are not in place. Solving that means that 90% of the threat is gone, there and then. That then leaves the 10% of more sophisticated threats—let’s make the criminals work a bit harder.

The Chair

Order. That brings us to the end of the time allotted for the Committee to ask questions. I thank the witness for his evidence.

Examination of Witness

Richard Starnes gave evidence.

15:40
The Chair

We will now hear oral evidence from Richard Starnes, chair of the information security panel for the Worshipful Company of Information Technologists. We have until 4 pm for this session.

Dr Spencer

Q Thank you, Richard, for giving evidence this afternoon. I have a couple of questions. First, in your view, was the regulatory enforcement regime under NIS1 effective, and does the Bill, as drafted, tackle those challenges? Secondly, could you explain how information sharing and analysis centres improve cyber-resilience in the sectors in which they currently operate?

Richard Starnes: The question about effectiveness is difficult to answer. There is the apparent effectiveness and the actual effectiveness. The reason I answer in that way is that you have regulators that are operating in environments where they may choose to not publicly disclose how they are regulating; it may be classified due to the nature of the company that was compromised, or who compromised the company. There may not necessarily be a public view of how much of that regulation is actually going on. That is understandable, but it has the natural downside of creating instances where somebody is being taken to task for not doing it correctly, but that is not exposed to the rest of the world. You do not know that it is happening, so the deterrent effect is not there.

Information sharing and analysis centres started in the United States 20 or 25 years ago, when different companies were in the same boat. The first one that I was aware of was the Financial Services ISAC, which comprises large entities—banks, clearing houses and so on—that share intelligence about the types of attacks that they are receiving internationally. They may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them. Those have been relatively good at helping develop defences for those industries.

Dr Spencer

Q Do you think that would be helpful in this context?

Richard Starnes: Yes. We have FS-ISAC operating in the United Kingdom and in Europe, with all the major banks, but if you took this and replicated it on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.

David Chadwick

Q Thank you for joining us. Reporting of several recent cyber-attacks has one thing in common: there were often insufficient security measures in place. British Airways in 2018 is just one example. Reportedly, the average tenure of a chief information security officer is 18 months. From your perspective, what do CISOs need from the Bill to help strengthen their hand when they are saying to a board, “This is what I need to do to keep our organisation secure”?

Richard Starnes: On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.

How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.

Dr Gardner

Q You have answered the question I was about to ask. I may ask an addendum to that, but first I want to clarify something. If you put liability on an individual board member, that is going to cause problems. Do you think that there should be a statutory responsibility for the company to have a board member responsible for cyber-risk, and that the responsibility and accountability should sit at company level?

Richard Starnes: I think this should flow from the board to the C-level executives. Most boards have a risk committee of some sort, and I think the chair of the risk committee would be a natural place for that responsibility to sit, but there has to be somebody who is ultimately responsible. If the board does not take it seriously, the C-levels will not, and if the C-levels will not, the rest of the company will not.

Dr Gardner

Q You mentioned stringent application of the regulatory regime. Could you explain the reasons for the lack of enforcement under the current NIS guidelines? Do you feel that the regulatory regime should be streamlined?

Richard Starnes: That is a very broad question.

Dr Gardner

I know, sorry. I collapsed it down from quite a few.

Richard Starnes: There is any number of different reasons. You have 12 competent authorities, at last count, with varying funding models and access to talent. Those could vary quite a bit, depending on those factors. I am not really sure how to answer that question.

Dr Gardner

Q I am just thinking that if you are putting liability on someone, you need to make sure that they can apply the regulation in a simple and effective manner and ensure that it is enforced, so they do not carry the full burden of liability.

Richard Starnes: True, but I would submit that under the Companies Act that liability is already there for all the directors; it just has not been used that way.

Emily Darlington

Q I note your interest in how the Bill will affect smaller businesses. There is not much detail in the Bill, but how do you think the code of practice could create an environment that lifts everyone’s security up without prescribing too great a burden?

Richard Starnes: You just stepped on one of my soapbox issues. I would like to see the code of practice become part of the annual Companies House registrations for every registered company. To me, this is an attestation that, “We understand cyber-security, we’ve had it put in front of us, and we have to address it in some way.”

One of the biggest problems, which Andy talked about earlier, is that we have all these wonderful things that the Government are doing with regard to cyber-security, down to the micro-level companies, but there are 5.5 million companies in the United Kingdom that are not enterprise-level companies, and the vast majority of them have 25 employees or fewer. How do we get to these people and say, “This is important. You need to look at this”? This is a societal issue. The code of practice and having it registered through Companies House are the way to do that. We need to start small and move big. Only 3% of businesses are involved in Cyber Essentials, which is just that: the essentials. It is the baseline, so we need to start there.

David Chadwick

Q We have heard concerns about definitions, particularly regarding incident reporting. What are your observations on the Bill as it stands, and those definitions?

Richard Starnes: Throughout my career, I have been involved in cyber incidents from just about day one. One of the biggest problems that you run into in the first 72 hours, for example, is actually determining whether you have been breached. Just because it looks bad does not mean it is bad. More times than not, you have had indicators of compromise, and you have gone through the entire chain, which has taken you a day, or maybe two or three days, of very diligent work with very clever people to determine that, no, you have not been breached; it was a false positive that was difficult to track down. Do you want to open the door to a regulator coming in and then finding out it is a false positive?

You are also going to have a very significant problem with the amount of alerts that you get with a 24-hour notification requirement, because there is going to be an air of caution, particularly with new legislation. Everybody and his brother is going to be saying, “We think we’ve got a problem.” Alternatively, if they do not, then you have a different issue.

The Chair

If there are no further questions, I thank our witness for his evidence. I will suspend the Committee for a few minutes because our next witnesses, who will give evidence online, are not ready yet.

15:49

Sitting suspended.

Examination of Witnesses

Brian Miller and Stewart Whyte gave evidence.

15:55
The Chair

We will now hear oral evidence from Brian Miller, head of IT security and compliance, and Stewart Whyte, data protection officer, both from NHS Greater Glasgow and Clyde and joining us online. For this session we have until 4.20 pm. Will the witnesses please introduce themselves for the record?

Brian Miller: Good afternoon, Chair. It is nice to see you all. I am Brian Miller and I head up IT security and compliance at NHS Greater Glasgow and Clyde. It is a privilege to be here, albeit remotely. I have worked at NHS Greater Glasgow and Clyde for four years. Prior to that, I was infrastructure manager at a local authority for 16 years and I spent 10 years at the Ministry of Defence in infrastructure management. I look at the Bill not only through the lens of working with a large health board, but from a personal perspective with a philosophy of “defenders win” across the entire public sector.

Stewart Whyte: Good afternoon, Chair, and everyone. My name is Stewart Whyte and I am the data protection officer at NHS Greater Glasgow and Clyde. I am by no means a cyber-security expert, but hopefully I can provide some insight into the data protection side and how things fit together.

Dr Spencer

Q Thank you for giving evidence to us. I want your help to get my head around what could fall under the Bill’s discretionary power on the designation of critical supply chain entities. Synnovis is used as the exemplar of why such a power is needed. From your perspective in the NHS, what do you think would come into scope? For example, would patient transport or taxis come under scope as critical for the delivery of your services? Would a hospital cleaner come under the scope of a critical supplier if the service was outsourced to a private sector organisation? Would food provision in your hospital come under scope? Would the provision of materials, medicines or medical devices provided by private companies come under scope? Would the provision of IT services—physical computers, not cloud services—come under scope? Would locum agencies come under scope? In fact, would any private provider not come under the scope as critical for the provision of services linked to your organisation’s IT system?

Brian Miller: That is a good question. Some of our colleagues mentioned the follow-up secondary legislation that will help us to identify those kinds of things. I suppose there is no difference from where we are at now. We would look at any provision of services from a risk management perspective and say what security controls apply. For example, would they be critical suppliers in terms of infrastructure and cyber-security? Does a cleaning service hold identifiable data? What are the links? Is it intrinsically linked from a technological perspective?

I mentioned looking at this through a “defenders win” lens. Yes, some of these technologies are covered. I saw some of the conversations earlier about local authorities not being in scope, but services are so intrinsically linked that they can well come into scope. It might well be that some of the suppliers you mentioned fall under the category of critical suppliers, but that might be the case just now. There might be provision of a new service for medical devices, which are a good example because they are unique and different compliance standards apply to them. For anything like that, where we stand just now—outside the Bill—we risk assess it. There is such an intrinsic link. A colleague on another panel mentioned data across the services; that is why Stewart is here alongside me. I look after the IT security element and Stewart looks after the data protection element.

Dr Spencer

Q Presumably, all suppliers are in some way linked to your IT systems to some degree. I know the NHS sometimes uses faxes still, but we do not live in a world where things are done by paper and pen—it is all integrated into IT systems.

Brian Miller: Sometimes, but sometimes not. I do not think we had any physical links with Synnovis, but it did work on our behalf. Emails might have been going back and forward, so although there were no physical connections, it was still important in terms of business email compromise and stuff like that—there was a kind of ancillary risk. Again, when things like that come up, we would look at it: do we have connections with a third party, a trusted partner or a local authority? If we do, what information do we send them and what information do we receive?

Chris Vince

Q Thank you for joining us remotely from Scotland. I have a question for Stewart about data protection. In my Harlow constituency we have just got a new electronic patient registration scheme; what risks do you see in the increased use of technology like that in the NHS? Does the Bill help to address some of the risks?

Stewart Whyte: Anything that increases or improves our processes in the NHS for a lot of the procured services that we take in, and anything that is going to strengthen the framework between the health board or health service and the suppliers, is welcome for me. One of our problems in the NHS is that the systems we put in are becoming more and more complex. Being able to risk assess them against a particular framework would certainly help from our perspective. A lot of our suppliers, and a lot of our systems and processes, are procured from elsewhere, so we are looking for anything at all within the health service that will improve the process and the links with third party service providers.

Dr Gardner

Q I am interested in who you report to should you identify a cyber-incident. I am talking about not just data breaches but wider ones that can affect operational systems. Which regulators do you deal with? If it is multiple regulators, do you feel there is a case for having one distinct regulator to cover cyber-resilience and manage that quite difficult landscape?

Brian Miller: That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.

Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?

Stewart Whyte: We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.

From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.

Lincoln Jopp

Q To come back to Dr Spencer’s original question about the scope of the legislation, the current situation, as I understand it, is that there is a carve-out for small and medium-sized enterprises because we do not want to put too much regulatory burden on them, but, under the new proposed legislation, operators of essential services that are SMEs will be designated by their regulator. That brings us back to the question of which regulator that would be. Do you currently use that designation for operators of essential services, or would you have to do a piece of work, presumably looking at a number of different regulators’ points of view, to designate the operators of essential services?

Brian Miller: We would work with the Scottish Health Competent Authority as our regulator; I cannot speak for other regulators and what that might look like. We are doing work on what assurance for critical suppliers outside the Bill looks like just now, and we are working across the boards in Scotland on identifying critical suppliers. Outside of that, for any suppliers or any new services, we will assess the risk individually, based on the services they are providing.

The Bill is really valuable for me, particularly when it comes to managed service provision. One of the questions I was looking at is: what has changed since 2018? The biggest change for me is that identity has gone to the cloud, because of video conferencing and stuff like that. When identity went to the cloud, it then involved managed service providers and data centres. We have put additional controls around that, because the network perimeter extended out into the cloud. We might want to take advantage of those controls for new things that come online, integrating with national identity, but we need to be assured that the companies integrating with national identity are safe. For me, the Bill will be a terrific bit of legislation that will help me with that—if that makes sense.

Lincoln Jopp

Q I want to make sure I have understood exactly. Is the regulator going to tell you who your operators of essential services are, or are you going to tell the regulator?

Brian Miller: I think we would work with the regulator, but we are looking for more detail in any secondary legislation that comes along. We have read what the designation of critical suppliers would be. I would look to work with the Scottish Health Competent Authority and colleagues in National Services Scotland on what that would look like.

Stewart Whyte: On how we would make that decision, from our perspective we are looking at what the supplier is providing and what sort of data they are processing on our behalf. From the NHS perspective, 90% of the data that we process will be special category, very sensitive information. It could be that, from our side, a lot of the people in the supply chain would fall into that designation, but for some other sectors it might not be so critical. We have a unique challenge in the NHS because of the service we provide, the effect that cyber-crime would have on our organisations, and the sensitivity of the data we process.

Dr Spencer

Q Your evidence is really helpful. To help with my understanding, if you look across all the suppliers in your service, are there any that you would not consider to be critical, such that if you clicked your fingers now and one of them disappeared, it would not have a material impact on your ability to maintain patient safety and deliver healthcare? Irrespective of the debate about size, what suppliers do you not determine to be critical?

Stewart Whyte: For me, it would be a slightly different assessment from Brian’s. We would be looking at anything where there is no processing of personal data. For me, that would not be a critical supplier from a data protection perspective. But there might be some other integration with NHS board systems that Brian might have concerns about. There is a crossover in terms of what we do, but my role is to look at how we manage data within the NHS. If there are suppliers where there is no involvement with identifiable data of either staff or patients, I would not see them as a critical supplier under this piece of legislation.

Lincoln Jopp

Q Brian, from your side, what about, say, PPE, gloves or blood? There must be other things that are non-data that are, nevertheless, essential services.

Brian Miller: I do not want to step out of my lane. There will be clinical stuff that absolutely would be essential. I would not be able to speak in any depth on that part of it; I purely look at the cyber element of it. As an organisation, we would be identifying those kinds of aspects.

In terms of suppliers, you are absolutely right. We have suppliers that supply some sort of IT services to us. If we are procuring anything, we will do a risk assessment—that might be a basic risk assessment because it is relatively low risk, it might be a rapid risk assessment, or it may be a really in-depth assessment for someone that would be a critical supplier or we could deem essential—but there are absolutely suppliers that would not fall under any of those criteria for the board. The board is large in scale, with 40,000 users. It is the largest health board in the country.

Dr Spencer

Q Do you have integration with your local primary care IT systems? For example, GPs have the old EMIS system and so on; is that integrated into your network? From your perspective, would that be a critical supplier that would need to be regulated?

Stewart Whyte: Yes. There is a lot of information sharing between acute services and primary care via integrated systems. We send discharge letters and information directly to GP practices that then goes straight into the patient record with the GP. There is a lot of integration there, yes.

Dr Spencer

Q Does that also exist for local government? Does adult social care and so on have that integration too?

Stewart Whyte: Yes, there is integration between ourselves and the local authorities.

The Chair

If there are no further questions from Members, I thank witnesses for their evidence. We will move on to the next panel.

Examination of Witnesses

Chris Parker MBE and Carla Baker gave evidence.

16:17
The Chair

We will now hear oral evidence from Chris Parker, director of government strategy at Fortinet and co-chair of the UK cyber resilience committee at techUK, and Carla Baker, senior director of government affairs in the UK and Ireland at Palo Alto Networks. For this session, we have until 4.50 pm.

Dr Spencer

Q Thanks for coming to give evidence this afternoon. I have two questions—one for each of you. Chris, from Fortinet’s perspective, what more do you think the Government can do to support SMEs to improve their cyber-resilience, while at the same time ensuring that the burden of regulation remains proportionate, particularly on smaller companies?

Carla, from the Palo Alto Networks perspective, what are your views on the changes to the incident reporting regime under the Bill? Will the approach help or hinder regulators in identifying and responding to the most serious threats quickly?

Chris Parker: I should point out that Carla is also co-chair of the cyber resilience committee, so you have both co-chairs here today.

As large cyber companies, we are very proud of one thing that is pertinent to the sector that may not be clear to everybody outside. I have worked in many sectors, and this is the most collaborative—most of it unseen—and sharing sector in the world. It has to be, because cyber does not respect borders. When we go to the most vulnerable organisations, which one would expect cannot afford things and therefore there must be a function of price, such as SMEs—I was an SME owner in a previous life—that is very dear to us. With the technology that is available, what is really good news is that when people buy cyber-security for their small business—in the UK or anywhere in the world—they are actually buying the same technology; it is effectively just a different engine size in most cases. There are different phases of technology. There is the latest stuff that is coming in, which they may not be getting into yet. However, the first thing to say is that it is a very fair system, and pricing-wise, it is a very fair system indeed for SMEs.

The second point is about making sure we are aware of the amount of free training going on across the world, and most of the vendors—the manufacturers—do that. Fortinet has a huge system of free training available for all people. What does that give? It is not just technical training for cyber-security staff; it is for ordinary people, including administrative workers and the people who are sometimes the ones who let the bad actor in. There are a lot of efforts. There is a human factor, as well as technological and commercial factors.

The other thing I would like to mention is that the cyber resilience committee, which Carla and I are lucky to co-chair, is elected. We have elected quite a large proportion of SME members. There is also a separate committee run by techUK. You heard from Stuart McKean earlier today, and he is one of the co-chairs, or the vice chair, of that committee.

Carla Baker: On incident reporting, as I am sure you are aware, the Bill states that organisations must report an incident if it is

“likely to have an impact”.

Our view, and I think that of techUK, is that the definition is far too broad. Anything that is likely to cause an impact could be a phishing email that an organisation has received. Organisations receive lots and lots of spoof emails.

I will give an example. Palo Alto Networks is one of the largest pure-play cyber-security companies. Our security operations centre—the hub of our organisation—processes something like 90 billion alerts a day. That is just our organisation. Through analysis and automation, the number is whittled down to just over 20,000. Then, through technology and capabilities, it is further whittled down, so that we are analysing about 75 alerts.

You can equate it to a car, for example. If you are driving and see a flashing yellow light, something is wrong. That is like 20,000 alerts. It is then whittled down to about 75, so we would potentially have to report up to 75 incidents per day, and that is just one organisation. There are a lot more. The burden on the regulator would be massive because there would be a lot of noise. It would struggle to ascertain what is the real problem—the high-risk incidents that impact the UK as a whole—and the noise would get in the way of that.

We have come up with a suggestion, an amendment to the legislation, that would involve a more tiered approach. There would be a more measurable and proportionate reporting threshold, with three tiers. The first is an incident that causes material service disruption, affecting a core service, a critical customer or a significant portion of users. The second is unauthorised, persistent access to a system. The third is an incident that has compromised core security controls—that is, security systems. Having a threshold that is measurable and proportionate is easier for organisations to understand than referring to an incident that is

“likely to have an impact”,

because, as I said, a phishing email is likely to cause an impact if an organisation does not have the right security measures in place.

David Chadwick

Q Thank you both for joining us. I have a very broad, open question: what other measures, both legislative and non-legislative, could the UK Government take to enhance the cyber-resilience of the UK’s critical national infrastructure?

Chris Parker: That is an excellent question. The good news is that a lot is happening already. An enormous amount of collaborative effort is going on at the moment. We must also give grace to the fact that it is a very new sector and a new problem, so everybody is going at it. That leads me on to the fact that the UK has a critical role in this, but it is a global problem, and therefore the amount of international collaboration is significant—not only from law enforcement and cyber-security agencies, but from businesses. Of course, our footprints, as big businesses, mean that we are always collaborating and talking to our teams around the world.

In terms of what the UK can do more of, a lot of the things that have to change are a function of two words: culture and harmonisation—harmonisation of standards. It is about trying not to be too concerned about getting everything absolutely right scientifically, which is quite tempting, but to make sure we can harmonise examples of international cyber-standards. It is about going after some commonality and those sorts of things.

I think the UK could have a unique role in driving that, as we have done with other organisations based out of London, such as the International Maritime Organisation for shipping standards. That is an aspiration, but we should all drive towards it. I think it is something the UK could definitely do because of our unique position in looking at multiple jurisdictions. We also have our own responsibilities, not only with the Commonwealth but with other bodies that we are part of, such as the United Nations.

It is not all good news. The challenge is that, as much as we know that harmonisation is okay, unfortunately everyone is moving. Things have started, and everyone is running hot. An important point to make is that it is one of the busiest sectors in the world right now, and everybody is very busy. This comes back to the UK having a particular eye on regulatory load, versus the important part that other elements of our society want, which is growth and economic prosperity. We talked earlier about SMEs. They do not have the capability to cover compliance and regulatory load easily, and we would probably all accept that. We have to be careful when talking about things such as designating critical suppliers.

All of this wraps up into increasing collaboration through public-private partnerships and building trust, so that when the Government and hard-working civil servants want to see which boundaries are right to push and which are not, bodies such as the UK cyber resilience committee, which Carla and I are on, can use those collaborative examples as much as possible.

There is quite a lot there, but something the UK certainly should be pushing to do is culture change, which we know has to be part of it—things have been talked about today by various speakers—as well as the harmonisation of standards.

Carla Baker: I think we are in a really interesting and exciting part of policy development: we have the Bill, and we have recently had the Government cyber action plan, which you may have heard about; and the national cyber action plan is coming in a few months’ time. The Government cyber action plan is internally facing, looking at what the Government need to do to address their resilience. The national cyber action plan is wider and looks at what the UK must do. We are at a really exciting point, with lots of focus and attention on cyber-security.

To address your point, I think there are three overarching things that we should be looking at. First is incentivising organisations, which is part of the Bill and will hopefully be a big part of the national cyber action plan. We must incentivise organisations to do more around cyber-security to improve their security posture. We heard from previous panellists about the threats that are arising, so organisations have to take a step forward.

Secondly, I think the Government should use their purchasing power and their position to start supporting organisations that are doing the right thing and are championing good cyber-security. There is more that the Government can do there. They could use procurement processes to mandate certain security requirements. We know that Cyber Essentials is nearly always on procurement tenders and all those types of things, but more can be done here to embed the need for enhanced security requirements.

Thirdly, I think a previous witness talked about information sharing. There is a bit of a void at the moment around information sharing. The cyber security information sharing partnership was set up, I think, 10 years ago—

Chris Parker: Yes, 10 years ago.

Carla Baker: It was disbanded a couple of months ago, and that has left a massive void. How does industry share intelligence and information about the threats they are seeing? Likewise, how can they receive information about the threat landscape? We have sector-specific things, but there isn’t a global pool, and there is a slight void at the moment.

David Chadwick

Q What about workforce? One thing we have heard today from the regulators is that they are going to have to expand their teams. Reportedly, there are thousands of vacancies across cyber-security, and there is more regulation coming that they will have to comply with. What should the Government be doing to improve and expand the size of the workforce that is available to do all of this work?

Chris Parker: It is a national problem. We have had a lot of discussion on that at the techUK cyber resilience committee. We think it is not just about skills and bunging lots of training at people, because you have to work out cyber as a whole. A very small component of cyber is people at the wonderfully high-tech end, where they are coding and writing software. There are an awful lot of jobs in places out there that a lot of people are just not aware of, and perhaps would therefore not be volunteering or aiming towards it—even at their school. There are lots of jobs in cyber sales, marketing and analysis that do not require a very high level of mathematics, for example. Some of them do not need a very high level of mathematics at all. I think that some awareness needs to be built there.

Personally, I would like to see more championing of the people who are in the sector at the moment. We have some fantastic young men and women in the sector, but we also need to make sure they are able to have chartered status. It is out there, now that we are starting, but it needs to gather pace, because we need to make sure these people are represented and feel professional, so that it can be reflected.

Another thing to mention is that there is a lot of effort in the cyber growth partnership, which is run through DSIT and techUK. It is initiating an idea where people will be lent from industry into academia, to offer inspiration but also to improve lecture quality and standards, because things move fast and we are running so hot. It is very hard for academia to keep up. There is quite a lot that can be done to increase the workforce and skills, but going back to our original points, with greater public-private collaboration and discussion, we will get it absolutely right on focusing on the right places to spend resources.

The Chair

I call Tim Roca.

Tim Roca

Sorry, Chair, I don’t have a question.

The Chair

You don’t? Okay, I call Allison Gardner.

Dr Gardner

Q I have loads. Before I come to the question I was going to ask, I want to pick you up on the worry about information sharing. I have worked across regulators, and they seemed to be really confident about information sharing, but I know that is not always the case. There is some protection of turf, and other Acts might prohibit that information sharing. Could you expand on that area of concern? What would be your recommendation?

Carla Baker: My comment on information sharing was about what else the Government could do. It was not necessarily specifically to do with the Bill. If you want me to elaborate on the wider issue of information sharing, I am happy to.

Dr Gardner

Particularly between regulators, and how that would work.

Carla Baker: I cannot necessarily talk in much detail about information sharing across regulators. It is more about information sharing across the technology industry that I can talk about.

Dr Gardner

Q Okay, I am glad I clarified, because that is quite interesting.

I will ask my actual question, and I am trying to get my head around this. You recommend mandating that company boards be accountable for mitigating cyber-risks, and as we know from the annual cyber-security breaches survey, there are declining levels of board responsibility for cyber in recent years, which links to whether there should be a statutory duty. I am a little worried about small and microbusinesses having to deal with that regulatory burden, especially if they are designated as critical suppliers. I am trying to marry those two things together, and the concern of where liability sits, because we are very dependent on service providers. I do not know if that makes any sense to you, but could you clarify my thinking?

Chris Parker: It is a concern. I will start off with a small point about where there is a statutory requirement, certainly for large companies. I personally believe—and I am pretty sure that most industry people I speak to would say this—that it would be very surprising if we did not have cyber-focused people on boards and in much bigger governance, as we would in a financial services company, where people who are expert in financial risk are able to govern appropriately. As we get smaller and smaller in scale, that is much harder to do.

The good news is that there are some brilliant—and I really mean that—resources available from probably the most underused website in the world, but the best one, which is the National Cyber Security Centre website. It has some outstanding advice for boards and governance on there. You can effectively make a pack and write a checklist, even if you are a very small company with a board of two people, and go through your own things and make sure your checklists are there.

The data and the capability are there to give support. Whether it is signposted enough, and whether we are helping on a local level, to make sure that people are aware of those things is perhaps something we could do better at in this country. But I am sure that industry will do our part, and we do, to share and reinforce the good sharing of things like that website, to guide good governance for SMEs especially.

Carla Baker: That board-level accountability is really important, and it is crucial for cyber-security. I think it is getting better—from the senior execs that I speak to in industry, there is more understanding—but generally speaking, there is a view that cyber-security is an IT issue, not a business issue. I am sure you have heard throughout the day about understanding the risks we have seen around vulnerabilities, and the incidents that have affected the retail or manufacturing sectors. Those are substantial incidents that have impacted the UK and have systemic knock-on effects. Organisations have to understand the serious nature of cyber-security, and therefore put more emphasis on cyber at the board level.

Should we be mandating board-level governance? That is useful for this debate to seek information and input on, but the burden on SMEs has to be risk-based and proportionate, however it is framed.

Dr Gardner

Q Very quickly—I apologise if I am taking too much time—accountability is slightly different from liability. In the case of a cyber-breach that has caused harm, where would you see the liability lying?

Chris Parker: That is a harder question. There is precedent here—of course, we can think back to the precedents that this great building has set on allowing things such as, post-Clapham train disaster, the Corporate Manslaughter and Corporate Homicide Act 2007 putting it very firmly on boards, evolving from the Health and Safety at Work etc. Act 1974. We are not there yet, but do not forget that we are starting to legislate, as is everyone else in Europe and America who are on this journey.

I believe that we will see a requirement at some point in the future. We all hope that the requirement is not driven by something terrible, but is driven by sensible, wise methodology through which we can find out how we can ensure that people are liable and accept their liability. We have seen statements stood up on health and safety from CEOs at every office in this country, for good reason, and that sort of evolution may well be the next phase.

Carla and I talk about this a lot, but we have to be careful about how much we put into this Bill. We have to get the important bit about critical national infrastructure under way, and then we can address it all collaboratively at the next stage to deal with very important issues such as that.

Lincoln Jopp

Q I want to come back to that point. Chris, you said something like, “SMEs find it very difficult, if not impossible, to bear the regulatory burden, so we have to be very careful when designating SMEs as operators of essential services.” To me, that says that you think the Bill, as currently drafted, will place too much of a regulatory burden on SMEs. Is that correct?

Chris Parker: I was referring to strategic and critical suppliers, which is a list of Government suppliers. We are advocating that the level of governance and regulatory requirement inside an organisation is difficult, and it really is. It requires quite a lot of work and resource, and if we are putting that on to too small a supplier, on the basis that we think it is on the critical path, I would advocate a different system for risk management of that organisation, rather than it being in the regulatory scope of a cyber-resilience Bill. The critical suppliers should be the larger companies. If we start that way in legislation and then work down—the Bill is designed to be flexible, which is excellent—we can try to get that way.

As a last point on flexibility—this is perhaps very obvious to us but less so to people who are less aware of the Bill—there is a huge dynamic going on here where you have a continuum, a line, at one end of which you have the need for clarity, which comes from business. At the other you have a need for flexibility, which quite rightly comes from the Government, who want to adjust and adapt quite quickly to secure the population, society and the economy against a changing threat. That continuum has an opposing dynamic, so the CRB has a big challenge. We must therefore not be too hard on ourselves in finding exactly where to be on that line. Some things will go well, and some will just need to be looked at after a few years of practice—I really believe that. We are not going to get it all right, because of the complexities and different dynamics along that line.

Carla Baker: This debate about whether SMEs should be involved or regulated in this space has been around since we were discussing GDPR back in 2018. It comes down to the systemic nature of the supplier. You can look at the designation of critical dependencies. I am sure you have talked about this, but for example, an SME software company selling to an energy company could be deemed a critical supplier by a regulator, and it is then brought into scope. However, I think it should be the SMEs that are relevant to the whole sector, not just to one organisation. If they are systemic and integral to a number of different sectors, or a number of different organisations within a sector, it is fair enough that they are potentially brought into scope.

It is that risk-based approach again. But if it is just one supplier, one SME, that is selling to one energy company up in the north of England, is it risk-based and proportionate that they are brought into scope? I think that is debatable.

Andrew Cooper (Mid Cheshire) (Lab)

Q Carla, I want to come back on the potential for unnecessary over-reporting of incidents. I cannot speak for the Minister, but I am sure it is not his intention that every phishing email is reported. I was listening carefully to what you said about your proposed tiered approach, and I can imagine, say, a situation where you are United Utilities and you intercept somebody trying to put a pre-emptive virus on to one of your industrial control systems. There has been no impact on customers or your infrastructure, because you have caught it. However, I would argue that it is quite important that United Utilities share that information with the regulator and that that information is disseminated to Severn Trent, Thames Water and whoever else needs to know, so they can patch their systems, look out for the virus or find out whether they have been infected already.

I can imagine that the legislation has been worded as it is to try to capture that situation where activity might occur, but not have an impact. Would you accept that that is important, and how would that fit in with the tiered approach that you described?

Carla Baker: I completely get your point. We have looked at that; my legal colleagues have looked at things such as spyware, where you have malware in the system that is not doing anything but is living there, for example, or pre-emptive, where they are waiting to launch an attack, and we think this amendment would still cover those scenarios. It is not necessarily cause and impact: the lights have not gone out, but if there is, for example, a nation state actor in your network, we think the amendment would still cover that.

Dr Spencer

Q I would also like to ask some questions on this definition of critical supplier. I know you will have heard the questions I had for the other panel. Is there a danger, in the way this Bill is approaching definitions of critical suppliers, that a supplier may end up being deemed critical solely by virtue of supplying to a critical industry, rather than the criticality of that particular supplier in the ecosystem?

Chris Parker: Yes, absolutely.

Carla Baker: Yes, completely. That is similar to my point, which was probably not explained well enough: how you are deemed critical should be more about your criticality to the entire ecosystem, not just to one organisation.

Dr Spencer

Q Notwithstanding other components to the criteria one may seek to use or will use, is there a danger that—although this is clearly not the intention in the drafting—through the back door, our entire economy ends up being in scope of this Bill?

Carla Baker: I think that is part of the issue about not having clear criteria about how regulators will designate. That also means that different regulators will take different approaches, so we would welcome more clarity and early consultation around the criteria that will be used for the regulators to designate a critical dependency, which prevents having different regulatory approaches across the 12 different regulators, which we obviously do not want, and gives greater harmonisation and greater clarity for organisations to know, “Okay, I might be brought in, because those are the clear criteria the Government will be using.”

David Chadwick

Q This feels like quite a big issue to be flagging up quite late in the day. In terms of the legislative process, do you think there has been a good enough consultation process between Government and business?

Chris Parker: The consultation has been a best effort and I think it is a best effort as a function of three things. First, we have a new sector, a new Bill—something very new, it is not repeating something. Secondly, we are doing something at pace, it is a moving target, we have to get on with this, and so there is some compulsion involved. Thirdly, there are already some collaborative areas set up, such as techUK, that have been used. Would I personally have liked to have seen more? Yes—but I am realistic about how much time is needed; when you only have a certain resource, some people have got to do some writing and crafting as well as discussing.

One thing that we could look at, if we did the process again, would be more modelling, exercising and testing the Bill until it shakes a bit more—that is something that perhaps we could do, if we were to do this again. With the Telecommunications (Security) Act 2021, that was done at length and collaboratively with industry, on a nearly fortnightly basis, for some time. Beyond that, I think that we are realistic in industry because we understand the pressures on the people trying to bring legislation in. A second point to remember is that we are all volunteers. Carla and I, and all those on the Cyber Resilience Committee, volunteer away from our day jobs—which are busy—to do all this. There is a realistic expectation, if you like—but I would say there has been a best effort.

Carla Baker: I would like to look to the future. We have all the secondary legislation that is coming—and there will be a lot—so we recommend early insights, and time to review and consult, in order to provide that industry insight that we are happy to provide. Let us look to the secondary legislation and hope that there is good consultation there.

The Chair

If there are no further questions from Members, I will thank the witnesses for their evidence. We will now move on to our final panel.

Examination of Witness

Kanishka Narayan MP gave evidence.

16:46
The Chair

We will now hear oral evidence from the Minister for AI and Online Safety, Kanishka Narayan. For this session, we have until 5.10 pm.

Dr Spencer

Q Thank you, Minister, for giving evidence this afternoon. I have a couple of questions. The first is about the definitions in the Bill, whether of MSPs or otherwise. All day long we have heard from representatives of different sectors of the industry, and pretty much everyone has talked about the importance of consultation on the definitions and when they are applied in secondary legislation. A certain amount of that stuff will be in primary legislation, so what consultation have you had with industry in setting up the definitions in the Bill in the first place?

Kanishka Narayan: Thank you for the question on definitions. I have two things to say on that. First, observing the evidence today, it is interesting that there are views in both directions on pretty much every definitional question. For example, on the definition of “incident thresholds”, I heard an expert witness at the outset of the day say that it is in exactly the right place, precisely because it adds incidents that have the capability to have an impact, even if not a directness of impact, to cover pre-positioning threats. A subsequent witness said that they felt that that precise definitional point made it not a fitting definition. The starting point is that there is a particular intent behind the definitions used in the Bill, and I am looking forward to going through it clause by clause, but I am glad that some of those tensions have been surfaced.

Secondly, in answer to your question on consultation, a number of the particular priority measures in the Bill were also consulted on under the previous Government. We have been engaging with industry and, in the course of implementation, the team has started setting up engagement with regulators and a whole programme of engagement with industry as well.

Dr Spencer

Q Thank you, Minister, but I am not sure that you answered my question. What engagement have you had in terms of consulting with industry in setting those definitions?

Kanishka Narayan: I have met a number of companies, but the relevant Minister has also had extensive engagement with both companies and regulators, including on the question of definitions. I do not have a record of her meetings, but if that is of interest, I would be very happy to follow up on it.

Dr Spencer

Q I assume that you are referring to the previous Minister, who you took over from?

Kanishka Narayan: I am referring to the Minister for Digital Economy, who is in the other place.

Dr Spencer

Q Do you not think that, as the Minister taking this through the Commons, you should have also had some of those meetings and consultations?

Kanishka Narayan: I have had some meetings but, as the Minister in charge of this Bill, she has been very engaged with businesses, so I think that is fitting. We have obviously worked very closely together, as we normally do, in the course of co-ordinating across the two Chambers.

Dr Spencer

Q What conversations have you had with the Secretary of State regarding guardrails on the extensive powers in this Bill that were referred to earlier?

Kanishka Narayan: I have spoken to the Secretary of State about the Bill, including the reserve powers, and we have agreed that the policy objective is very clear. I do not think I am in a position to divulge particular details of policy discussions that we have had; I do not think that would be either appropriate or a fitting test of my memory.

Dr Spencer

Q Do you think there is a potential need for guardrails?

Kanishka Narayan: I think the guardrails in the Bill are very important, absolutely. The Bill provides that, where there is an impact on organisations or regulators, there is an appropriate requirement for both deep consultation and an affirmative motion of the House. I think that is exactly where it ought to be, and I do not think anything short of that would be acceptable.

Chris Vince

Q Thank you for your time, Minister. Listening to the evidence and looking at the Bill, what strikes me is that this is about a balance between the importance of flexibility—particularly given the increase in threat and the complexity of the issues we face—and businesses wanting certainty. Do you feel confident that the Bill strikes that balance, and how have you sought to ensure that it does?

Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.

On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.

Bradley Thomas

Q Would the cyber-attacks on JLR and M&S that took place last year be in the scope of this Bill?

Kanishka Narayan: I am shy of making comments on specific incidents, but as a broad brush, clearly the food supply or automotive manufacturing sectors are not directly in scope of the Bill, for reasons I am very much happy to discuss.

Bradley Thomas

Q Do you think they should be within scope?

Kanishka Narayan: Let me place the focus of this Bill in the global context. As we have heard, there is a range of legislative as well as non-legislative measures on cyber-security. It is deeply important that every organisation, whether in scope of the Bill or not, acts robustly, and we will look at that, not least through the cyber action plan, which I know industry welcomed earlier today and which we are looking forward to publishing very soon.

The particular focus of this Bill is on essential services, the disruption of which would pose an imminent threat—for example, to life and to our economy—in the immediate context. For reasons that we can dive into, if you look at a market such as food supply, the diversity, competitive nature and alternative provision in that market are so obvious that to designate it as fitting the definitional scope I have just highlighted would not be an evidence-led way of engaging.

Bradley Thomas

Q But would you like to see a Bill that goes further and has broader scope?

Kanishka Narayan: As I have said, this legislative vehicle is focused on really high standards of rigour for essential services. I am very keen to ensure that, in the first instance, we are engaging with those companies through the cyber action plan and the National Cyber Security Centre’s framework and to ensure that, as a consequence of those, they are in a robust place.

Bradley Thomas

Q With regard to skills, given the acute shortage and the growth of this industry, what do you propose to ensure that the public sector is adequately resourced, given what will undoubtedly be a very lucrative private sector appeal for that talent?

Kanishka Narayan: This is a great question. There are two things on my mind. One is that the Government have published a cyber action plan, the crux of which is to make sure that, from the point of view of understanding, principles, accountability and, ultimately, skills, there is significant capability in the public sector. The second thing to say is that we have a very broad-based plan on skills more generally across the cyber sector, public and private. For example, I am really proud of the fact that, through the CyberFirst programme, some—I think—415,000 students right across the country have been upskilled in cyber-security. It is deeply important that the public sector ensures that we are standing up to the test of hiring them and making the attraction of the sector clear to them as well. There is a broad-based plan and a specific one for the public sector in the Government context.

Tim Roca

Q The Committee heard this morning about the public sector’s level of technical debt. This Bill is important in terms of safeguarding essential services, but we heard that an important factor—notwithstanding this Bill—is tackling the enormous number of legacy systems. How do you see us running the two in parallel?

Kanishka Narayan: That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.

The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.

Lincoln Jopp

Q Going back to our conversation with the head of IT security and compliance at NHS Greater Glasgow and Clyde and what could be designated an operator of essential services, and our subsequent conversation with Palo Alto, how do you envision that bit of the Bill working? Taking Glasgow as an example, while neither of us are doctors, we both broadly know what happens in hospitals—and there is also a doctor sitting to my right on the Committee, should we need one. On the example that I gave, given what is written in the Bill, how do you think it should work?

Kanishka Narayan: Do you mean operators of essential services, or critical suppliers, as in the third party element?

Lincoln Jopp

I meant operators of essential services.

Kanishka Narayan: The Bill effectively specifies operators of essential services as large participants in the essential services sectors. I think that that definition is very straightforward. The hospital in this question would be an operator of an essential service. If the question extends to critical third party suppliers—

Lincoln Jopp

Q Sorry, I misspoke. I mean an SME that is deemed a critical supplier. Who is going to deem them so? Which of the many regulators at play in that hospital is going to decide who is a critical supplier?

Kanishka Narayan: There are two things to say on this. There is at least a four-step test on the face of the Bill for what would qualify as a critical supplier. First, a critical supplier has to supply to an operator of an essential service, in this case the hospital. Secondly, the supplier itself must engage with important network and information systems. Thirdly, the disruption to that third party supplier would have to cause a material disruption to the operator in question—in this case, if the third party supplier falls over from a cyber-security point of view, there would be material and business continuity disruption to the hospital. Fourthly, not only that, but that disruption would have to be sufficiently severe in its impact to be in scope. That is one set of things. Underlying that is a further test in the Bill, whereby alternative provision of that third party supply could not be secured in a practicable way. The combination of those tests means that the scope set out for the critical third party suppliers is extremely tight and robust.

Then there is still the question, having gone through that five-step test, of the particular burden placed on relevant suppliers in scope. My expectation and hope would be that regulators take a much more proportionate approach there than to set the precise same conditions on those suppliers as they do on the operator in question; in particular, that the burden on them is placed specifically in sight of the directional risk that they pose to the operator, rather than the risk in sum for that third party supplier.

The first thing is therefore that the Bill clearly specifies a very tight scope. The second is that it does not seem to me, as a relative novice to both the medical world and cyber-security, unusual to have a specification of this nature in a Bill. Given my professional context, I am particularly conscious of the very clear and critical third party comparable requirement in the Financial Services and Markets Act 2000, which focuses on both cyber-security and supply chain risks. That has worked relatively proficiently in that context, so I hope that there are some good lessons to learn from that.

Lincoln Jopp

Q That is a very clear answer on the steps that have to be followed. Do you envisage that each regulator in, for example, the NHS Greater Glasgow and Clyde will follow the steps from their perspective? The first one might produce 20 SMEs that need to be in scope, and the next one might produce another 20, and so on. There might be a bit of overlap. Is that the way it is meant to work, or are all the regulators meant to get together and say that they have looked at it holistically, done the step test, and now have the answer?

Kanishka Narayan: The way in which I would envisage it is that each individual regulator assesses the critical nature of the risk posed to its regulated operators. If a hospital has a third party supplier, and the presence and nature of its supply means that there is a critical risk exposure for the hospital, that would be in scope for some degree of regulation in the Bill. To your question, if there is a comparable but separate hospital in a part of England that is separately regulated, but has the same third party supplier, there is obviously a question of whether that third party supplier would end up being regulated twice if the criticality threshold is met. In that instance, and in other similar instances of multiple regulators covering the same third party supplier, I would expect a high degree of co-ordination. In fact, the provisions in the Bill, as well as my hopes for subsequent guidance, are focused on our efficiency and proportionality when there are multiple regulators. However, I think the assessment has to be undertaken by each regulator on a separate basis, because the question being assessed is not the nature, the sum risk, of the third party supplier in itself, but the risk posed by its relationship to the operator it is providing to—if that makes sense.

Lincoln Jopp

Q To be very clear, the three regulators we had here today were the Information Commissioner, Ofgem and Ofcom. If they thought that they had a locus because of something that that hospital did, all three would do the step test, they would come up with their bucket of SMEs that they wanted to bring into scope, and those would be added together and that would be the impact.

Kanishka Narayan: Yes, I guess, added together in the sense that they would be separately regulated, but they would all come within the scope of the regulations. Where there is an overlap in the party being regulated, my hope is that the Bill provides for individual regulation, but is very much open to the prospect of a lead regulator engaging in a softer way with the other regulators, as long as each regulator feels that that has assured them of the risk.

Andrew Cooper

Q We have heard evidence today about the appropriateness of individual sectoral regulators being responsible for this, versus a single regulator. Perhaps unsurprisingly, the sectoral regulators were in favour of a sectoral approach, and we heard differing views from other people. The hon. Member for Bromsgrove already covered the point about whether there are sufficient skills available to staff up all the sectoral regulators to the appropriate level to adequately cover this function.

We have heard quite a bit about how important it will be, if taking a sectoral approach, to make sure that sharing information between regulators works smoothly, and that there are no information silos. The witness from Ofcom talked about an annual report to the National Cyber Security Centre. That sent chills down my spine, though I am sure she did not mean it quite in that way. How will you ensure that there is an adequate flow of information between regulators in a timely manner? They might not realise that there is cross-sectoral relevance, but when that information is provided to another regulator, it might turn out that there is. How do you address the importance of a single point of reporting that we heard about time and again from witnesses today?

Kanishka Narayan: Those are really important points. In terms of supporting the quality, frequency and depth of information sharing, first, the Bill provides the legal possibility of doing that in a deeper way. It gives the permission and the ability to do that across regulators.

Secondly, in the light of the implicit expectation of that information sharing, the National Cyber Security Centre already brings together all the relevant regulators for deeper conversation and engagement on areas of overlap, best practice sharing, and particularly the sharing of information related to incidents and wider risk as a result. I hope that will continue to be systematic.

On the question of a single reporting avenue, the National Cyber Security Centre, from an incident and operational point of view, is clearly the primary and appropriate location during the implementation of the Bill. From my conversations with the centre and its conversations with the regulators, I know there has been engagement to ensure that it remains a prompt venue for regulators to feed in their information.

Andrew Cooper

Q With respect, Minister, that sounds like quite a lot of, “This is what I hope will happen and this is what I wish to happen.” How will you mandate that it happens? Does there need to be something in the legislation to ensure that there is a duty of candour between regulators?

Kanishka Narayan: The Bill currently says, “We are now giving you the power to be able to do information sharing.” The Bill, as well as other specific bits of wider legislation, has clear expectations on regulators to carry out their regulatory duty. If there appears to be a challenge in the frequency and quality of information sharing, we will of course look at whether we need to go further, but at the moment, giving them substantive permission and the fact that they have clear regulatory responsibilities individually is a very powerful combination.

The Chair

I think this might be the last question to the Minister.

David Chadwick

Q I have two questions. Why have electoral services provided by local authorities not been considered as critical infrastructure?

Kanishka Narayan: As I mentioned at the outset, the scope of the sectors is focused on a specific test: are they essential services, the disruption to which could cause an immediate threat to life or have an extremely significant impact on the day-to-day functioning of the country? I do not mean to diminish the significance of electoral services, but, notwithstanding their significant impact on me as a candidate on election day, the test does not appear to be met.

David Chadwick

Q Got it. The other question is about board-level responsibility. Numerous witnesses said that they would like to see more on board-level responsibility and people working within organisations, particularly chief information security officers, to strengthen their hands and make sure cyber-security measures are in place. What is your response to that?

Kanishka Narayan: It is absolutely critical that boards take their responsibilities to the organisation and the consequences of being in a regulated sector very seriously. The scope of the Bill has been mentioned. The Secretary of State wrote to FTSE 350 businesses, as well as a range of small businesses, to make that point very clear. The cyber assessment framework has particular requirements for boards to take their cyber-security responsibilities seriously. In the course of implementing the Bill and in the secondary legislation process, we will look to ensure that specified security and resilience activities, including the possibility of specific responsibilities, are set out very clearly.

The Chair

Dr Allison Gardner, you have two minutes.

Dr Gardner

Q I will be quick. Much of my question was already asked. I will just say that proportionality is a known principle within regulation and I take that into account. I want to push on an issue that was raised. When you are dealing with different regulators with a cross-regulatory theme, you often get conflicting guidelines. It is a big headache for people. Again, you get the gaps and the duplication. To ensure my understanding, who will oversee making sure that the regulators align with each other to make it easier for people working within the sectors? Otherwise, they will go to one regulator and it will say one thing, and another will say another thing.

Kanishka Narayan: It is an important point. We know that the quality of current regulation for cyber-security varies across regulators. As an earlier panellist said, there is virtue in the fact that we have not set an effective cap on where regulators can go by having a single standard. At the same time, we need to make sure that we are raising a consistent floor of quality and proportionality judgments.

First, there is obviously constant oversight of each regulator through the lead Departments. In my case, for example, we consistently engage with Ofcom on a range of areas, including this one, to ensure the quality of regulation and that proportionality judgment is appropriately applied. Secondly, there is a clear commitment in the Bill for the Secretary of State to report back, on a five-year basis, on the overall implementation of the regime proposed in the Bill. That will be when we can get a global view of how the whole system is working.

The Chair

That brings us to the end of the time allotted for the Committee to ask questions, and to the end of the sitting. On behalf of the Committee, I thank the Minister for his evidence.

Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)

17:10
Adjourned till Thursday 5 February at half-past Eleven o’clock.
Written evidence reported to the House
CSRB01A Rob Newby (on the Energy sector)
CSRB01B Rob Newby (on the Retail sector)
CSRB02 Rik Ferguson
CSRB03 Fortaegis
CSRB04 Open Rights Group
CSRB05 ISACA
CSRB06 UK Cyber Security Council (UK CSC)
CSRB07 Richard Holland
CSRB08 Institution of Engineering and Technology (IET)
CSRB09 PauseAI UK
CSRB10 ISC2
CSRB11 Doctors Lam and Seifert
CSRB12 Zurich UK
CSRB13 Philip Virgo
CSRB14 UK Finance
CSRB15 Cybersecurity Business Network
CSRB16 Liberty and Privacy Internationals
CSRB17 iProov
CSRB18 CyberUp Campaign
CSRB19 Infoblox
CSRB20 Natural Gas

Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)

The Committee consisted of the following Members:
Chairs: Emma Lewell, Esther McVey, Dr Andrew Murrison, † Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
† Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
† Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
MacNae, Andy (Rossendale and Darwen) (Lab)
Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty's Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
† Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Public Bill Committee
Thursday 5 February 2026
(Morning)
[Graham Stringer in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
11:30
The Chair

Good morning, everyone. Will you please ensure that all electronic devices are turned off or switched to silent mode? This morning, we begin line-by-line consideration of the Bill. The selection and grouping list for today’s sitting is available in the room and on the parliamentary website; it shows how the clauses, schedules and selected amendments have been grouped for debate.

I remind Members that the Member who has put their name to the lead amendment in a group is called to speak first. In the case of a stand part debate, the Minister will be called to speak first. Other Members will then be free to indicate they wish to speak by bobbing or catching my eye. At the end of a debate on a group of amendments or new clauses, I shall again call the Member who moved the lead amendment or new clause. Before they sit down, they will need to indicate whether they wish to withdraw the amendment or seek a decision. If any Member wishes to press to a vote any other amendments in a group, they need to let me know. That includes grouped new clauses.

The order of decisions will follow the order in which amendments appear on the amendment paper. Any decisions on new clauses will be taken at the end of proceedings on the Bill, after decisions have been taken on all amendments and clauses of the Bill. I shall use my discretion to decide whether to allow a separate stand part debate on individual clauses and schedules following debate on the relevant amendments. I hope that that is helpful.

There is one more point that is not in my script: there are three members of the Committee who have hearing impairments, so it would be helpful if hon. Members could articulate as clearly as possible.

Are there any declarations of interest?

Chris Vince (Harlow) (Lab/Co-op)

I declare an interest: my father-in-law is a professor of cyber-security at City St George’s, University of London. Also, Kao Data has a large data centre in my constituency.

The Chair

Thank you.

Clause 1

Meaning of “the NIS Regulations”

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clause 2 stand part.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

It is a pleasure to see you in the Chair, Mr Stringer. The Bill will make crucial updates that build on the NIS regulations, which are the UK’s only cross-sector cyber-security regulations. As clause 1 sets out, “NIS regulations” refers to the Network and Information Systems Regulations 2018 (S.I., 2018, No. 506).

Clause 2 gives an overview of the Bill’s parts and what they include. It sets out that part 2 amends the NIS regulations by expanding the scope of the regulations to cover data centres, large load controllers and managed service providers. It also introduces powers for regulators to designate suppliers as being critical for their sector. Part 2 also updates the existing incident-reporting regime and includes provisions relating to the recovery of regulators’ costs, information-gathering and sharing powers, and enforcement powers. Part 3 gives new powers to the Secretary of State to specify other sectors as in scope of the regulations in future, to create new regulations relating to the security and resilience of regulated services, and to issue a code of practice and a statement of strategic priorities. It also requires the Secretary of State to report on this legislation and its implementation. Finally, part 4 gives new national security powers for the Secretary of State to issue directions. I commend the clauses to the Committee.

Ben Spencer Portrait Dr Ben Spencer (Runnymede and Weybridge) (Con)
- Hansard - - - Excerpts

It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.

The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.

Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.

Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.

In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.

Alison Griffiths Portrait Alison Griffiths (Bognor Regis and Littlehampton) (Con)
- Hansard - - - Excerpts

Does my hon. Friend agree that, although we support the intent behind the Bill, clause 2 does a lot of framing work but does not necessarily consider the extensive perimeter that is coming through and how proportionality will be applied in practice? I suggest that the Committee keep that in mind as we move through the detail.

Ben Spencer Portrait Dr Spencer
- Hansard - - - Excerpts

I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.

Chris Vince Portrait Chris Vince
- Hansard - - - Excerpts

The hon. Gentleman is making an interesting speech. I recognise his desire to be constructive on the issue. Will he recognise that this is about finding a balance? We want to include some flexibility in the legislation, because of the ever-changing threat that he mentioned. Equally, we recognise the challenge that SMEs may face in complying with the legislation on data sharing, but it is important that they do so, because not complying will have an impact on their business.

Ben Spencer Portrait Dr Spencer
- Hansard - - - Excerpts

I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.

These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.

Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.

The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.

If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.

Kanishka Narayan Portrait Kanishka Narayan
- Hansard - - - Excerpts

I welcome some of the Opposition spokesperson’s comments. Let me briefly address his questions about definitions and public sector inclusion. It is customary for the Opposition to oppose for the sake of opposition, at times, and I am afraid that this is one of those times; I have so far set out only two clauses, which are effectively an index to the Bill. Notwithstanding that, I will address his two particular points.

I was delighted that in our evidence sessions we heard from witness after witness who appreciated the flexibility of the Bill. For the Government to prescribe activities or incident thresholds in the finest detail in primary legislation is not how businesses, Government and regulators ought to engage. I hope that the Opposition will come to appreciate that in due course.

On critical suppliers, which no doubt we will come on to, I thought that in response to Opposition comments at our second sitting, I set out a very clear, precise set of tests. I found no opposition to that claim, but I look forward to hearing any original thoughts on that question.

On incident reporting, I was delighted that there was a witness who noticed that the extension of the definition of incident reporting, to include incidents capable of having an impact, was appropriate and exactly in the right place.

On the question about the public sector’s inclusion, we are here not to prescribe and wait for a law to tell us what we ought to do in the public sector, but instead to move fast and fix things. In that spirit, the Bill focuses on essential services.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.

Clause 2 ordered to stand part of the Bill.

Clause 3

Identification of Operators of Essential Services

Question proposed, That the clause stand part of the Bill.

11:45
Kanishka Narayan Portrait Kanishka Narayan
- Hansard - - - Excerpts

Clause 3 makes important distinctions as to which organisations can and cannot be considered operators of essential services for the purposes of the NIS regulations. It clarifies that a person—in practice, an organisation or business—can be an operator of an essential service regardless of whether that person is established in the UK, as long as they are providing essential services in the UK. That means that organisations established outside the UK can be regulated under the NIS regulations.

Clause 3 also makes it clear that the NIS regulations do not apply to public electronic communications networks or to public electronic communications services. Those are telecoms operators, which are regulated separately under the Communications Act 2003. The amendments in clause 3 will prevent telecoms companies from being subject to duplicate regulations; they will also ensure that all essential services in the UK are protected, even if the company operating them is based outside the UK. I commend the clause to the Committee.

Ben Spencer Portrait Dr Spencer
- Hansard - - - Excerpts

Clause 3 will amend the relevant provisions of the NIS regulations, stipulating that operators of essential services are within scope of the regulations whether or not they are operating an essential service in the UK, and regardless of jurisdiction in which they are established. Providers of public electronic communications networks and public electronic communications services are excluded from characterisation as operators of essential services, as the Minister says, to avoid duplication with their sector-specific cyber-security regime.

The clause is an important provision to ensure that entities providing essential services in the UK are compliant with domestic standards. Perhaps the most important aspect of the change is ensuring that serious cyber-security risks that appear within the systems of those entities are reported to the UK authorities for action. That is vital for the National Cyber Security Centre to keep abreast of emerging risks and be able to respond to them.

Nevertheless, the complex maze of compliance and regulatory standards across jurisdictions is a growing challenge for businesses of all sizes and particularly for small and medium-sized enterprises. This is also a complicating factor facing UK companies when providing services abroad, particularly in the digital domain. Will the Minister lay out what discussions he has had with industry representatives about easing the complexity of cross-border digital service provision to ensure that the UK is a competitive and attractive place to do business?

Kanishka Narayan Portrait Kanishka Narayan
- Hansard - - - Excerpts

On the question about cross-border compliance and making sure that we have a proportionate and effective regime, we have had a series of engagements at ministerial and official level with representatives of techUK, the industry body. The NCSC has convened a series of organisations—not least managed service providers, but others as well—and there has been a pretty extensive period of consultation on that and every other matter in the Bill.

I feel satisfied that the Bill strikes a good balance in ensuring proportionality in what businesses experience. Critically, as supply chains in this context become increasingly cross-border, it is vital that bodies that may not be resident in the UK but which provide essential services here are included in the scope of the Bill.

Question put and agreed to.

Clause 3 accordingly ordered to stand part of the Bill.

Clause 4

Data centres to be regulated as essential services

Kanishka Narayan Portrait Kanishka Narayan
- Hansard - - - Excerpts

I beg to move amendment 11, in clause 4, page 3, line 5, column 3, leave out from beginning to “the” in line 6.

This amendment and Amendment 12 would remove the Secretary of State for Science, Innovation and Technology as a joint regulator for the data infrastructure subsector, leaving the Office of Communications acting as the sole regulator for that subsector.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Government amendment 12.

Clause stand part.

Clauses 5 and 6 stand part.

Kanishka Narayan Portrait Kanishka Narayan
- Hansard - - - Excerpts

Clause 4 of the Bill amends the NIS regulations by creating a new regulated sector, data infrastructure, and designating the Secretary of State for Science, Innovation and Technology and Ofcom as joint regulators. We have received clear feedback from the data infrastructure sector expressing concerns that a dual regulator model could create unnecessary complexity and limit accountability. Amendments 11 and 12 will remove the Secretary of State for Science, Innovation and Technology as a regulator, leaving Ofcom as the sole regulator, which will streamline the regulatory model for data infrastructure and resolve the concerns raised by stakeholders.

Ofcom already has proven regulatory expertise and is well placed to oversee the new data infrastructure sector effectively. By adopting a single regulator for data infrastructure, the amendments will reduce administrative burden, simplify engagement, and strengthen accountability. This will ensure a clearer, more effective regulatory framework for this rapidly growing sector. 

Clause 4 brings qualifying data centre services into the scope of the NIS regulations, recognising both their vital role in underpinning our economy and public services, and that disruption to them can significantly impact productivity, service delivery, and revenue.

Alison Griffiths Portrait Alison Griffiths
- Hansard - - - Excerpts

Clause 4 relies heavily on capacity as the trigger for regulation. I understand why that is attractive: it is measurable. But capacity is not the same as criticality, and a high-capacity facility used for redundancy can present less systemic risk than a smaller, highly concentrated one. I simply put on record that the way this threshold is applied in practice will matter more than the number itself.

Kanishka Narayan Portrait Kanishka Narayan
- Hansard - - - Excerpts

I thank the hon. Member for that thoughtful point. One assurance I will offer her is that the direct definition of data centres in scope here relies on capacity as a proxy for their essential independent nature, but when data centres below the capacity threshold but high on the criticality threshold are suppliers to essential services, they would be covered in part by the critical suppliers framework in the Bill. I take her point into account.

Bradley Thomas Portrait Bradley Thomas (Bromsgrove) (Con)
- Hansard - - - Excerpts

What consideration has been given to the potential conflict between data centres’ contractual obligation regarding customer confidentiality and mandatory rapid reporting? What assurance can the Minister give us that data centres will ensure that the conflict does not impact their future business?

Kanishka Narayan Portrait Kanishka Narayan
- Hansard - - - Excerpts

In the course of engaging with firms we have considered what the timeline for reporting ought to be. It is critical that the initial notification requirement, which is a much lower requirement than the full notification requirement, at least gives the NCSC and other enforcement authorities the ability to counter national security and wider-impact risks. I believe that specification to be proportionate in the Bill, but it is of course a matter for implementation that we will keep a close eye on.

An attack on a data centre can have significant impacts beyond the facility itself. As data centres underpin digital services across multiple sectors, disruption or compromise can cascade through essential services, businesses and public services. Incidents may also pose national security and economic risks, given the concentration of sensitive and critical data. Bringing qualifying data centre services into scope of the NIS framework helps ensure these risks are managed proportionately and incidents are reported promptly. 

As per Government amendments 11 and 12, we propose that Ofcom is the regulator. Medium and large third-party data centres and very large enterprise centres will be required to manage risks and report to Ofcom. Their thresholds have been carefully calibrated to capture data centres whose disruption could have the greatest impact, while avoiding unnecessary burdens on smaller operators. This will strengthen the cyber-security and resilience of data centres, align with international regulations, and introduce structured oversight, notification, and incident reporting to strengthen national security and economic stability.

Ben Spencer Portrait Dr Spencer
- Hansard - - - Excerpts

Clause 4 amends the NIS regulations to bring data centres that meet certain thresholds within scope of the regs as operators of essential services. As drafted, these data centres will be regulated by DSIT and Ofcom, but the amendments moved by the Minister propose that Ofcom will be the sole regulator for the subsector. I thank him for his explanation of why he has tabled these amendments.

Given the oral evidence from Ofcom and other sector regulators earlier this week regarding the challenges of recruiting skilled cyber-security staff to regulate effectively, what assessment has the Minister made of the additional regulatory burden on Ofcom of this decision and its capacity to secure adequate resources to meet it? Clause 5 extends the scope of the regulations to data centres operated by the Government, with the exception of services provided by or on behalf of intelligence services handling classified information.

Data centre infrastructure is increasingly vital to the UK’s society, economy and security. Data centres underpin nearly all aspects of our digital lives, from sending emails to booking GP appointments or ordering shopping online. Businesses of all sizes routinely process their workloads in the cloud, supported by data centres. For those reasons, data centres were designated as critical national infrastructure—CNI—in 2024.

The UK digital sector, which is heavily reliant on data centres, contributed more than 7% of the UK’s total gross value added in mid-2024, growing almost three times faster than the rest of the economy. Data centres are also critical to the UK’s ambition to become an AI superpower. Training artificial intelligence models relies on access to an abundance of processing capacity, or compute, located in secure data centres.

In October last year, Amazon Web Services experienced a glitch in one of its US data centres, which set off a chain reaction that took down online services across the globe.

Bradley Thomas Portrait Bradley Thomas
- Hansard - - - Excerpts

On the growth of this industry, and with 78% of UK enterprises relying on cloud-based services, 96% of companies expected to use public cloud services, 35% of UK businesses outsourcing IT support and, as of last year, 63% of organisations planning to continue or increase their IT outsourcing over the next 12 months, does my hon. Friend the shadow Minister agree that greater consideration—or at least elaboration—must be given to the vulnerability of the supply chain of large load data centres?

Ben Spencer Portrait Dr Spencer
- Hansard - - - Excerpts

My hon. Friend will be aware that the issue regarding the bottleneck in the supply of cloud computing, in which I put data centres, compute more generally and access to large language models, in our country is very much on my mind, and we have been raising it with the Government. At the moment, I understand that around 70% of cloud services directly procured by the Government are coming from the three big US providers. I hear from UK SMEs—not just cloud providers, but SMEs of all types—all the time about the challenge that they face with Government procurement contracts to procure domestic UK-company services, whether that is central Government or otherwise.

We are getting ourselves into a very difficult situation from a resilience perspective: not only are we currently heavily reliant on US big tech, but we are not doing the work we need to do right now to support a burgeoning UK tech industry. In the UK, we have fantastic universities and businesses. We really are a centre of innovation, but the problem is that companies can really struggle to take the next step forwards.

Of course, Government procurement is not the be-all and end-all—although, depending what sort of sector the company is operating in, it might be—but we are certainly not focusing enough on supporting our SME sector. The sector is really good and strong, and it has the potential to be great, but we still have not had a hyperscaler. We have not seen the expansion in the UK digital and tech sector that, all things considered, given our background and where we stand in terms of our academic and business resources, we really should have seen.

It is a shame on all of us that the attitude I hear from UK SMEs—I can understand it, although I wish it were different, and it needs to be different—is that they come to the UK to get started, but when they want to make some money and go big, they go to the US. In all that we do to support the economy, we need a business-friendly environment. That is critical for UK jobs and resilience, and it is something that we must be very mindful of when it comes to the regulations in the Bill.

Even with regulations that look quite straightforward, such as those on data centres, we have to bear in mind that any regulation we put on business and industry will impose a burden and have a chilling effect. Do not get me wrong: regulations are important when used proportionately and, as the hon. Member for Harlow pointed out, a lot of the Bill is a balancing act, but we need to make sure that we get the balance right. Every regulation is a harm from the outset; it creates a burden on somebody else to do something.

Dave Robertson Portrait Dave Robertson (Lichfield) (Lab)
- Hansard - - - Excerpts

I am taken by the hon. Member saying that every regulation is a harm; I cannot hear that and not intervene. Regulations do place burdens on businesses—that is absolutely a thing, and we all understand that—but we cannot afford to look at regulation as only negative.

The hon. Member is making a very good point about SMEs and their access to markets and funding but, if SMEs want to grow and thrive in the UK, they need access to data centres whose security they can have confidence in. Part of what we talked about in introducing this Bill was ensuring that SMEs can be confident about the regulatory environment that we have in the UK and providing such reassurance to them. Later on, we talked about large load carriers. SMEs rely on electricity and power supply, and making sure that we have the correct regulations in place to give them the security and confidence in the knowledge that the supply will always be there comes back to the regulatory framework.

I am not in any way trying to step away from the hon. Member—he also spoke about the balance of regulation, and I think he is right on that—but to use a sentence such as “regulation is a harm” steps too far from that balance. We need to make sure that we also see the good side to this regulation, in creating the business confidence to allow SMEs to operate in an environment where they can have confidence in their access to data and energy.

None Portrait The Chair
- Hansard -

Order. Interventions should be short and to the point. If any hon. Member wishes to catch my eye, they should not have any difficulty in doing that, but it is important to keep a distinction between interventions and contributions to the debate.

Ben Spencer Portrait Dr Spencer
- Hansard - - - Excerpts

The hon. Member for Lichfield may be aware that my background is in medicine; I used to be a doctor before I came to this place. One of the skills and challenges in medicine is that any medical intervention—apart from a small handful—always has a risk of harm or side effects to the patient. It is always a balancing act between the harm and the benefit. My bread and butter before I came to this place was balancing harms and risks in the best interests of the person in front of me.

Although I have never been a businessperson, and I have certainly never owned or run a data centre, my approach to business burdens is to see the extra things that the Government make businesses do—which are not necessarily what businesses would normally do or see as in their direct interests—as a prima facie harm. I will expand my words a bit if that helps in explaining the logic. The starting point is that it is an extra burden and a harm, but then benefits from other angles can outweigh that harm. It is getting businesses to do something more; if they were doing it anyway, we would not need regulations. It is an additional thing that business is being asked to do. It might be that we have decided that overall it is in the best interests of the sector. Individual businesses cannot regulate and change the sector themselves, so we have decided, “For the good of society, we think businesses should do this.”

I am always a little careful when we politicians say that we know what is better for business in terms of what they are doing. I take the point about how regulatory certainty can be helpful in itself. I also take the point about the overall benefit to society and the business network of having confidence that there are secure and working data centres and that the large load controllers—which we will talk about presently—have control. This Bill is a full-fat compendium of cross-regulations and links. I feel for any business looking through the later chapters and finding themselves subject to those requirements. We have to keep that in mind: all of us in this Committee want our businesses to succeed and do well, and we also want stable and flourishing infrastructure.

Going back to my medical roots, the starting point should be, “Primum non nocere”. That is often misinterpreted as, “First, do no harm”; actually, not doing harm is the main thing that we should do. As a legislator, you should have quite a high threshold before you start saying, “The solution is putting in another law. Let’s create another regulation,” or, “Let’s put another burden on business.”

One of the challenges I had when looking at the Bill when it was first published was understanding why we need it in the first place. What is its starting point? That is something that I have been exploring and thinking about as we have been preparing for this Committee stage. Why is our industry not doing it itself and sorting this out? Why is the Minister here today bringing forward these regulations on business and why is that necessary in the first place as opposed to business sorting it out?

I am sure that this is something that the Committee are going to come back to and explore in more detail when we discuss some of the more high-profile cyber-security impacts, particularly on Jaguar Land Rover and M&S. The hon. Member for Lichfield makes a very good point, and I do not think that this debate is settled in some ways—and I am sure we are going to come back to it quite a few times during the passing of this Bill.

Dave Robertson Portrait Dave Robertson
- Hansard - - - Excerpts

I think your crystal ball is working today.

Ben Spencer Portrait Dr Spencer
- Hansard - - - Excerpts

I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.

Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.

The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and regulated data centres, it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?

Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?

Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.

In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.

Alison Griffiths

My hon. Friend is making a very good point, which also applies to improving board awareness and ensuring that the enforcement of the regulations incentivises boards to take the issue seriously and make sure that they are equipped to understand the commercial reality of cyber-security for their businesses. Enforcement is an important part of that.

Dr Spencer

That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.

Bradley Thomas

Does the shadow Minister agree that the Government should heed the message of Chris Dimitriadis, the chief global strategy officer at the Information Systems Audit and Control Association? He said:

“The era when cyber regulation could focus solely on critical national infrastructure is over. Today, every major employer is part of the digital economy—and therefore part of the threat landscape.”

Surely the Government should heed that message.

Dr Spencer

That is a stark message. Going back to my previous point, I struggle to think how many small businesses can really put in the necessary resource to take these sorts of steps on cyber-security.

There is a broader point here, which goes back to my opening remarks. A chunk of this involves hostile state actors that are attacking our companies, Parliament and the Government, whether directly or through their intermediaries. I find it quite ironic that it was announced earlier this week that our security services are going to work with China’s security services to deal with cyber-security threats. I thought, “Well, hang on a sec. What are they going to say, given that the Chinese Communist party is one of the main drivers of cyber-security threats in the UK?”

Legislating in this area and deciding how to approach it as a society is a particular challenge, given that it is not merely criminals or hacktivists doing this stuff to our companies and institutions; there is also full-fat hostile state interference from Russia, Iran or the Chinese Communist party.

12:15
Bradley Thomas

The risk and the threat from hostile states is plain to see. Does my hon. Friend have any sympathy for the ten-minute rule Bill that I introduced a few months ago on the Floor of the House? We need to strike a balance between the risk that bureaucratic administration poses to small businesses and the very real risk that cyber-attacks pose to the economy in general. The Government should have the private sector in scope and look at setting a threshold that does not become burdensome on smaller businesses. My proposal was for any company that turns over £25 million or more to be in scope, in order to not bear down too heavily on small companies that would otherwise find the process, the risk and the burden of reporting too onerous.

Dr Spencer

I thank my hon. Friend for his interesting proposal, which attempts to crack the nut of one of the problems subsumed in the Bill.

The Bill cherry-picks certain sectors that need to be regulated entities, and there is a whole host of definitions. Then the Secretary of State can allocate some of the bits that they want to tag on through secondary legislation or the designation of a critical supplier. Then we have the MSP component. But there is something the Bill does not deal with. If I were to ask the man in the street to identify the biggest cyber-security attack they have heard of in the past year or so, their answer would probably depend on where they live. If they live in the west midlands, they would talk about JLR, which has had a catastrophic effect on the local economy. In other parts of the country, the focus might be on Marks & Spencer or the Co-op. The Bill does not fix that, so what needs to be done? Should there be a threshold based on turnover, so that the process is not so onerous on certain companies, or something to support the insurance industry?

The Bill is silent on this issue, and the Government need to come up with some answers. I totally understand what they are trying to do with the Bill and how it is taking us forward—of course the NIS regulations need updating—but it does not fix the big stuff that has had a huge impact on people’s lives and required a massive bail-out of several billions of pounds-worth of taxpayers’ money. How many more JLRs can the Government afford to bail out until they have to do something to resolve the issue? I suspect we will come back to that, but I am glad that my hon. Friend introduced his ten-minute rule Bill.

We need to have a solution, but at the same time, we should not put onerous burdens on companies that are already struggling because of the Government’s anti-growth agenda and the punitive taxes being imposed on them to pay for profligate spending. This goes back to the discussion about prima facie harms. Taxation is the best example of a prima facie harm.

Dave Robertson

Will the hon. Member give way?

Dr Spencer

I am very happy to give way on taxation.

Dave Robertson

I fear I am about to repeat what I said a moment ago. I am aware that nobody gets up in the morning and is excited to pay tax, but tax pays for our roads, for our infrastructure, for our hospitals, which keep our workforce in good health, for the education of the next round of employees, for our security services, and for the police, who help to prevent crime. It pays for a whole variety of things that are essential for business to succeed, so taking an evangelical view that tax is bad is just not—

The Chair

Order. I want to take this opportunity to again remind the hon. Gentleman and the shadow Minister that this Bill is not about tax. It is relatively narrowly drawn, so I would be grateful if hon. Members can come back to what is on the face of the Bill.

Dr Spencer

As I risk getting into trouble with Mr Stringer, I will not respond to the hon. Member for Lichfield. I look forward to the opportunity to debate this issue again, perhaps in the emergency Budget in the next couple of weeks.

Clause 6 brings large load controllers, which provide the flow of electricity in and out of smart appliances, within scope of the NIS regulations if the load is above 300 MW. I understand that the threshold has been decided through consultation, given that that pressure could have a substantial impact on the grid. There is a challenge in managing peak demand and supply in the grid and big changes in it, so I entirely understand why the Government are introducing this provision. Smart EV devices—I have a smart charging electric vehicle device myself—used system-wide could cause big grid disruptions, particularly as we integrate infrastructure into our homes such as solar panels, batteries and other energy-related smart devices.

In fact, we need the grid to become more smart device-integrated over the next 10, 15 or 20 years. When we look at projections of energy consumption, we see that we will need to enable people to use the grid by expanding technology such as vehicle-to-grid energy supply, so that we can manage peak load. That is part of expanding our energy, reducing energy costs and supporting renewable energy and the transition to net zero. If anything, this issue will become more important and expansive over the years.

On that basis, I have some questions for the Minister about the clause. Why are data centres and large load controllers the two sectors that he has decided to put on the face of the Bill? I say that with particular reference to the NIS2 regulations, which are expanded a bit more. How does he envisage this area expanding in the future? Is he confident that the scope of the clause is sufficient to cover future technologies that are coming down the track? I am thinking of EV charging apps. The list is prescriptive, but does it have sufficient flexibility? Is the Minister able to come back with secondary legislation if he needs to expand the list in the future, given that it is in the Bill in that form? Would it not be better to put that on the face of the Bill and to use secondary legislation to lay it out, in order to have flexibility? The Minister has been trying to ensure flexibility elsewhere, and understandably so—let us not go back into those debates. I just want to understand his reasoning behind that a bit better. That is certainly not a criticism, but I want to know why those particular sectors have been pulled out, and why it has not been left for secondary legislation.

Kanishka Narayan

With your permission, Mr Stringer, I will restrict my comments to the clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.

The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.

Bradley Thomas

Will the Minister give way?

Kanishka Narayan

I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.

The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.

Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.

On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.

Chris Vince

On the point about flexibility, I think we would recognise that the legislative process in this House does not always move as quickly as we might want it to, but there are reasons for that, because scrutiny is really important. Does the Minister agree that the changing nature of the cyber-threats we face and the changing nature of technology, which he understands far more than me, are the reasons why it is so important to have flexibility in the Bill?

Kanishka Narayan

I thank my hon. Friend for that point. The reality is that neither he nor I am placed to judge exactly where the thresholds should be set on a permanent basis. That is exactly why we have secured the flexibilities that we have in the Bill.

Clause 5 brings Crown-operated data centres into scope of the NIS regulations, ensuring that Government data centres meet robust standards comparable to those in the private sector. Bringing Crown data centres within scope closes a critical gap and guarantees that public sector infrastructure is protected against evolving threats. Exemptions will apply only in defined cases in which a data centre service is provided by an intelligence agency or a facility handling highly classified—“Secret” or “Top Secret”—information. These data centre services are already governed separately, and applying the NIS regime could cause conflict. I urge that clause 5 stand part of the Bill.

Finally, clause 6, on large load controllers, introduces the essential new service of load control under the energy subsector of the NIS regulations. This will capture organisations—

The Chair

Order. I am sorry to interrupt the Minister, but can he speak a little more loudly and slowly for the benefit of all Members?

11:57
Kanishka Narayan

Loudly and slowly: this will capture organisations remotely managing significant amounts of electrical load via energy-smart appliances, both in a domestic and non-domestic setting. These organisations play an increasingly important role in the management of the electricity system, but are not currently regulated for cyber-security. A cyber-attack could therefore create major disruptions to the national grid, shutting down public services and critical national infrastructure. Capturing load control as an essential service will safeguard the public from these disruptions. It will also reflect the need to bring in new safeguards to manage a more digitalised and dynamic energy landscape in the transition towards net zero.

Dr Spencer

Before the Minister moves on—I was a bit nervous that he was going to finish—I have an additional question about the Crown data centre. What happens if a data centre is providing services commercially to both the public and the Crown? How is that operated within the scope of the Bill?

Kanishka Narayan

I am happy to write to the shadow Minister on that point. My understanding is that a Crown data centre will be in scope if it is providing, as in that particular example, to both the public and the private sector, but I am happy to write to him to clarify that point.

The load control market is growing exponentially and we need to make it cyber-secure. For that reason, I propose that clause 6 stands part of the Bill.

Amendment 11 agreed to.

Amendment made: 12, in clause 4, page 3, line 7, leave out “(acting jointly)”.—(Kanishka Narayan.)

See the explanatory statement for Amendment 11.

Clause 4, as amended, ordered to stand part of the Bill.

Clauses 5 and 6 ordered to stand part of the Bill.

Clause 7

Digital services

Kanishka Narayan

I beg to move amendment 13, in clause 7, page 7, line 7, leave out paragraph (b) and insert—

“(b) a pool of computing resources is ‘scalable’ if the resources are flexibly allocated by the provider of the service, irrespective of the geographical location of the resources, in order to handle fluctuations in demand;

(c) a pool of computing resources is ‘elastic’ if the resources are provided and released according to demand, in order to rapidly increase and decrease available resources depending on workload;

(d) computing resources are ‘shareable’ if—

(i) multiple users share a common access to the service, which is provided from the same electronic equipment, and

(ii) processing is carried out separately for each user.”

This amendment would refine and make further provision about certain aspects of the definition of cloud computing service.

The Chair

With this it will be convenient to discuss clause 7 stand part.

Kanishka Narayan

Clause 7 amends the definitions of “relevant digital service provider” and “cloud computing service” in the existing NIS regulations. As in the original NIS regulations, an RDSP is a cloud computing service, online search engine or online marketplace. To be in scope, they must provide a service in the UK and not be a small or microbusiness. That prevents disproportionate business burden, focusing on those larger businesses whose compromise could have a significant impact on the UK’s economy or society. The changes to the definition in the clause clarify that to be in scope, providers cannot be designated as a critical supplier or be subject to public authority oversight, as defined by clause 11. That maintains consistency with the approach to managed services, and minimises dual regulation and unnecessary burden.

Government amendment 13 strengthens the definition of a cloud computing service in clause 7. It introduces precise, clarified and separate definitions of the three core characteristics of cloud computing resources, which is that they are scalable, elastic and shareable.

Alison Griffiths

Clause 7 is definition-heavy, and rightly so; these terms decide who is regulated and who is not. My only observation is that cloud models are, as the Minister knows, evolving quickly because of the AI revolution. Definitions that track architecture too closely will age fast, so the Committee should be alert to whether these terms will still make sense in five years’ time and not just today.

Kanishka Narayan

I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.

Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.

This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.

Dr Spencer

Clause 7 amends the definition of cloud services, which have been within the scope of regulation since the NIS regulations came into force. The expanded definition emphasises remote accessibility and the “on demand” nature of cloud services, and that services may be delivered from multiple locations. It also excludes managed services from the scope of cloud services to avoid duplication of regulatory requirements and oversight.

The Minister proposes changes to this provision in Government amendment 13, which sets out further details regarding the features of in-scope cloud service provision, including common access by multiple users, with each having access to separate processing functions. My question to the Minister builds on the one raised by my hon. Friend the Member for Bognor Regis and Littlehampton. It is obviously difficult—if it is possible at all—to predict how the tech sector will evolve, but what powers will the Government have to adjust these provisions as the cloud ecosystem changes, and what consultation has the Minister done on that within the scope of the Bill?

Kanishka Narayan

On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Currently, the law requires regulated persons to manage risks to the security of their systems. Amendment 28, tabled by the Liberal Democrats, explicitly inserts “risks arising from fraud” into that duty. It would make it clear that a system cannot be considered secure if it is easily exploited by scammers.

Fraud should be considered a national security issue, and there is clearly a relationship between fraud and cyber-security. Scammers across the world are targeting British citizens. Elderly fraud victims in Dyfed-Powys lose £7,900 a day to a tidal wave of scams perpetrated by scammers from many countries across the world, notably Nigeria. UK-wide, in the first half of 2025 alone, criminals stole over £600 million through scams. Surely, we cannot pass a cyber-security and resilience Bill—

The Chair

Order. I think the hon. Member is discussing the next group of amendments, to clause 8. At the moment, we are discussing amendment 13 to clause 7.

David Chadwick

Apologies for the preview.

Dr Spencer

If I might just help a colleague, I think the grouping and selection of amendments has changed, so the hon. Member for Brecon, Radnor and Cwm Tawe may have the previous iteration.

The Chair

That is very helpful. Thank you.

Amendment 13 agreed to.

Clause 7, as amended, ordered to stand part of the Bill.

Clause 8

Duties of relevant digital service providers

David Chadwick

I beg to move amendment 25, in clause 8, page 7, line 31, at the end insert—

“(1A) In paragraph (1), after ‘risks’ insert ‘, including risks arising from fraud,’”.

This amendment would explicitly include fraud as one of the risks to the security of network and information systems relevant digital service providers must identify and manage.

The Chair

With this it will be convenient to discuss the following:

Amendment 28, in clause 8, page 8, line 4, at end insert—

“(4) After paragraph (2) insert—

‘(2A) When taking measures to manage risks under paragraph (1), a RDSP must, in the design of the relevant digital service—

(a) eliminate unnecessary functions from system requirements;

(b) where risks cannot be managed by the elimination of functions, replace or substitute features in the architecture of the system;

(c) where risks cannot be managed by the replacement or substitution of features, implement active functional controls;

(d) where risks cannot be managed by the implementation of active functional controls, instruct and implement operational and procedural controls;

(e) as a matter of last resort, apply requirements, conditions of use or instructions to service users.

(2B) For the purposes of paragraph (1), “risks” include those relating to the availability, reliability, safety, integrity, maintainability and confidentiality of the relevant services or systems.’”

Clause stand part.

David Chadwick

Surely, we cannot pass a cyber-security and resilience Bill that ignores a crime that affects thousands of people. We know that cyber-security criminals across the world attack individuals to enable themselves to get into systems. Families are losing life savings, and small businesses are shutting down because of this epidemic.

The Government often treat fraud as a policing issue, but the amendment would establish that it should be regarded as a cyber-security issue that needs action at the national security level. By amending regulation 12(1) of the NIS regulations, we place a legal duty on digital providers to identify these vulnerabilities proactively. If we mandate that providers manage fraud risks before an incident occurs, we will reduce the number of victims and the devastation caused to livelihoods. We cannot claim to protect our digital economy while ignoring the billions of pounds lost to scams.

Dr Spencer

Clause 8 provides a new definition of “relevant digital service” and makes it clear that this category includes online marketplaces, online search engines and cloud computing services. The definition of “relevant digital service provider” is updated to encompass all entities providing a relevant digital service in the UK, regardless of whether they are established here. Entities designated as critical suppliers are excluded from the definition to avoid duplication of duties and regulatory oversight from sector-specific competent authorities.

However, the definition excludes from scope of regulation relevant digital service providers subject to public authority oversight, unless they derive over half their income from commercial activities. The exclusion of organisations overseen by public authorities also applies in relation to relevant managed service providers.

In many respects, clauses 7 and 8 provide necessary updates to reflect the changing nature and use of vital digital services. Once again, including within the scope of regulation companies that deliver services to the UK but are established or headquartered elsewhere helps to ensure that those companies report cyber-security incidents to UK authorities, rather than just authorities in their home states. That means that UK regulators and law enforcement are equipped with the most comprehensive knowledge of emerging threats.

12:45
However, we know from the National Audit Office report on Government cyber-resilience last year that our public sector digital assets are among the weakest links in the UK cyber-security ecosystem. Why, then, have public sector-controlled RDSPs and RMSPs been excluded from the scope of regulation? This covers a more general area: the exclusion of Government and local authorities—public authority services—from the scope of the Bill.

I will ask the Minister this question now, but I think it will come up again when we talk about designation of critical suppliers. What is the situation where there is a mix of critical suppliers to public authorities, which may or may not themselves be regulated—the NHS is, for example, while local government is not? What if a regulated entity has a critical supplier for which the supply comes from a non-regulated entity, such as a local authority or otherwise? This is particularly acute in social care. I would be grateful if the Minister could expand on that in regard to public sector oversight.

Amendment 25, in the name of the hon. Member for Brecon, Radnor and Cwm Tawe, would amend the NIS Regulations 2018 to include fraud as one of the risks to the security of network and information systems that relevant digital service providers must identify and manage. Many fraudulent sites, including those posing as legitimate Government resources, often remain accessible via search engines, even after platforms have been alerted to the risk by service users. A fraudulent site could have been flagged to some sort of provider yet still be accessible even after the risk has been identified. Wherever online platforms and search engines can do more to protect users from fraud, they should be doing so. What analysis has the Minister made of that risk and of whether the Bill is the appropriate vehicle for introducing further measures to tackle it?

Bradley Thomas

Given the blurring of boundary lines between cyber-attacks and financial crime, I can see the compelling reasons why the amendment has been tabled, but does the shadow Minister agree and acknowledge that fraud detection often requires a different skillset from standard network security, so it is important to strike the right balance?

Dr Spencer

I broadly agree. This is one of those difficult areas where there can be overlap. I have sympathy with the argument that it is important to use any opportunity, and in particular this Bill, to raise fraud.

We focus on financial fraud, but this area is not limited to that, especially when we think about other malicious operators, and about ransomware and hacktivism, where the boundaries are particularly blurred. In a situation where a fraudulent operator, service, provider or organisation has material, whether on social media or subject to search engines, and the police or other competent authorities have flagged it to the provider as fraudulent—as illegal criminal activity—what duties does that provider have to remove it or take it down? Is that something that the Minister is aware of? Has he looked into it, and what is the Government’s plan to crack down on that activity?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.

That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.

Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.

The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.

Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.

Lincoln Jopp (Spelthorne) (Con)

Members on both sides of the Committee have referred frequently to the fact that the incident that took Jaguar Land Rover down would not have been covered by the Bill. JLR employs a digital service provider, in the form of Tata Consultancy Services. Would that provider not be covered, meaning that JLR is in scope?

Kanishka Narayan

Although I will not rule a particular provider in or out of scope, if the provider in question met the threshold for RDSP coverage, it would be covered, but the locus of that coverage would be limited to the provider rather than to the end-customer entity. I hope that clarifies that sufficiently.

Let me explain how clause 8 was designed to tackle the risks that Committee members have set out. The clause updates the existing duties for RDSPs in the NIS regulations to ensure that they remain resilient against evolving cyber-threats. It clarifies the requirement for those services, making it clearer that they must secure themselves not just to keep the services they provide running and available but to contribute to wider systems security as a whole.

Lincoln Jopp

Given the scenario we just discussed, it is possible that a digital service provider would have an obligation to report under the Bill, but the parent company employing its services would not. Given the requirements for confidentiality that a client company may put upon a digital managed service provider, how can that conflict be managed?

Kanishka Narayan

I appreciate the hon. Gentleman’s question, and I have two comments to make on that front. First, the relevant digital service provider will have a range of different customers, and my expectation would be that the regulators and the NCSC would seek a deep understanding of the risk exposure across the full breadth of that portfolio, rather than for each particular customer. Of course, that would form part of some analysis.

Secondly—the shadow Minister asked a related question—I am happy to write about the interaction between prompt notification responsibilities and commercial confidentiality duties, on the basis of the engagement we have conducted so far. Especially when questions of major risk exposure are concerned, I would hope there are provisions that allow the relevant digital service provider to notify the NCSC, but I am happy to write to the hon. Member for Spelthorne and the shadow Minister to clarify that point.

Clause 8 also removes a reference to the RDSP’s own network and information system to clarify that the duty is intended to cover all network and information systems that the relevant digital service relies on.

The cyber-risk landscape is diffuse and multifaceted. Hostile actors can use a range of routes and techniques to attempt to take services offline, as well as to extort, steal and surveil. These changes to the NIS regulations support a holistic approach to tackling cyber-risk. They ensure that important dependencies are covered and that facets of security such as the confidentiality of data and integrity of systems are not set aside.

The clause also requires RDSPs to have regard to any relevant guidance issued by the Information Commissioner when carrying out their duties. Finally, it removes a requirement for relevant digital service providers to consider specific duties referenced in EU regulations. I urge the Committee to support the clause unamended.

Question put, That the amendment be made.

Division 1

Question accordingly negatived.

Ayes: 1

Noes: 9

Clause 8 ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)
12:59
Adjourned till this day at Two o’clock.

Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)

The Committee consisted of the following Members:
Chairs: Emma Lewell, †Esther McVey, Dr Andrew Murrison, Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
† Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
† Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
MacNae, Andy (Rossendale and Darwen) (Lab)
Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty's Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
† Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Public Bill Committee
Thursday 5 February 2026
(Afternoon)
[Esther McVey in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
14:00
The Chair

I remind Members to speak loudly and clearly so that everyone is able to hear.

Clause 9

Managed Service Providers

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss the following:

Amendment 10, in clause 10, page 9, line 29, at end insert—

“(2A) The measures taken by an RMSP under paragraph (1) must ensure that the number of customers to whom the RMSP provides services does not exceed the critical risk threshold.

(2B) In paragraph (2A), the ‘critical risk threshold’ is the number of customers within a sector or subsector where an incident affecting the provision of services to those customers by the RMSP would result in disruption that is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom.

(2C) Paragraph (2D) applies where the number of customers to whom an RMSP provides services exceeds the critical risk threshold by virtue of contracts entered into before the coming into force of section 10 of the Cyber Security and Resilience (Network and Information Systems) Act 2026.

(2D) The RMSP must take steps to reduce the number of customers to below the critical risk threshold, including exercising any right to terminate a contract or vary the terms of a contract.”

This amendment would place a duty on relevant managed service providers (“RMSPs”) to ensure that they do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold, such that an incident affecting those services would be likely to result in significant disruption in the United Kingdom. This would prevent an RMSP managing the technology systems for a whole sector or subsector. Provision is also made for a situation where an RMSP is in breach of the critical risk threshold because of contracts entered into before the enactment of the Bill.

Clauses 10 and 11 stand part.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

I welcome you, Ms McVey, to the most exciting event in Parliament this week.

The Chair

I question that, but carry on.

Kanishka Narayan

What a pleasure it is to serve with you in the Chair. Clause 9 brings large and medium-sized managed service providers—MSPs—into the scope of the Network and Information Systems Regulations 2018. MSPs are organisations that provide an ongoing IT function, such as an IT help desk or cyber-security support, to an outside client. In doing so, MSPs often have widespread and trusted access to clients’ networks and systems. A single targeted attack can ripple outward, disrupting thousands of other systems. That makes MSPs attractive targets for cyber-attacks. Last year an attack on Collins Aerospace halted check-in and boarding systems at major European airports, causing international disruption. Such attacks highlight what can happen if a single point of failure is compromised, and the importance of managed service providers implementing robust cyber-protections. Despite that, MSPs are not currently regulated for their cyber-security in the UK. As organisations rely more and more on outsourced technology, we must close that gap. The clause provides essential definitions of a “managed service” and of a “relevant managed service provider” to clearly set out which organisations are in scope of the regulations.

Clause 10 imposes new duties on MSPs that have been brought into scope by clause 9. For the first time, such businesses must identify and manage risks posed to the network and information systems that they rely on to provide their managed services. As part of that duty, MSPs must have

“regard to the state of the art”,

meaning that they must consider new tools, technologies, techniques and methods that threat actors may employ. That includes artificial intelligence, and means that providers must deploy the right tools to mitigate the risks and take action to minimise the impact of incidents if they occur. By bringing MSPs into scope of the regulations and imposing such security duties on them, we will strengthen cyber-security and resilience across supply chains, reduce vulnerabilities in outsourced IT services and better protect businesses and services across the UK.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

Bringing MSPs into scope is the right direction of travel, and MSPs sit at points of concentrated risk, but they are not all the same and the real risk is not size alone but the level of privileged access and cross-customer dependency. Proportionality will be critical under these provisions if we want better security, not just box-ticking.

Kanishka Narayan

I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.

Clause 11 defines what it means for a digital or managed service provider to be

“subject to public authority oversight”

under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.

In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely welcomed definition.

Lincoln Jopp (Spelthorne) (Con)

It is a pleasure to serve with you in the Chair, Ms McVey. Small and medium-sized enterprises are defined by the headcount of full-time employees, yet in the world of IT, particularly for managed service providers, data centres and digital service providers, that is not a helpful metric to understand size and scale. Did the Department consider reevaluating the size of digital and managed service providers based on the through-flow of transactions or data rather than headcount? When I worked in the world of tech, there was a ratio for headcount that was totally different from other sorts of businesses.

Kanishka Narayan

The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Ms McVey.

Clause 9 brings within scope of the NIS regulations a new category of technology service providers, known as relevant managed service providers. MSPs play a critical role in the UK economy. Research conducted by the Department for Science, Innovation and Technology under the last Government suggests that 11,000 MSPs were active in the UK in 2023, of which 1,500 to 1,700 were medium or large organisations that would be in scope of the Bill. Micro and small enterprises that offer managed services are excluded from the scope of regulation but have the potential to be designated as critical suppliers under other provisions, which we will come to shortly.

MSPs are critical to the functioning of the multiple businesses that they serve, offering contracted IT services such as helpdesk and technical support, server and network maintenance, and data back-up. In many cases, they also provide managed cyber-security solutions to their customer bases. Consequently, these businesses often have significant access to their clients’ IT networks, infrastructure and data, which makes them attractive and valuable targets.

Chris Vince (Harlow) (Lab/Co-op)

I seek some clarification on the shadow Minister’s statistics about the number of MSPs that are in scope, and what they are as a proportion of the MSPs in the country. Could he clarify that he is talking about individual organisations rather than what they do? For example, if there is one large organisation and nine small ones, but the large one takes up 80% of the market, the proportions are slightly different.

Dr Spencer

The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.

The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and incident reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.

However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?

I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.

It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?

The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.

One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.

Lincoln Jopp

Having read the Bill, does my hon. Friend understand whether, if a managed service provider provides services to, say, a hospital—so it would be covered by the regulations—and a reportable event happens to the managed service provider, there is any obligation for the hospital trust to report it as well, or whether it is just the managed service provider that has the responsibility? If he is not clear on that, would he ask the Minister?

Dr Spencer

I thank my hon. Friend for the “get out of jail free” card that he gave me at the end of his question; indeed, I pass that question on to the Minister. The point is well made in terms of trying to dissect the interacting and relevant duties in the Bill. The Bill tries to chop up different actors in the digital ecosystem, as well as public and non-public organisations, although a commercial threshold is being used. The Bill also introduces confusion: it rightly tries to make a carve-out for Crown data centres, but what exactly is a Crown data centre? One could argue that a Crown service is something provided by the state. Is a data centre serving a hospital therefore a Crown data centre?

There are so many different components within the Bill. Not only are there 14 regulators, or however many are operating—earlier this week, Amazon told us in evidence that it is regulated by four regulators—there is also confidential information going through, as my hon. Friend the Member for Spelthorne pointed out. It gets even worse in the clause on critical supply networks. It is just incredibly confusing. The Committee—and, dare I say, the Government—should not ignore the evidence we have received from managed service providers time and again saying that although MSPs should be in scope and these regulations help, we need clarity on what exactly that means.

14:17
Alison Griffiths

I think my hon. Friend is about to reference the commercial impacts on MSPs. We have already referenced the fact that they are of many different sizes. One of the concerns the Committee will need to consider is whether new contracts will need to be written. The level of uncertainty being created may render the existing frameworks within which they operate redundant.

Dr Spencer

I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.

Chris Vince

The shadow Minister is always very generous with his time. This is not meant to be a controversial intervention, but does he recognise that micro and small enterprises have been omitted from this legislation because we recognise the challenges they have with the guidance? I appreciate that small can mean mighty when it comes to businesses. The hon. Member for Spelthorne made the point that businesses may have only a small headcount, but a very important role in the cyber-security make-up of this country.

Dr Spencer

Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.

Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.

Lincoln Jopp

I thank the shadow Minister for his reply to my hon. Friend the Member for Bognor Regis and Littlehampton. Is he as surprised as I am to read in the impact assessment that the hourly rate for a contract lawyer is to be £34 an hour rather than £300 to £500 an hour, which in my experience is the market rate?

Dr Spencer

I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.

Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.

We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

The hon. Member is quite right to say that American companies have captured most of the market that he is talking about, particularly the cloud providers. What does he think is stopping British cloud providers from getting a larger share of the market?

Dr Spencer

The cloud providers I have spoken to talk about several things. They talk about the crippling cost of energy in the UK, something that we need to drive down—

The Chair

Order. You are telling me that you do not think it is in scope, but we consider that it is.

Dr Spencer

The cloud providers tell me that the energy costs are crippling, which is highly problematic, and that is why we need to drive those costs down. They talk about the challenges of getting data centres built and about planning considerations, which are a concern across the country. They talk about the taxation environment and costs on businesses more generally, particularly when they are footloose, and they talk about the regulatory framework. Pretty much all of those things are not specifically in the Bill, with the exception of the regulatory framework, so there is a lot that is suppressing the opportunities for cloud providers and others in the sector and hindering them from doing business and succeeding.

There is a broader point to make about the Bill and the philosophy behind it, because there is something that we have to avoid. There is a sense in the UK that we are getting gummed up by regulation and obsessing more and more about limitations and restrictions to businesses. In that environment, people and organisations that do well financially, succeed and grow are seen as either targets or cheats—as something that we can go for, tax and punish. We have lost or diminished our can-do attitude when it comes to supporting the risk takers and the entrepreneurs, who are the people and organisations building the MSPs and data centres on which our economy relies.

Over and above that, there is a cultural issue that is impacting our IT and tech sector. As legislators we should ensure that the thing we have direct control over, which is the legislation in front of us, imposes as small a regulatory burden as possible while still ensuring that it is sufficient to meet our aims. We must listen to businesses and hear their concerns. We hear time and again that the lack of clarity, particularly in this part of the Bill, is putting them at financial and legal risk. That is a very substantial concern.

Alison Griffiths

On my hon. Friend’s point about the lack of clarity in the Bill, there is a real possibility that firms will find that an MSP has one view of an issue while their client has another. Unless there is sufficient clarity in the wording of the Bill, we will have issues.

Dr Spencer

I thank my hon. Friend for her intervention. Legal clarity is important. I have absolutely no issue with lawyers, but we do not want to make a load of money for lawyers as a consequence of the definitional challenges around the Bill’s implementation. That is not good for businesses, which need certainty as to how to apply the regulatory framework under which they operate. Regulatory uncertainty will not help a business to make decisions. My assumption is that the default position will be for businesses to assume that they are not regulated entities, which means that they will not take actions that we would like them to take as a result of the Bill. Again, we will be making laws under which everybody loses out.

My final point is about the carve-out in respect of public authority oversight. It is all well and good for the Government to say, “We have an action plan and we’re going to sort out Government IT and the cyber-security risk for Government services,” but it is not playing out that way. Our biggest risks, and the most vulnerable components of our digital IT infrastructure, are those that are linked to Government services. Change is needed. My sense is that when a company interacts and shares data with Government and public sector services, the biggest cyber-security risk is likely to be in the aspects that are provided by Government services. We are making legislation that puts a host of burdens on the private sector, yet we are largely silent about what is happening in the public sector. Putting people at risk in that way is really not good enough. We need to support our overall cyber-security.

Kanishka Narayan

Once again, the shadow Minister is auditioning for roles in the Treasury, by talking about general taxation, and in the Department for Business and Trade, by talking about general philosophies of regulatory reform. I will focus on matters within the scope of our debate, and on four aspects in particular.

First, Opposition Members have raised questions about definition. They have been answered frequently, but I am happy to repeat the answer. The scope of MSP coverage, which focuses on large and medium-sized MSPs, means that something in the order of 11% of MSPs are covered, by number, but 97.6% of the UK’s MSP revenue is covered. I hope that that gives sufficient assurance as to the coverage of the Bill. Of course, the critical supplier provisions cover any others.

14:30

Secondly, on the matter of concentration risk raised in amendment 10, which stands in the name of my hon. Friend the Member for Warwick and Leamington (Matt Western), it is indeed covered. I hope that that point is sufficiently answered by the market share provision that I have just highlighted.

Thirdly, the hon. Member for Spelthorne asked about notification and overlap of responsibilities. In the example that he highlighted, unless the hospital had a reason to think that an incident posed a risk to it, or had the capability to have a significant impact on it, the notification would primarily sit with the MSP in question. Of course, that would be for the relevant regulators to set out in clear guidance.

Finally, on the question of Crown data centres, that is a specific observation around the Crown data centre organisation.

Lincoln Jopp

Will the Minister give way?

Kanishka Narayan

I am happy to proceed and to focus on Crown ownership of data centre provision to others. For those reasons, I continue to commend clauses 9 to 11 to the Committee.

Lincoln Jopp

Will the Minister please clarify whether he thinks that, as page 102 of the impact assessment states, the hourly rate for a lawyer changing a contract is £34?

Kanishka Narayan

I simply point out to the hon. Member that the pricing for law varies materially. I hope that, with the benefit of technology, it continues to be very accessible to all relevant providers.

Lincoln Jopp

I am sorry, but that is nonsense. The footnote on the page that cites £34 an hour for a contract lawyer directs us back to the Office for National Statistics. I hope that the Minister lives in the real world—he has clearly worked in the business world—so he knows that that is nonsense. Does he agree that that pretty well undermines that section of the impact assessment?

Kanishka Narayan

Having closed the debate, I am happy to conclude.

Question put and agreed to.

Clause 9 accordingly ordered to stand part of the Bill.

Dr Spencer

On a point of order, Ms McVey. What mechanism is available to Members who are concerned that there is a factual error in the impact assessment? How can that be corrected?

The Chair

The point has been made clearly on the record. We can take it beyond this room, and perhaps you can write to the Minister afterwards for clarification.

Clauses 10 and 11 ordered to stand part of the Bill.

Clause 12

Critical suppliers

Question put, That the clause stand part of the Bill.

Kanishka Narayan

Clause 12 will introduce a new power for regulators to designate critical suppliers to organisations as in scope of the NIS regulations. These are suppliers that are so pivotal to the provision of essential digital or managed services that a compromise or outage in their systems can cause a disruption that would have serious cascading impacts for our society and economy; I am thinking in particular of the Synnovis incident in 2024, when 11,000 medical appointments were cancelled across London hospitals as a result of an attack on a pathology service provider.

The clause will ensure that the power to designate can be exercised only where suppliers pose a credible risk of systemic disruption and when the regulator has considered whether the risks to the supplier cannot be managed via other means. In other words, it is a very high bar indeed. 

The clause provides safeguards for suppliers, which must be consulted and notified during the designation process. It also requires regulators to consult other relevant NIS regulators when they are considering whether to designate, or decide to do so, ensuring that they have an accurate understanding of how suppliers are already regulated. 

Finally, the clause provides for designations to be revoked when risks no longer apply or when a supplier has met the thresholds for regulation as a relevant digital service provider or relevant managed service provider. It should be noted that the clause does not set out the security duties on critical suppliers; these will be defined in secondary legislation following an appropriate period of consultation.

By addressing supply chain vulnerabilities, this measure will strengthen the resilience of the UK’s essential and digital services on which the public rely every day. I commend the clause to the Committee.

Alison Griffiths

The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.

Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.

The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.

As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.

There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.

UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.

My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small—I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.

Lincoln Jopp

To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.

To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:

“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;

so we cannot tell how many there are. The same page also states:

“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”

We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.

Dr Spencer

This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.

The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.

The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.

To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.

Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?

14:45

The detail—such as it is—of clause 12 sets out the criteria under which entities can be considered for designation as critical suppliers. It is notable from the outset that critical suppliers can only be designated if they provide services directly to OESs, RDSPs or RMSPs.

In oral evidence, Dr Ian Levy of Amazon touched on the complexity of sophisticated supply chain arrangements for companies such as Amazon, and commented that the value of a contract with a supply chain entity and the potential impact caused by interruption “are not necessarily correlated”, which we have already covered several times this afternoon. What assessment has the Government made of the need for regulators to look further down supply chains to identify risks from entities that are not in direct contractual relationships with OESs? How far does that go, in terms of the dependency link in a complex supply chain providing OESs?

Further, can the Minister clarify what is meant by the stipulation that, to be a critical supplier, an entity must rely “on network and information systems for the purposes of” providing services? Does that provision imply that a level of access to the OES’s IT systems, or access to shared IT systems, is necessary for a designation? As drafted, it appears that nearly any service using an IT system to manage its business would be in scope. That could include cleaners, taxi firms, caterers and so on—is that the intention of the provision? I will come back to that a bit later.

I will move on to the requirement that, to be a critical supplier, incidents affecting an entity would need to have the potential to affect the provision of essential services in a way that might have a significant impact on the economy or day-to-day function of society as a whole, or in any part of the UK. That concept is extremely vague and challenging for regulators to judge in practice. Some guidance is given about the factors to be taken into account in paragraph 4, but it remains too high level to be of practical use. The concept needs not only qualitative criteria, but quantifiable thresholds for metrics such as economic loss, geographical impact and the number of businesses or people who could be affected. Can the Minister confirm that that matter will be consulted on and refined, to provide much-needed clarity to regulators and supply chain entities?

The role for OESs, RDSPs and RMSPs in the critical supply designation process under the provisions is totally unclear. As drafted, the competent authority must consult with the proposed designated supplier and other interested competent authorities. However, the Bill is silent on the specific need for consultation with OESs, RDSPs and RMSPs—sorry, Hansard—that receive potentially critical services from those suppliers. That gives rise to the important question about what role OESs will have in informing regulators about the critical nature of various suppliers’ services, so that regulators can take that information into account in deciding which entities to designate. Perhaps that is implicit in the provision that contains the duty for regulators to consult “such other persons” as they consider “appropriate”, but there is no definitive obligation for regulators to consult OESs. That appears counter-intuitive, as those organisations are surely best placed to provide a starting point for which suppliers should be brought into the scope of regulation as critical services.

It was evident from the helpful testimony of senior officials from NHS Greater Glasgow and Clyde that OESs remain in the dark about what their role will be in determining which are the critical services providers for their organisation. The involvement of OESs, RDSPs and RMSPs in the designation process is also vital in determining whether the goods or services provided by a supplier that is under consideration for designation can be sourced from an alternative supplier. The existence of realistic alternatives may obviate the need for supply chain entities to be brought within the scope of regulation, but in practice it may be difficult for regulators to determine whether workable alternatives exist, particularly where services have been procured through highly technical, detailed and rigorous procurement processes.

Can the Minister clarify what the Government consider the role of OESs, RDSPs, and RMSPs should be in the critical supplier designation process? Given the number of gaps and uncertainties in the planned scheme for the designation of critical suppliers, can he update us on the likely timescale and scope of consultation on this critical issue? That is an issue that goes to the core of whether the Bill will be capable of practical implementation.

I will finish by giving a worked example to go through. I have gone through a lot of technical detail on how we envisage the regulator operating in practice, but a real-world example would be helpful for the Committee—and dare I say, the Minister—to see what the challenges are to having the clause operate as we would like. I totally understand the Government’s aim and intention by having this provision for services that are too big to fail—for want of a better argument—in terms of OESs. My concern is how it all works in practice. I go back to the NHS; that is my happy hunting ground to talk about, given my previous experience, but it is a helpful example.

As Members will know, an NHS trust will have a whole host of private sector providers doing different functions and services for that trust. Many trusts will have different parts of their workforce supplied by private sector providers, for example cleaners, porters, taxi services and patient transport. Locum doctor availability out of hours will often be from a private service provider—sometimes in-house, but often through a private locum agency. The purchase and supply of medicines and items, the maintenance of items and the estate, and emergency boiler works will all be through private service providers. IT services themselves will be private service providers, as is the computer hardware.

It would be helpful if the Minister could unpick this worked example. My concern is that, given limitations in access to the IT network, in the modern day I do not see any private sector provider that is supplying to an OES not doing so, in some way, shape or form, through the IT system or network. It strikes me that all those providers—unless people are communicating by letter or carrier pigeon—will be within the scope, so the criterion completely falls apart.

Alison Griffiths

The clause is drafted broadly, which is understandable, but in practice many of the supply chains, as my hon. Friend has ably demonstrated, involve several layers of providers and sub-providers. I would welcome clarity on how regulators are expected to approach designation in these cases, so that responsibility is clear and preparation can happen upstream, rather than only after an incident.

Dr Spencer

My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.

What happens in the circumstance where a critical supplier acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.

Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.

Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff—I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.

If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.

It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say, “Ben, you’re completely wrong. We found some providers”, but, if that situation arises, how will the arbitration occur in terms of the threshold?

Chris Vince

I am not going to tell the hon. Gentleman that he is completely wrong—he should not worry about that. I will make another point. I wonder whether the distinction might be how time-sensitive losing a particular service would be. That is just a suggestion.

Dr Spencer

I thank the hon. Member so much for that intervention about the time it would take to find an alternative supplier, because it will bring me on nicely to my point about alternative suppliers.

However, before I move on to that point, the hon. Gentleman made a very good point in his intervention, which I will address. To be subject to these provisions will create a regulatory burden, and therefore a cost burden, for an organisation that is designated to be a national critical supplier. If I was a supplier of services, I would want to have the best provision possible. I would want to be cyber-secure; I would want to have a gold-standard service. However, I might also be nervous of being designated as a critical supplier because of the regulatory burden that would impose on me, which would make me potentially less competitive in getting contracts because of the costs that would ensue. There would need to be an arbitration system where a company that is under threat of being designated a critical supplier could have a discussion or debate about whether that designation was relevant or not.

I will now move on to the point that the hon. Gentleman made about alternative services. I really have no idea at all how we can expect a regulator to delve into the complexities and the minutiae of what is available in a local economy to provide these services that the OES is receiving. Do we expect the relevant regulator to check what taxi services are available—actually available, rather than some sort of fantasy availability where they are available on paper, but not in reality—in the local ecosystem that could supply to that hospital, which is the operator of essential services? What is the scope of research that the regulator would have to do? What considerations would they need to take regarding how much the taxis cost and how effective they are? What about the procurement decisions and processes that have already been gone through?

Most public sector organisations have complex procurement rules when setting up their contracts—and that is before we even begin to consider health and safety concerns that are subject to regulatory provisions. For example, if the regulator decided that taxi services are under threat of becoming a critical supplier, then does the taxi service have the ability to deal with someone who has a cardiac arrest, needs oxygen or has a behavioural disturbance? Can it manage people with physical or mental disabilities? What is the scope of that particular service provision? The experts will be the people who commissioned it in the first place; yet on the face of the Bill there is no objective requirement for the regulator to speak to the OES in the first place about how this provision and service was procured.

In terms of the service being available—as per the point made by the hon. Member for Harlow about the time to shift through—how will that be evidenced and investigated? What resource is going into this? That is just for a taxi company. What about when we expand it—and this is just for the NHS—to cleaners, porters, locum agencies or medicines provision? Is the provision of services geographically circumscribed or will this be across the country? I am sure that one can find alternative services to provide taxis to St Thomas’ in Birkenhead, but that does not necessarily mean that it is available in a reasonable timeframe or sense, in terms of the designation of supplier.

15:00

Finally, when it comes to investigations and making assessments of this designation, how will the regulator know what it should look at? How does that conversation go? Does the hospital trust go to the regulator and say, “Hello regulator, here is a list of all the private service providers who are supplying our OES—and by the way, this list is going to change every single day, because these things are in flux and we secure things from different services”? What is the regulator going to do then? Is it on the regulator to go through this list and do an assessment and appraisal as to whether it is a critical service to the OES that we need to then get into the scope of regulation? Or does it work the other way around?

Does the regulator have to turn up and go through the company notes and records, some of which will be highly commercially sensitive? That is relevant when it comes to alternative providers when the discussion is taking place between the regulator and the OES about whether designation is available. Then, when a private sector organisation is being investigated as to whether it should get OES status, who has the burden of proof and what is the evidential burden on whom? Is it on the regulator to demonstrate that that organisation is a critical supplier, or is it on the hospital or the private company themselves? How can that be disputed and what is the appellate system?

The Minister has made it very clear that this Bill and these regulations are important and are going to have teeth and change things. If that is so, then by definition they will impose a cost and burden on business. We recognise that the legislation needs to be proportionate, but it is reasonable for any business that is about to be subject to a regulatory burden to be able to make representations and, if necessary, have their day in court to challenge the necessity of that designation.

Lincoln Jopp

I do not want to add spurious hypotheticals, so I will talk about the real world. I visited the Maypole special school in my constituency the other day. It has 20 members of staff and 18 pupils. It has people coming from as far away as Wandsworth. It books the transport, and the transport is paid for by the local education authority in which the pupil lives. It is clearly critical that children get to the school—just as it would be for a hospital. Would it be up to members of staff at the Maypole school to find out whether Addison Lee used a managed service provider or a data centre? That seems quite a tricky thing to know about and then to fulfil.

Dr Spencer

I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.

I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.

Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.

If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.

Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.

It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.

Kanishka Narayan

First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.

The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.

The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.

Lincoln Jopp

Will the Minister give way?

Kanishka Narayan

I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.

In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.

I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.

Dr Spencer

Will the Minister give way?

Kanishka Narayan

I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.

On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.

The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.

Lincoln Jopp

The Minister came back with an answer on proportionality, saying that it is not for Government to decide what is essential. He missed out the next bit, which is, “We’re just going to regulate critical suppliers and pass laws about them, but we don’t know how many there are, and we don’t know how much the policy is going to cost.” Would he accept that characterisation as the logical conclusion of what he said?

The Minister also said that schools were not covered by the Bill. As far as I am aware, patient data and children’s data are two of the most precious things that we have, so I would like to know why schools are not covered by the Bill.

Kanishka Narayan

On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.

Chris Vince

I was going to intervene on the hon. and gallant Member for Spelthorne, but he is bigger than me. I recognise the points he made about the number of critical suppliers, but I come at the question from the other angle: doing nothing may leave critical suppliers at risk. Although we might not know the exact number, as he correctly asserted, it is important that we do something and introduce the regulations as soon as we can to protect our critical infrastructure.

Kanishka Narayan

I thank my hon. Friend for that point. This issue has not come out of nowhere. Industry and a number of organisations asked that we introduce the measures in the clause.

Beyond the very clear five-step test for critical supplier designation, the Bill provides that the requirements on critical suppliers are proportionate. The reason why we have both the five-step test and the provisions in the Bill is that, in most cases, if the risk assessment suggests so, the security requirements set out in the Bill will be less onerous. They will be specified in secondary legislation and guidance.

On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.

15:16
Dr Spencer

The Minister is, of course, within his rights to snarkily dismiss the questions that I have raised, but I should point out that the stuff that is debated in Parliament, whether in Committee or on the Floor of the Chamber, is relevant when it comes to future legal disputes after a Bill is passed. The questions I have asked about the application of the Bill’s provisions will be important parts of the legal disputes that I expect will arise after its implementation. When people look back through the Minister’s dismissive comments, I hope they have other resources that they can go to for settling legal arguments. However, he may choose to respond fully now, or in writing if he cannot provide me with an answer.

Kanishka Narayan

I believe that where the shadow Minister laid out any specific concerns, I was able to set out answers, not least on the process for the designation of critical suppliers and the availability of an appeals process. Where his points were more in the realm of specific hypothetical puzzles, I have stayed clear for precisely the reasons that he highlights. This is serious stuff that can form the basis of how businesses and others plan, rather than specific judgments that we ought not to speculate about in this House.

Question put and agreed to.

Clause 12 accordingly ordered to stand part of the Bill.

Clause 13

Provision of information by operators of data centre services

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clause 14 stand part.

Kanishka Narayan

Clause 13 ensures that operators of data centres provide essential information to regulators, enabling them to properly monitor their sector and its cyber-resilience. The clause requires operators to submit key details, such as names, addresses and contact information, within three months of designation, and to update regulators within seven days if anything changes. Regulators are required to maintain a list of designated entities. By keeping regulatory records current, the clause strengthens our ability to monitor and protect essential services and respond to incidents that could affect businesses, public services and national security. The clause plays a key foundational role in the Bill’s wider framework for cyber-security and resilience.

Like clause 13, clause 14 places legal duties on digital and managed services providers to provide essential information to their regulator—in this case, the information commission. Like operators of data centre services, RDSPs and MSPs will be required to register with the information commission within three months, submitting key details, such as names and contact information, and to update regulators within seven days if anything changes. Organisations based outside the UK will be required to nominate a UK representative and provide contact details. To strengthen cross-agency support and recognise the key role that these businesses play in the UK economy and society, the information commission will be required to share its registers of relevant digital and managed service providers with GCHQ. Those proportionate steps will enable authorities to do their job and respond when it matters.

Dr Spencer

Clause 13 requires in-scope data centre operators to provide certain information to their designated competent authorities, which—subject to Government amendment 11, which we passed earlier—will now be solely Ofcom, and to keep that information up to date. The information includes the data centre operator’s address and the names of directors. It must be provided within three months of the data centre operator’s designation. For data centres that meet the threshold criteria, that would be three months after clause 4 comes into force. Other OESs are not subject to an equivalent requirement to provide information to their sector regulator. That reflects the fact that the Government currently have limited information about the data centre sector.

RDSPs are already required, under regulation 14 of the NIS regulations 2018, to provide their contact details to the information commission, as their sector regulator. Clause 14(2) amends regulation 14 to require RDSPs to provide more information, including about their directors and the digital services they provide. It would also require the information commission to share a copy of its register of RDSPs with GCHQ. Clause 14(9) requires RMSPs to register with the information commission and to submit the same contact details as RDSPs. RMSPs must nominate a UK representative if they are based outside the UK. The information commission will be required to maintain a register of RMSPs and to share it with GCHQ. Clauses 13 and 14 give Ofcom and the information commission access to more detailed information about regulated entities and facilitate regulatory oversight of the data centre, RDSP and RMSP industries in the UK.

Question put and agreed to.

Clause 13 accordingly ordered to stand part of the Bill.

Clause 14 ordered to stand part of the Bill.

Clause 15

Reporting of Incidents by Regulated Persons

Dr Spencer

I beg to move amendment 1, in clause 15, page 22, line 15, at end insert—

“(f) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”

The Chair

With this it will be convenient to discuss the following:

Amendment 2, in clause 15, page 22, line 25, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 4, in clause 15, page 23, line 32, at end insert—

“(ea) where the incident involved one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 5, in clause 15, page 26, line 37, at end insert—

“(h) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”

Amendment 6, in clause 15, page 27, line 7, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 7, in clause 15, page 30, line 8, at end insert—

“(fa) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented;”

Amendment 8, in clause 15, page 30, line 21, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 9, in clause 18, page 40, line 10, at end insert—

“(8A) Where the CSIRT receives notification of an incident under regulation 11, 11A, 12A, or 14E that materially involves autonomous or adaptive systems based on machine learning, the CSIRT must share relevant technical information with the relevant body within 72 hours.

(8B) For the purposes of this regulation, a “relevant body” means the AI Security Institute or any successor or replacement body designated by the Secretary of State.”

Dr Spencer

I will speak to the amendments tabled by the hon. Member for Dewsbury and Batley (Iqbal Mohamed), but wait for the next group to speak to clauses 15 and 16 and the amendments to them in the name of the official Opposition.

From the outset, it is important for me to say that while I have spoken to the hon. Member more generally and responded to a debate he secured on AI, I have not spoken to him specifically regarding these amendments and their precise purpose. However, given his concerns about the AI sector and his background, we can see where he is going with them. Broadly speaking, the amendments would ensure that as part of the reporting requirements under these clauses, there is an ability to measure whether adaptive AI or large language models have been responsible for a cyber-security breach or an incident within the systems themselves.

That derives from what we see happening more generally in the cyber-security sector. We heard evidence that, online, people can essentially purchase a cyber-security hack suite of software. It is possible to pay for people to do hacking and one can get training in it. A lot of hacking and cyber-security breaches are now expanding because of large language models and the use of AI to probe systems. I do not know if we have a sense of scope regarding how much this is a problem specifically in the UK, whether for the individual businesses or organisations that will be regulated under the Bill. I understand, as I interpret them, that the point of the amendments is to get a dataset on where AI or automated decision making has been used to pose a particular cyber-security risk.

The amendments also speak to a more general point. There has been a lot of debate in this place over the years about what we as a country, and equivalent democracies, are doing on the regulation of AI and large language models, building on the Bletchley conferences, innovative work and what guardrails we need to think about in terms of imposing LLMs and AI in the UK, and how we approach AI being used by hostile state actors, such as through bot accounts. I understand that the use of deepfakes, bots and so on is an emerging risk as a method of cyber-attack. There are broader issues with regard to transparency when bots on the internet and social media networks can get into various IT systems and accounts, and effectively pretend to be somebody else to get around the cyber-security system. As with all things, we do not know what we do not know. I understand that the amendments were tabled to increase reporting requirements and give us more evidence of the scope of the problem and the threat posed.

I will be grateful if the Minister gives his sense of how much of a problem this is, particularly with regard to whether reporting requirements are necessary. I believe that the Government’s original plan was to introduce an AI Bill. That would have pros and cons, and I remain agnostic on that, but, speaking for His Majesty’s Opposition, I would like to know the Minister’s plans for the AI landscape and whether, in the upcoming King’s Speech, there is an idea of revisiting an AI Bill, which might make such amendments obsolete.

The Chair

Order. That is not relevant now.

Kanishka Narayan

I appreciate the intent behind the amendments and the shadow Minister’s position of understanding but not supporting them, which I share. I share his concerns about the potential for emerging risks posed by AI systems, not least in the realm of cyber-security. At the same time, I am conscious that we have not specified any risk factors in the Bill from a reporting point of view for the National Cyber Security Centre or the regulators. To do so in this context would place an undue priority on one category or source of risk.

For those reasons, although I understand the motivation behind the amendments and I am conscious of the risks posed by AI systems, I urge the hon. Member not to press them. The Bill is technology-agnostic rather than focused on particular areas of risk. The Government continue to work on mitigating AI risks, primarily at the point of use, but also through extensive Government capability, not least in the AI Security Institute.

Dr Spencer

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)

15:27
Adjourned till Tuesday 10 February at twenty-five minutes past Nine o’clock.
Written evidence reported to the House
CSRB21 BCS Chartered Institute for IT
CSRB22 Internet Services Providers’ Association (ISPA)
CSRB23 The ABI
CSRB24 Dr Áine MacDermott, Liverpool John Moores University
CSRB25 Rob Wright, Chief Commercial Officer, Hexiosec, Ambassador for Software Security for DSIT
CSRB26 Online Safety Act Network
CSRB27 Shoosmiths LLP
CSRB28 British Insurance Brokers’ Association (BIBA)

Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)

The Committee consisted of the following Members:
Chairs: Emma Lewell, Esther McVey, †Dr Andrew Murrison, Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
† Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
† Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
† MacNae, Andy (Rossendale and Darwen) (Lab)
† Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty’s Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
† Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Public Bill Committee
Tuesday 10 February 2026
(Morning)
[Dr Andrew Murrison in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
09:25
The Chair

Good morning, everyone. I remind Members to send their speaking notes via email to Hansard and to switch electronic devices to silent. Beverages are not allowed. I ask people to speak clearly and precisely for the benefit of other colleagues and Hansard. Were they to give an early indication that they wish to speak, that would be much appreciated.

Lincoln Jopp (Spelthorne) (Con)

On a point of order, Dr Murrison. In Thursday’s session, I asked the Minister why pupil data was not within the remit of this Bill. He said:

“On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.” ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 5 February 2026; c. 137.]

Since then, I have been researching any action taken in respect of the Government’s cyber-security strategy and the cyber action plan, and can find no record of them dealing with the issue of pupil data. I wonder whether, this morning, the Minister could specify what he meant last Thursday or commit to coming back to the Committee with that detail.

The Chair

I am sure that the Minister will have heard what the hon. Member has said. He may wish to reflect on it, but it is not really a matter for the Chair. Nevertheless, it is on the record.

Lincoln Jopp

On a point of order, Dr Murrison. Yesterday, I spoke in a petition debate in Westminster Hall. The petition was signed by 114,000 members of the public calling for a public inquiry into Russian influence in British democracy. In researching my response on behalf of His Majesty’s Opposition, I came upon the Government’s statement about this Bill, which said that it would

“require organisations in critical sectors to further protect their IT systems”.

The split infinitive notwithstanding, I do not believe that the Bill requires any organisations in critical sectors to further protect their IT systems. If the Minister thinks that the Government are correct in saying that, would he like to direct us to that requirement in the Bill?

The Chair

Once again, if the Minister wishes to respond to that, it is open to him to do so. The hon. Member for Spelthorne, who is very adept at these things, will be able to weave any further comments he might have into his contributions during our proceedings.

Clause 15

Reporting of incidents by regulated persons

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss:

Clause 16 stand part.

New clause 6—Inclusion of ransomware attacks in the NIS Regulations

“In regulation 1(2) (interpretation) of the NIS Regulations—

(a) in the definition of ‘incident’, after ‘systems’ insert ‘or a ransomware attack which is targeted at the security of network and information systems’;

(b) after the definition of ‘online search engine’ insert—

‘ransomware attack’ means a cyber-attack involving a type of malicious software that infects a victim’s computer systems, can prevent the victim from accessing systems or data, impairs the use of systems or data or facilitate theft of data, and in relation to which a ransom is demanded for access to be restored or for data not to be published.”

This new clause would include ransomware attacks in the definition of “incident” in the NIS Regulations.

New clause 7—Impact of reporting requirements on relevant bodies

“(1) The Secretary of State must, within 12 months of the passing of this Act, publish and lay before Parliament—

(a) a review of the impact, on relevant bodies, of—

(i) the requirements relating to the notification of incidents in Parts 3 and 4 of the NIS Regulations (as amended by this Act); and

(ii) any additional incident notification requirements made by regulations under this Act; and

(b) proposals for the creation of a single cyber incident reporting channel for relevant bodies.

(2) A review under this section must consider –

(a) the costs of requirements on relevant bodies; and

(b) interactions with other incident reporting regimes.

(3) In this section, ‘relevant bodies’ means operators of essential services, critical suppliers or digital service providers, as defined by the NIS Regulations.”

This new clause would require the Secretary of State to review the impact of incident reporting requirements on relevant bodies, and to set out proposals for a single incident reporting channel.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

I will begin by discussing clauses 15 and 16. Clause 15 updates the incident reporting provisions in the Network and Information Systems Regulations 2018. Under the current regulations, organisations are required to report incidents only once they have had a significant impact on service continuity. It is widely recognised that this is too narrow, and results in a range of concerning incidents going unreported and a distorted picture of how secure and resilient the UK’s essential services actually are.

To take two examples: a ransomware attack where confidential data has been exfiltrated from an organisation without an immediate impact on service would not be reportable; nor would a pre-positioning attack, where a hostile actor has hacked into a network and is in a position to cause significant disruption down the line, such as to the provision of drinking water. That cannot be right, and does not reflect the cyber-threats that critical services face.

To ensure such incidents are caught, the clause sets a new, wider definition of incidents that must be reported. The focus is now on incidents that have successfully affected the security or operation of an organisation’s network and are likely to have a significant UK impact, which will ensure that regulators and the National Cyber Security Centre are fully aware of the range of cyber-threats affecting the UK’s essential services.

The Bill sets out the factors that should be considered when assessing whether an incident has had, or is likely to have, a significant impact in the UK—including, crucially, whether the confidentiality, authenticity, integrity and availability of data has been compromised. The Government will provide further clarity in secondary legislation, setting out thresholds for each sector for when an incident is considered to have had, or be likely to have, a significant impact. That will be consulted on before it is introduced. Taken together, it means that only meaningful incidents are reported. Over-reporting has been a concern raised by hon. Members throughout the Bill’s progress, so I stress this point: things such as unsuccessful phishing emails will clearly not be reportable, as they would not be likely to have a significant impact.

Given our economy’s systemic dependence on data centre facilities, for that sector alone we will also ensure that Ofcom and the NCSC receive reports on a wider range of potential incidents and near misses. That ensures that not only immediate disruptions but incidents posing future risks are reported.

Clause 15 also streamlines the reporting process for all NIS sectors. It ensures that incident notifications and reports go to the NCSC at the same time as the regulator. It also sets out what those organisations can do with the information they receive, including how the information can be shared to manage the wider impacts of an incident or prevent future incidents. Finally, the clause introduces faster reporting, so that the NCSC and regulators are informed within 24 hours of entities becoming aware that a reportable incident is taking place.

The 24-hour notification will be light touch, but will enable the NCSC and regulators to offer faster support to minimise the negative impacts of the incident. Fuller details will need to be reported within 72 hours of the entity becoming aware that a reportable incident is happening. The changes will protect the UK’s essential services, ensuring that the NCSC and regulators are able to provide the best support that they can.

Clause 16 sets out requirements for managed service providers, relevant digital service providers, and operators of data centres to inform customers who are likely to have been adversely affected by a reportable incident. Under the current regulations, there is no requirement for any regulated entity to inform its customers if it has been impacted by a reportable incident. That may have made sense when the NIS regulations were more heavily focused on operators of essential services and the primary concern was service disruption, but it would be an inexcusable omission now that the Bill is expanding to include managed service providers and operators of data centres, in addition to the digital service providers already in scope.

These are organisations that, if compromised, could leave their customers’ systems, data or services exposed or inaccessible. In such circumstances, it is vital that their customers are notified, so that they can take whatever steps they need to in order to mitigate those risks.

Bradley Thomas (Bromsgrove) (Con)

I have two points for the Minister to address. First, could he clarify whether an organisation would face repercussions if a regulator believed in retrospect that notification should have been provided sooner? Secondly, on customer notification, can the Minister address the concern around striking the right balance between informing the customer and ensuring that the update that they receive is meaningful and not so vague that it causes further distress or worry?

Kanishka Narayan

I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.

On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.

Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.

Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

New clauses 6 and 7 sit together and are linked by the same practical concern regarding clarity and workability when an incident is unfolding.

I will start with new clause 6. Ransomware is no longer an occasional or unusual cyber-event; it is now one of the most common and disruptive threats facing essential services, digital providers and their supply chains. Written evidence to this Committee was clear that ransomware incidents are now routine, high-impact events, and that uncertainty at the outset of an attack often makes the consequences worse. The Bill rightly broadens the definition of an incident to capture events that are capable of causing harm, not just those that already have. That is the right direction of travel, but when organisations are under pressure, particularly in the first 24 hours of an incident, uncertainty slows action. Time is lost debating definitions rather than focusing on containment, escalation and reporting.

New clause 6 addresses that problem directly. It makes it explicit that a ransomware attack is an incident for the purposes of the NIS regulations, and sets out clearly what is meant by ransomware attack. It would not create a new duty; it would remove doubt from an existing one. Clear definitions support better behaviour when organisations are operating under real pressure.

New clause 7 follows naturally from that point. If we want faster and clearer reporting, the system into which organisations are reporting has to work in practice, not just on paper. The Bill expands reporting requirements and introduces new notification duties. That is understandable, but UK Finance told the Committee that many firms already support cyber-incidents under multiple regulatory regimes and that additional reporting layers risk duplication rather than resilience. When an incident is live, that duplication causes friction, slows the response and increases costs. It can reduce the quality of information being shared because teams are stretched across parallel processes rather than focused on managing the incident itself.

We do not seek in new clause 7 to reopen the policy intent of the Bill; the new clause would require a review, once these changes are in force, of how the reporting requirements are working in practice. That review would consider costs and interactions with other reporting frameworks. The new clause would also require that proposals for a single cyber-incident reporting channel be published. That is not a bureaucratic exercise; it reflects concerns raised in evidence that resilience is undermined, not strengthened, when reporting becomes fragmented at moments of stress.

Taken together, new clauses 6 and 7 are about making the system clearer at the front end and more usable overall. Clear definitions encourage timely reporting and coherent reporting channels make that reporting effective. I hope that the Committee will give serious consideration to both new clauses.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Dr Murrison, and it is always a pleasure to follow my hon. Friend the Member for Bognor Regis and Littlehampton. I will speak to clauses 15 and 16 and to new clauses 6 and 7, tabled in my name on behalf of His Majesty’s loyal Opposition.

The previous Government stated in their consultation covering the subject of cyber-incident reporting that security breaches that did not result in a successful attack could still leave organisations open to follow-up attacks. It was identified that reporting how the breach took place would also allow regulators and other organisations to prepare for similar attacks in the future. It is therefore a welcome development that clause 15 significantly increases the scope and speed of cyber-incident reporting by regulated entities to competent authorities and the NCSC.

That increase in scope is achieved by broadening the definition of reportable incidents from the current position, where only cyber-attacks having an actual adverse effect are reportable, to a position where cyber-incidents that are capable of having an adverse effect on the operation or security of network and information systems must also be reported. The Government’s explanatory notes for the Bill state that this change in definition

“is designed to include incidents that have compromised the integrity or security of a system without causing significant disruption yet, but that could have potential significant impacts in the future.”

This has been broadly welcomed by industry stakeholders as a measure that should provide regulators with greater intelligence about emerging threats, leading to improved risk management and hardened resilience in their sectors.

On the importance of intelligence gathering, we heard evidence from David Cook of DLA Piper and Chung Ching Kwong of the Inter-Parliamentary Alliance on China, among others, about the increasing use of prepositioning and “live off the land” technologies deployed by malicious actors. Once systems are infiltrated, attackers remain in systems, sometimes harvesting data, waiting for the moment when they can cause maximum harm and disruption. Those serious risks should be flagged to regulators wherever they are identified.

Dr Sanjana Mehta of ISC2 described problems of underreporting in relation to the existing NIS regulations regime, and welcomed the principle of expanding reporting, as did Jill Broom of techUK. However, both cautioned that while some high-level factors have been provided as to the criteria indicating whether an attack should be reported, such as the number of users, impact, duration of interruption and geographical reach, what is not clear at present are the thresholds that are linked to those criteria. Those details are vital if reporting is to be successful in ensuring that regulators are kept apprised of the most serious threats.

Dr Mehta summarised that concern succinctly in her comment:

“In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators”. ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 16, Q14.]

Likewise, techUK has stated in its written briefings on the Bill that

“technically any phishing email is ‘capable of’ having a significant impact if the organisation lacks adequate detection or response capabilities. This will lead to over-reporting of low-level incidents and potentially overwhelm regulators, thereby distracting attention from genuinely significant threats.”

As in many aspects of the Bill, the problem is not in the principle but in the detail. We heard in oral evidence about the concerns of industry and regulators regarding the availability of suitably qualified personnel to build capacity for effective regulatory oversight. We must be alive to that important consideration in ensuring that thresholds are proportionate and risk-based.

The Government have stated in their factsheets on the Bill that they intend

“to introduce thresholds through secondary legislation before this measure is brought into force”

and after a period of consultation. They have also said that those thresholds will

“clarify the points at which we would consider the impact of an incident to be ‘significant’, and therefore reportable to regulators”.

What discussions has the Minister had to date with regulated entities and regulators about the approach to consultation on these thresholds? What is the feedback on what those organisations consider to be reporting priorities?

09:44

Clause 15 also introduces comprehensive, updated procedures for reporting cyber-security incidents. The timetables for reporting are shorter than existing ones, requiring regulated entities to make an initial report within 24 hours of discovering an incident, and a more comprehensive report within 72 hours. In each case, both the relevant competent authority and the NCSC must receive those notifications. The initial report must include the entity’s name, the essential service affected and brief details of the incident. Full notifications must set out more in-depth information, including timing, duration, whether the incident is ongoing, information on the impact of the incident or the impact that is likely to occur, and whether the incident was caused by a separate incident affecting another regulated entity.

The clause gives the NCSC enhanced information-sharing powers in relation to operators of essential services and data centres, which enable it to inform authorities and other jurisdictions when incidents could have a significant impact on the security of network and information systems in those countries. Given the intensifying nature of cross-border enterprise in supply chains—including in the provision of digital services such as cloud services and data centre capacity—such information sharing is a desirable and increasingly necessary measure.

In the traditional national security domain, cross-border intelligence sharing, subject to appropriate safeguards, is already vital to protecting our daily freedoms and the functioning of society. It is only right that co-operation should be extended—again, subject to appropriate safeguards—to the cyber-security domain, given the broad acknowledgment that cyber-security is vital and a growing element of our national security.

The NCSC has also been granted powers—subject to consultation with the regulators and the reporting entity—to share information about cyber-incidents to manage or prevent further risks, or where the NCSC believes that disclosure of information would be in the public interest. Given the widespread, knock-on effects of attacks such as data breaches on individuals, those powers are clearly necessary and useful. That consideration is reflected in clause 16, which obliges regulated entities to make their customers aware of incidents where their data has been compromised.

Notwithstanding the necessity of the clauses, some industry stakeholders have expressed concerns about the extent of regulator information-sharing powers under the Bill more generally. Can the Minister provide reassurance, beyond the thin information on the face of the Bill, regarding the safeguards that will be in place to prevent the sharing of sensitive information that could impact the businesses of regulated entities?

I move on to new clause 6. The Government have acknowledged through their recent consultations the particular risk presented by ransomware attacks to the UK economy. However, they have not yet brought forward formal legislative proposals for a broader reporting scheme. In the last year, ransomware was deployed in some of the cyber-security attacks that have raised public awareness of cyber-security and caused the greatest disruption to jobs, supply chains and the economy.

We heard in oral evidence from Detective Chief Superintendent Andrew Gould that critical national infrastructure is less likely to be attacked by ransomware groups, but beyond those entities, ransomware is one of the principal security threats to businesses. For so many small and medium-sized enterprises and smaller organisations, those attacks have the potential to be fatal to business models.

Chris Vince (Harlow) (Lab/Co-op)

Will the shadow Minister give way?

Dr Spencer

I am more than happy to give way to the hon. Member for Harlow.

Chris Vince

I thank the shadow Minister for remembering my consistency—I have not mentioned Harlow. How is the new clause helpful, given the potential confusion it causes with listing a specific kind of incident as well as the generic one?

Dr Spencer

The Opposition are trying to make it clear that ransomware needs to be in the scope of the reporting. It is really for the Minister to answer if he thinks there are problems with the new clause, and if so, how the Government will go about taking that forward. The widespread and highly damaging nature of ransomware attacks—which are often perpetrated by criminal groups at scale and speed—means that regulators need to have a detailed oversight of this area to prevent those attacks from being deployed more widely. Therefore, the new clause is intended to ensure that all ransomware attacks on regulated entities are reported, regardless of severity or potential severity, so that the risks are picked up.

In tabling new clause 6, I am acutely aware of the existing reporting burden for regulated entities and regulators. Since tabling it, we have heard impactful evidence from Carla Baker from Palo Alto, who highlighted the number of cyber incidents and false positives that many companies encounter each day. As I said in response to an intervention, in the absence of measures brought forward by the Government to address the widespread and urgent risks presented by ransomware attacks—and as the Government themselves identify as part of the Home Office’s review—it would be proportionate to make specific reference to ransomware in the reporting requirements on regulated entities in the Bill.

New clause 7 reflects the concerns of regulated bodies and industry representatives who have set out many, many times—in oral evidence and beyond—the need to ensure that reporting obligations are clear and, as far as possible, simplified across the many different incident reporting regimes that exist for providers of digital services. The new clause would compel the Secretary of State to publish an assessment of the impact of the new reporting regime on regulated entities in the Bill within 12 months of Royal Assent. Importantly, in line with the clear requests articulated by many stakeholders who gave evidence last Tuesday, it requires the Government to publish proposals for the creation of a single cyber incident reporting channel for relevant bodies.

Dr Allison Gardner (Stoke-on-Trent South) (Lab)

I worked for the AI and digital regulations service in the NHS. We were linking with all of the regulators to try to have a one stop, one shop door approach to how we do things. It was incredibly difficult, and three years on we were still ironing out all the glitches. New clause 7 is laudable, but because I know how difficult it is, a 12-month proposal is a very tight timeframe in which to try to get this right.

Dr Spencer

I thank the hon. Lady for her intervention. New clause 7 puts forward an assessment of the impact. It is not intended to make definitive changes, but to give time. I have confidence in the Government and the Minister that within 12 months—it is the kiss of death to say that one has confidence at the minute, is it not? [Laughter.] I apologise to the Minister.

Dr Gardner

I will defend myself: my point was not a criticism of the Government. I just know how hard it is for regulators to work together and iron out cross-working. They were very confident in their information-sharing skills, but it is more difficult than that. It was just a kindly meant reminder that there is not an easy solution, and that 12 months is a bit of a tight timeframe.

Dr Spencer

I very much take the hon. Lady’s point and the constructive spirit in which it was presented. Twelve months is a long time for the operations of Government to function, and I have faith—I will change my words—in the Government and all of their powers if they wanted to put their minds to bringing this forward. If there are concerns about the ability of the Department for Science, Innovation and Technology to take this forward, those concerns would spill over into all of the consultation requirements that have to be met to make sure that this Bill functions in the correct way. The argument on what we are debating today could swing both ways.

Industry stakeholders have expressed strong concerns regarding the diverse incident reporting requirements that exist in several pieces of legislation, including UK GDPR, sector-specific regulation and the Telecommunications (Security) Act 2021. As we have already discussed, the Home Office may also bring forward guidelines for reporting ransomware incidents in future. Additional reporting requirements and procedures included in the Bill are viewed as adding a further layer of complexity to a legislative environment that is already very challenging to navigate. Stakeholders report that the current approach, with multiple different reporting procedures and platforms, increases regulatory compliance costs on businesses and detracts from the resources available to implement effective improvements in cyber-resilience. In view of that, will the Minister support this urgently needed review clause to assure industries that the Government have heard their serious and vital concerns on the matter?

Bradley Thomas

It is a pleasure to serve under your chairmanship, Dr Murrison.

When introducing new legislation, it is essential that those who fall under its new regulations be clearly identified and given adequate time to prepare for compliance. However, despite the aims of the Bill and the wish to avoid worsening a cyber-attack incident, the Bill still presents far too much ambiguity. It is right to recognise the cyber landscape as continuously evolving. There is no dispute that this terrain becomes increasingly complex each day, requiring a level of flexibility in legislation to ensure that it keeps pace. However, this desire to safeguard such adaptability, and the goal of future-proofing, must not come at the expense of the effectiveness of legislation in the present day.

The powers afforded to the Secretary of State to change the classification of essential activity, and to bring new sectors into scope of the Bill at any time, undoubtedly create uncertainty for many sectors and cast a shadow over long-term compliance. To be clear, we want organisations to comply with this legislation. We want to improve national cyber-resilience, gather vital intelligence and restore public confidence in our security. Why, then, would there not be a significant effort to make these regulations as easy to apply as possible, rather than leaving thousands of businesses second-guessing whether they fall within scope, with the pressure of large financial penalties hanging over their heads?

In addition, many will know that I am a firm supporter of parliamentary process. I support the notion that all legislation should receive the scrutiny it is due by the democratically elected Members of the House of Commons. That is why I believe the Bill must not only set out clearer guidelines for who is in scope, but require an official amendment, debated in the House, to permanently bring any new sectors into scope after the Bill has been passed.

I understand that, in times of emergency, the longer process of House of Commons scrutiny may not always be possible. That is why the Secretary of State should have powers to bring in sectors necessary in an emergency temporarily into scope, with less imposing of non-compliance penalties until their inclusion is made permanent by the House. Such an approach would not only allow for the quick reactions that cyber-security demands, but respect parliamentary processes and safeguard against organisations’ being unaware that they had suddenly been brought into scope until they received a potentially financially ruinous penalty notice for non-compliance.

Looking at the need for more definitive guidelines on who will be regulated under the Bill, we have already heard from numerous industry stakeholders that are unsure whether they, or other organisations in their sector, will fall within the mandatory scope. In addition, industry experts have publicly shared concerns about how far the net may be cast in some sectors, leading to the unintentional inclusion of organisations that are critical only to a single larger organisation, rather than to our national security, while ignoring other essential sectors altogether. Looking at recent cyber-attacks that have had a significant impact on our country, it is concerning that the definition of essential services may not include them within scope.

While it is predicted that many of Jaguar Land Rover’s supply chains will be in scope, it has been publicly questioned whether it will be included. As the largest car manufacturer in the United Kingdom, it directly employs over 30,000 people across the UK and supports around 100,000 jobs indirectly. It is therefore no surprise that the cyber-attack it endured, estimated to have had a financial impact of over £1 billion, was significant to many, including more than 5,000 organisations impacted and many of my constituents, with JLR being one of the largest direct and indirect employers in the west midlands region. How, then, if a key aim of the Bill is to ensure that all essential services whose disruption would profoundly impact our nation in the event of a cyber-attack report all major incidents, can the vagueness of the definition of essential services be allowed to stand—especially when it creates a situation in which previous key victims are excluded?

Of course, JLR is not the only victim where questions of inclusion remain. Also potentially falling outside the regulatory reach is Marks & Spencer, whose recent cyber-attack was another stark reminder of the rapidly advancing cyber-crimes scene and caused significant disruption, with costs estimated to run into the millions of pounds. Having met with M&S representatives recently, I had the opportunity to discuss their experience of enduring such an attack. Archie Norman, M&S chair, gave evidence to the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, where he said that “a growth economy” is “a cyber-resilient economy”.

Having a cyber-resilient UK, and making the UK the safest place to do business, is a competitive advantage. I agree with that sentiment and firmly believe that increasing our cyber-resilience can only benefit our economy. It is imperative that we get this right. These cyber-threats are not going away; they are only going to get stronger and more technically advanced. We have seen that in the past year, with the National Cyber Security Centre reporting a 50% increase in British cyber-incidents deemed highly significant. Indeed, representatives of M&S told me that, at times, they found it much easier to get updates and information from the United States FBI than they did from our own authorities. We also know that foreign hostile states are becoming bolder in their actions against us.

A few months ago—as a reason for introducing my ten-minute rule Bill, the Cyber Extortion and Ransomware (Reporting) Bill—I stated that research had revealed that 74% of UK IT leaders cited China and 71% cited Russia as their top cyber-security concerns. It is undisputable that last year’s espionage trials threw a harsh spotlight on the threatening scale of state-sponsored cyber-attacks.

Improving our national cyber-resilience, and safeguarding all our infrastructure and essential services, including in the private sector, is vital in order to secure a prosperous economy and reinforce public confidence in our ability to defend ourselves against such threats.

10:00

Emily Darlington (Milton Keynes Central) (Lab)

I have a few questions for the Minister. I appreciate the clarity that the Bill brings to many of the services in its scope. I would like to understand how the definition of “incidents” will relate to hardware vulnerabilities that are discovered within a company, as we heard from some of the people who gave evidence to the Committee. It is unclear in the Bill. Perhaps it will be further defined in secondary legislation.

I want to understand how an incident in which someone discovers a vulnerability in hardware—such as in a system-in-package—is reported, and how that information is then delivered by the regulator to other companies in the sector that may have similar technology, and to the other regulators, which may also want to flag that technology as a particular vulnerability. Is that defined as an “incident” or is it defined somewhere else in the Bill? I am a bit confused and am looking for some clarity.

Kanishka Narayan

Having been promoted from a position of mere confidence to faith, I will tackle questions from the hon. Member for Runnymede and Weybridge first and foremost. On the question of thresholds of incident, the Bill sets out the severity of the sorts of incidents that we expect reporting obligations to apply to, and at the same time it ensures that it is proportionate in understanding that sector-specific thresholds ought to be precisely that—sector specific, set closely with relevant entities in that sector, and working with the expertise of the relevant regulators. For that reason, it has not been specified more fully on the face of the Bill.

On information sharing, not only is there provision for the specific sets of purposes for which information sharing ought to take place between regulators, but there is a further check on the proportionality of that, through a particular requirement, to ensure that information that is shared in incident contexts is done precisely for the purposes set out in the Bill, and in a way that is proportionate.

My hon. Friend the Member for Milton Keynes Central raised the question of hardware impacts. While the focus of the Bill is primarily on network and information systems, the test, as I think of it, would look at whether any compromise in network and information systems related to a piece of hardware triggers the severity of the impact, or potential impact, to be reportable. In the event that it is reportable, in its severity and potential impact, it will require notification—to the regulator and, when customers are directly impacted in the way that is set out in the Bill, also to the customers. The test is focused on whether network and information systems are engaged, and whether the impact of any incident is likely to be severe enough, in light of the thresholds set out in the Bill.

Lincoln Jopp

My hon. Friend the Member for Bromsgrove raised the case of M&S, which would clearly be out of the scope of the Bill. However, it has a managed service provider, so it is a bit like the JLR case. I am still looking for some certainty as to whether JLR and M&S would come within the scope of the Bill by dint of the fact that they have managed service providers, which are within the scope. I am still not 100% clear on the answer to that question. I would be grateful for greater clarity from the Minister.

Kanishka Narayan

I hope this does offer the clarity that the hon. Member seeks. While I will not refer to specific businesses, broadly speaking the sector of food supply is not within the scope of the Bill; the obligations on operators of essential services or direct entities that are within the scope of the Bill will not apply.

However, if—in a hypothetical situation—a managed service provider within the scope of the Bill supplies to that business, the managed service provider would be within the scope of the Bill’s requirements. The customer—in this case, the food supply business—may, if the severity applies, be in receipt of reports from the relevant MSP, in this particular context. They will not be caught up in the full set of obligations in the Bill, but we would expect customers to be notified of incidents where the severity thresholds are met. I hope that gives the hon. Member some clarity.

Lincoln Jopp

I am grateful to the Minister for giving way a second time. I understand his answer, but, to be clear, if an incident that meets the severity threshold is reported to a client who is out of scope, would that bring any obligation to report in the normal way?

Kanishka Narayan

Under the provisions of this Bill alone, only the entities specified as critical suppliers or operators of essential services—the relevant digital providers and so on—would be caught up in obligations if an event occurred. Assuming neither of those is true of a food supply business, the Bill’s provisions would not apply.

At the same time, in the sort of incident that the hon. Member describes, we would expect the NCSC to be deeply engaged, assuming severity thresholds and wider risks are applied. We would work closely on that operationally and I am sure we would look at how that business could be supported more widely. But the Bill’s provisions are really focused on the sectors, and entities within those sectors, that have an immediate threat to day-to-day operations such as a potential threat to life. There are reasons, which we can get into later, as we have done previously, why we set the sectoral scope in that way.

New clause 6 seeks to clarify that a ransomware attack falls under the definition of “incident” within the NIS regulations. I share the concerns of the shadow Minister and the hon. Member for Bognor Regis and Littlehampton about the significant disruption that ransomware attacks can cause. Indeed, last year we saw the impact of the ransomware attack on Synnovis, a supplier to the NHS, which resulted in the delay of 11,000 out-patient and elective procedure appointments. The hon. Member for Bognor Regis and Littlehampton and the shadow Minister are quite right that this kind of attack should be considered an incident under the NIS regime. Because of the changes to incident reporting introduced by the Bill, I can confirm to the Committee that ransomware attacks will be in scope.

The Bill updates the definition of “incident” so that it applies to any event that has, or is capable of having, an adverse effect on the operation or security of network and information systems. Ransomware attacks already fall well within that definition. Although I welcome the principle and intent behind the new clause, its content is already addressed by the Bill. I hope that assures hon. Members across the Committee.

New clause 7 would require the Government to publish a review of the new incident reporting regime within a year of the Bill’s receiving Royal Assent. It is important that the effectiveness of the NIS regulations, including the reforms to incident reporting introduced by the Bill, should be reviewed periodically. That is why the Bill requires the Government to conduct a review and lay it before Parliament once every five years. That timeframe will enable the new regime to bed in and allow a meaningful period of time to measure change before the Government report on its effectiveness. As my hon. Friend the Member for Stoke-on-Trent South said, notwithstanding her and the shadow Minister’s confidence in me and the Government, to publish a review after only one year would risk giving an incomplete picture, as regulators and regulated entities may still be transitioning to the new processes.

The new clause would also require the Government to publish proposals for a single reporting platform for cyber-incidents, again within a year of the Bill’s passing. We have heard the clear ask from businesses to minimise the time they spend filling in different reporting templates following an attack, to ensure they can prioritise the technical response. I share the concerns of the hon. Member for Bognor Regis and Littlehampton, and we are exploring all options to enable a proportionate and efficient reporting system. That said, setting a fixed time limit of one year to develop proposals does not reflect the inherent complexity of the task and the need to get it absolutely right for the businesses in scope of the Bill, not least because the proposals will need to be rigorously evidenced, consulted on and tested. For those reasons, I am unable to accept the new clause.

Question put and agreed to.

Clause 15 accordingly ordered to stand part of the Bill.

Clause 16 ordered to stand part of the Bill.

Clause 17

Powers to impose charges

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.

The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.

The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.

Bradley Thomas

I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?

Kanishka Narayan

I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.

On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.

The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.

I commend the clause to the Committee.

Dr Spencer

Clause 17 will amend the NIS regulations to provide a framework for regulators to impose charges on regulated entities to recover the costs incurred by them in carrying out their supervision and enforcement functions. The Government’s explanatory factsheet supporting the Bill suggests that those changes are needed to ensure that regulators are

“better resourced to carry out their responsibilities.”

We have heard at length from witnesses in oral evidence sessions that resourcing is a key consideration for regulators in meeting their new and expanded obligations under the Bill. The concept of our regulators’ being better funded is good. However, as with much of the Bill, the lack of detail around the regulator charging model is causing uncertainty among regulated entities that would be liable to meet the associated costs.

10:15

Several aspects of the proposed charging regime require further elaboration, including the intention to enable authorities to recover the costs “or expected costs” incurred in connection with their functions. That involves a heavy degree of cost forecasting on the part of the regulators, which is to be expected to a certain extent, but what guidance will the Government provide to ensure that the approach to estimating costs is both transparent for regulated entities and consistent across regulators?

Furthermore, the clause establishes that charges payable by regulated entities under the scheme

“need not relate to the exercise of functions”

in relation to that organisation. That may be common practice on a smaller level in professional regulatory models where the members, such as doctors, lawyers and accountants, pay a fee for oversight functions to the regulator, which may not regulate them personally. On that basis, I should declare an interest: I am registered under the General Medical Council and therefore regulated accordingly. However, in circumstances such as the regulation of cyber-security, regulatory activity may involve protracted, technically complex investigations involving multiple personnel over many months, or even years. The costs associated with that type of activity are substantial.

The Government said that

“cost recovery measures will be brought into force through secondary legislation following Royal Assent. This will ensure that regulators have time to prepare and conduct consultations on fee regimes.”

Can the Minister give any indication now on how cost recovery charging is likely to be distributed among sectoral entities? Will larger organisations be asked to meet a greater proportion of the costs, or will there be a flat regulatory fee across all entities that is topped up by reference to size or risk profile?

Another objection raised by industry stakeholders is that the charging regime effectively acts as an additional operational tax—one that, at present, is not possible for regulated entities to ascertain or plan for as part of their budgeting. Industry representatives have pointed out that funds allocated for regulatory fees are often diverted from operational security measures. For SMEs and mid-sized MSPs in particular, these charges represent a tangible reduction in available capital for technical controls and innovations. Any charges must therefore be transparent, proportionate and justified.

Another concern is that a regulator funded by organisations within the remit of its oversight may have reduced incentives to prioritise efficiency in the exercise of its duties. Which comparable regulatory regimes have the Government looked at for inspiration in planning this funding model? Which regulators are regarded as successful in their approach to oversight and enforcement, and is there any correlation between that and their funding models?

Kanishka Narayan

The shadow Minister raised two main points that I am keen to address. The first was about ensuring that I committed to next steps on potential guidance for the charging scheme. I can confirm that the Government will issue guidance for competent authorities. That will include general directions on how the fee regime ought to be implemented. At the same time, we do not intend to be prescriptive as to how competent authorities should recover costs to benefit from their experience and practice in setting up these regimes. It is important that each regulator is able to tailor their fee regime in a way that is consistent with and complementary to the state of their sector.

Lincoln Jopp

On the subject of charging and money, has the Minister had the opportunity to revisit his own impact assessment on the basis that there might be a glitch in the matrix? It says on multiple occasions that the hourly salary for a contract lawyer is £34 an hour. When we discussed it last week, I contended that this was totally unrealistic, probably to a factor of 10.

Kanishka Narayan

I am reminded of the hon. Member’s point last week. I am happy to write to him on the basis of the precise figure in the impact assessment, which I understand to be based on not just an extensive survey but the application of subsequent uplifts. I am more than happy to continue that conversation in correspondence.

On factors that ought to be considered in setting up charging schemes, I mentioned some, such as size and turnover, but I will flag that those are suggestive and indicative rather than exhaustive factors that regulators may consider. Regulators ought to be able to set different levels of fee for different types of organisations. There is also provision to exclude organisations from a charging scheme altogether if it would be disproportionate or counterproductive to include them. It is appropriate that regulators and competent authorities can vary their charging schemes in the light of that.

On current regulatory performance and its correlation with charging schemes, I have not observed any direct correlation. What I have seen, simply, is that some regulators are clearly doing well. We heard in evidence from a range of participants that in some cases things are working particularly well and that, in others, there is more scope for improvement. That is precisely why the Bill sets no fundamental lowest common denominator for how regulators ought to approach either charging or their enforcement duties; instead, it ensures that we are conducting oversight of each regulator as robustly as possible. I assure hon. Members that the question of regulatory enforcement is central and that the motivation behind the charging scheme is precisely to ensure that regulators are well resourced to implement the Bill.

Question put and agreed to.

Clause 17 accordingly ordered to stand part of the Bill.

Clause 18

Sharing and use of information under the NIS regulations etc

Kanishka Narayan

I beg to move amendment 14, in clause 18, page 38, line 31, at end insert—

“(aa) otherwise in connection with—

(i) the security and resilience of network and information systems, or

(ii) any other matter relating to cyber security and resilience,”.

This amendment would allow NIS enforcement authorities to share information with persons listed in regulation 6(2) (inserted by clause 18), and such persons to share information with NIS enforcement authorities, for purposes relating to the security and resilience of network and information systems or cyber security and resilience.

The Chair

With this it will be convenient to discuss the following:

Government amendments 15 to 18

Clause stand part.

Kanishka Narayan

The clause introduces vital reforms to how information can be shared in the context of the NIS framework. Right now, as we have heard again and again from both hon. Members across the Committee and witnesses, the NIS regulations have limitations that restrict how and with whom information can be shared. That has serious implications for the effectiveness and efficiency of the regime including business burdens as well as the ability of the UK’s authorities to act on national security or criminal intelligence.

One important limitation in the current regulations is the inability of regulators to share information with many public authorities in the UK and vice versa. For example, NIS regulators currently cannot share information to support the evaluation of the NIS framework or policy development relating to cyber-resilience and national security. The clause addresses those concerns by enabling information to be shared between NIS regulators and UK public authorities, including the Government. That will be done for the purposes of supporting the NIS regulations as well as wider objectives alike, reducing business burdens and for national security and crime purposes.

The clause also imposes strict requirements and safeguards on how the information can be further shared. The net effect of the changes will be fewer burdens on business, better and more informed regulatory decision making, joined-up incident response and improved security for the United Kingdom.

Government amendment 14 makes targeted but important changes to the clause. It proposes a further ground for sharing information focused on wider cyber-security and resilience outside the context of the NIS regulations and NIS sectors. In practice, it means that NIS regulators will be able to share information with regulators who are responsible for overseeing the cyber-security and resilience of other vital sectors under different regulatory frameworks and vice versa.

The amendment is a crucial addition to the Bill. It means that the UK’s regulators can think holistically about the risks that their sectors are facing, the interventions they propose to take and the obligations they are placing on business. That in turn will mean better outcomes, more effective and informed incident response, more co-ordinated oversight and lower business burdens.

The amendment will be particularly important in supporting co-ordination with the financial regulators responsible for the critical third parties regime, which could be used to designate organisations already in scope of the NIS regulations such as cloud service providers. It also anticipates the need for co-ordination for other sectors, such as civil nuclear and space, in the future. In short, the amendment is necessary to ensure that UK regulators can take a more co-ordinated approach to protecting the UK’s most essential services.

Government amendments 15 to 18 are consequential on amendment 14. I urge the Committee to support the amendments, and I commend clause 18 to the Committee.

Dr Spencer

Clause 18, which the Government seek to modify through amendments 14 to 18, creates new pathways for information sharing between regulators, public authorities and Government Departments. It also creates a power for NIS enforcement authorities to share information with relevant overseas authorities for specified purposes. The new regime is intended to remove gaps and ambiguities in the existing framework governing the sharing of information obtained in the course of competent authorities and the oversight role of NCSC, and to create legal certainty in this domain.

In turn, it is anticipated that greater information sharing will assist with the detection of crime, enforcement activity and awareness of emerging cyber-risks and with ascertaining the effectiveness of the NIS regulations in building UK cyber-resilience. In particular, the Bill creates a new gateway to ensure that NIS regulators can share information with UK public authorities, and vice versa, as well as sharing and receiving information from organisations outside of the NIS framework, for example other regulators or bodies such as Companies House.

The Bill strengthens safeguards on how information can be used once it has been shared under the NIS regulations by restricting onward disclosure. More effective information sharing will be vital for competent authorities to keep up to date with emerging risks and to build resilience in their sectors, and the new measures were broadly welcomed by regulators in our oral evidence session.

However, industry bodies such as techUK have called for further detail on the new information-sharing regime. What steps are the Government taking to ensure that regulators share responsibility for protecting sensitive data, and that information-sharing processes are coherent, proportionate and secure? Could the Minister elaborate on the discussions he has had with regulators on those matters, and on how secure information sharing will work in practice?

Finally, on the detail of the text in Government amendment 14, proposed new paragraph (aa)(ii) refers to persons

“otherwise in connection with…any other matter relating to cyber security and resilience,”.

Given that this is an information-sharing power, that seems a remarkably broad “any other matter” provision. What disclosures that are not already covered in the Bill does the Minister conceive will come up in that scope? What guidance or consultation will the Minister produce to make sure that such powers are proportionate and not at risk of abuse?

Emily Darlington

Again, I welcome the Government amendments and clause 18; they are important to enabling us to share our vulnerabilities in an appropriate way with those people who may be involved. However, some of the aspects of those vulnerabilities that security services—GCHQ, His Majesty’s Government Communications Centre and others—raised with us relate particularly to not only foreign interference, but the potential for interference through technology embedded in our networks. How does the Minister see the measures working within our co-operation with different foreign nations, particularly during these volatile times?

Kanishka Narayan

In response to the shadow Minister’s first question about ensuring sensitive handling of shared information and proportionality, all information handled by regulators ought to be treated carefully and with awareness of its importance. The regulators have to act reasonably, and the NIS regulations specifically require information obtained from inspections to be held securely. Of course, data protection laws apply to regulators as well. Alongside that, regulators will be required to consider the relevance and proportionality of sharing their information to the purposes set out in the Bill; as I have mentioned, the Bill includes specific purposes for why information might be shared.

10:29

On the broader concern about ensuring that the grounds for further sharing are tightly scoped and, as suggested by the shadow Minister and my hon. Friend the Member for Milton Keynes Central, that they are sufficiently expansive to cater to a range of attack vectors, not least hostile states and associated actors, it is perhaps helpful to set out the motivation for amendment 14. We have been engaging closely with relevant regulators and Departments as we develop the Bill. Feedback from those discussions has demonstrated the need to make changes, so we are acting promptly to ensure that they are reflected in the Bill.

The amendment permits NIS regulators to share information with other public authorities for the purposes of cyber-security and resilience, and only where the information shared is proportionate and relevant to the purpose set out in the Bill. I would not want to specify with prescriptive detail what that is, in the light of the concern raised by my hon. Friend the Member for Milton Keynes Central about the varying nature of attack vectors for cyber-security. I hope that I have provided some assurance that the amendment has been developed closely with relevant regulators.

Amendment 14 agreed to.

Amendments made: 15, in clause 18, page 39, leave out line 21.

This amendment is consequential on Amendment 14.

Amendment 16, in clause 18, page 39, leave out line 24.

This amendment is consequential on Amendment 14.

Amendment 17, in clause 18, page 39, line 26, leave out from beginning to “, or” and insert—

“the provision and availability of data centre services in the United Kingdom”.

This amendment is consequential on Amendments 15 and 16.

Amendment 18, in clause 18, page 39, line 34, leave out

“anything mentioned in paragraph (5)(b)”

and insert—

“the provision and availability of data centre services in the United Kingdom”.—(Kanishka Narayan.)

This amendment is consequential on Amendments 15 and 16.

Clause 18, as amended, ordered to stand part of the Bill.

Clause 19

Guidance

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

Clause 19 sets out that regulators must provide guidance on specific issues, including security requirements and incident reporting notifications. Guidance already plays an important role in supporting the implementation of the NIS regime. We have, however, identified some areas where regulated entities would benefit from additional clarity. The clause ensures that every regulated sector has the guidance they need from their sectoral regulators to help them to comply. To ensure consistency across regulators, the clause also requires regulators to co-ordinate with each other when preparing guidance relating to designating critical suppliers. The clause also requires regulators to consider guidance published by the Secretary of State such as the code of practice when preparing guidance on the security and resilience requirements. That will ensure that regulators consider good practice recommendations and take more consistent approaches to preparing guidance.

Dr Spencer

Clause 19 amends the NIS regulations and will require regulators to publish guidance on the security and incident reporting requirements of regulated sectors. In formulating their guidance, regulators are under a duty to co-ordinate and consult with other regulators to ensure consistency as far as is reasonably possible. Relevant provisions in the code of practice, to be issued by the Secretary of State under clause 36, must also be taken into account. Newly regulated entities will, no doubt, welcome proportionate guidance on meeting obligations, and existing regulated entities will appreciate any streamlining that comes from consultation between regulators and their approach. Can the Minister provide further details about whether consultation between regulators and the Secretary of State is under way on a consistent approach to regulation?

Kanishka Narayan

As I have mentioned to the shadow Minister, the Minister for Digital Economy, the Secretary of State and I have engaged with a number of the regulators in scope here. Both those conversations, and the broader framework of this Bill, are intended to drive consistency across sectors through common security requirements, clear guidance and a statement of strategic priorities, which will set objectives that regulators must seek to achieve. I hope that is sufficient assurance not only that those conversations have started, but that they will be a fundamental focus as we ensure consistent regulation across the board.

Question put and agreed to.

Clause 19 accordingly ordered to stand part of the Bill.

Clause 20

Powers to require information

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.

While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.

New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.

Bradley Thomas

Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?

Dr Spencer

Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.

I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.

Lincoln Jopp

In terms of scope, could the Minister give us some sense, when it comes to managed service providers, whether the purpose behind this clause is to enable regulators to find out their entire client list? I would be grateful for some clarity on that point.

Kanishka Narayan

I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.

To the shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.

Dr Spencer

Will the Minister talk through what the data exchange flow chart will look like? How will it work in practice? Will the OES proactively contact the regulator and say, “We have all these suppliers—go play”? Will the regulator contact the OES and say, “Give us a list of all your suppliers, and then we are going to start an investigation programme and decide what data we need”? What is the direction of communication in practice? Or—perhaps even worse—will the burden be on suppliers to an OES to contact the regulator and say, “Could we possibly be in scope?” How will it shake out in practice?

Kanishka Narayan

Although I will not specify prescriptively what the activity and flow ought to be, I can share from my experience that many large-scale businesses—and indeed many medium and small-sized businesses—have a very clear business continuity plan mapping their critical suppliers. In this case, I would expect the regulator and the regulated entities to engage. Who sends the email first is an open question, and I would not want to specify it in the Bill, but I would expect each regulator and their regulated entities to work very closely to understand the critical suppliers that meet the tests specified in the Bill, and to engage with those critical suppliers as a consequence.

Dr Spencer

The Minister has mentioned business continuity plans a second time as a justification for not going into detail on this, but the whole reason for the Government bringing in the powers in clause 12, and the designation of critical suppliers, is that there was no business continuity plan in place in the example of Synnovis. I do not see how that argument gets away from the need for clarity, for organisations that could be at risk of being in scope of being assessed and designated as a critical supplier, about what actions they have to take in response to regulation, proactively or otherwise, and the burdens on them. We have just discussed the cost of enforcement, which risks essentially becoming a cyber-security tax.

Kanishka Narayan

I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.

I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.

Lincoln Jopp

I might have to remind myself. I asked the Minister whether the purpose of this clause is for a regulator to be able to ask a managed service provider what their entire client list is, in order to make various assessments.

Kanishka Narayan

I thank the hon. Member for asking and repeating the question. The purposes of the provisions on information requirements are focused on ensuring that regulators can conduct their duties as provided by the Bill. I would not expect information notices to require an exhaustive list in every instance, but instead to primarily focus on a more proportionate set of asks relating to risk vectors to the security of the regulated entities and to wider national security and cyber-security.

Question put and agreed to.

Clause 20 accordingly ordered to stand part of the Bill.

Clause 21

Financial penalties

Question proposed, That the clause stand part of the Bill.

10:44
Kanishka Narayan

Clause 21 reforms the enforcement regime for the NIS regulations. It seeks to ensure that providers of the UK’s most essential services are complying with their obligations under those regulations. Where they are not, it will allow for more meaningful penalties that reflect the risks they introduce to our society and economy as a whole. To do that, the clause makes a number of critical changes.

First, the clause introduces a new penalty maximum based on turnover. The current maximum penalty is £17 million, which can appear disproportionately large for smaller organisations, but could also easily be absorbed by larger ones as the “cost of doing business.” The clause therefore increases the penalty limits from £17 million to a maximum of £17 million or 4% of annual turnover, whichever is higher. I am confident that that strikes the right balance within the UK regulatory context. It brings the regime in line with other UK legislation that regulates cyber-security, such as part 1 of the Product Security and Telecommunications Infrastructure Act 2022, without rushing uncritically to the more severe penalties we see in other CNI regulation.

The second change is to create a simple two-band penalty structure that will provide much-needed clarity to regulators and industry about the penalty tiers for specific acts of non-compliance.

Bradley Thomas

On the point about banding, can the Minister assure us that there will be consistency applied across regulators so that different events are not differentially penalised depending on the regulatory body? On the question of turnover and the financial penalty, can the Minister elaborate on how the figure was derived?

Kanishka Narayan

I thank the hon. Member on both fronts. On the penalty bands, clearly defined parameters are set out in the Bill, and my hope is that that increases the effectiveness, the clarity and—at the heart of it, to his question—the consistency of application we expect across regulatory regimes.

As I mentioned, the 4% figure for the maximum penalty in part referenced existing UK regulatory regimes and legislation that were felt to be the most comparable. In part, it was judged to be an appropriate, proportionate maximum, based on relevant concerns around the appropriate level of deterrent effect, the proportionate level of fine, the regulatory precedent and the broader impact on investment and the economy as a whole, notwithstanding the significant cyber-security costs businesses already experience.

The second change in the clause is intended to eliminate the confusion surrounding the definition of a “material contravention” in the current regulations. Finally, the clause ensures that regulators can consider a wider range of factors when determining what constitutes an appropriate penalty. Where mitigating steps have been taken to address a breach, that should be acknowledged, but so too should the impacts of the breach and any history of compliance or non-compliance.

To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed.

Lincoln Jopp

This is really where the regulatory rubber hits the road. Earlier, we described cases involving a client who is not in the Bill’s scope but who employs a managed service provider that is, and that is therefore vulnerable to these charges. What happens when there is an interface between a client employee operating an IT system and what the managed service provider does? For example, someone could bring in a data stick, shove it in the side of a computer and break the rules, eliciting some form of ransomware. How will it work when the regulator goes to the managed service provider and says, “Here’s your £10 million fine,” and the client says, “That is down to you”? It is going to be a lawyer-fest, isn’t it? Even lawyers who get paid more than £34 an hour are going to make quite a lot of money.

Kanishka Narayan

Just so that I am clear, not least for future records, I think the case described is one where the client is not in the Bill’s scope but is provided to by an MSP that is in the Bill’s scope, and where the relevant responsible individual is in the client business as an employee or agent of that business. The hon. Gentleman raises an important point. Both the obligations and the defined focus of the Bill are on regulated entities. In this instance, if the individual is not in the regulated entity and the regulated entity has complied with the entirety of the wider cyber-security reporting obligations in the Bill, we would look to other venues of legal action against the individual in question. It would be challenging for a Bill that does not regulate the entire economy to ensure that every individual and firm unregulated by it is brought into its scope as well. But that is not to diminish the significance of requiring other pieces of law to act on individuals elsewhere.

Dr Spencer

I will come to my speech, but as we are having a debate on this point, does the Minister’s answer not risk a gilded defensive posture being set up by MSPs? If they list terms and conditions for the use of their services that essentially bar everything, they can say that any liability—if there is ransomware or they get hacked—is completely on the client, as opposed to themselves. Does the Minister’s explanation not risk MSPs taking a very defensive posture to ensure that the client is liable for any problem? Given that the clients are usually not regulated entities, this provision effectively becomes meaningless.

Kanishka Narayan

I can see the shadow Minister’s hypothetical point, but I assure him that if there is some universal, consistent practice on the part of an MSP to avoid liability, where liability should reside with them, that should be in scope of how the regulator assesses the performance of that MSP. Secondly, I assure him that there remains a degree of competition in the MSP market, given the attractiveness of the UK customer and end user market for MSPs. I would therefore very much expect any MSP that adopts a falsely defensive posture of the sort that the shadow Minister describes not only to be assessed as doing so by the regulator, but to fall foul of the competitive market context that we have and want in the UK.

To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed. The clause ensures that that is the case for NIS regulations, and for that reason I commend it to the Bill.

Dr Spencer

I think I will follow up in writing on my intervention to try to dig down into the explanation of how liability will be laid down when the client is not a regulated entity but is receiving services from regulated entities. That is an important point, because these are quite hefty fines. As my hon. Friend the Member for Spelthorne pointed out, even with £34 an hour lawyers, there will be a lot of industry activity to try to avoid liability in the context of a substantial cyber breach, which can be significant.

More generally, the clause makes significant changes to enforcement practices under the NIS regulations, including to increase the financial penalties regulators can impose for infringement of the regulations, and to set out a clearer system of tiered penalties, based on the severity of infringements. The Government’s impact assessment states that these changes have been made because of concerns reported by regulators that

“enforcement under the NIS Regulations has been constrained by unclear band structures and a maximum penalty which is insufficient to deter non-compliance across all NIS sectors”,

which goes back to my previous point. Enforcement activity under the NIS regulations has been sparse, inconsistent and insufficiently effective to increase cyber-resilience to the levels necessary to meet the proliferating cyber-security risks to our most critical sectors.

Fundamentally, the existing approach to enforcement has not achieved the necessary change in attitude to cyber-risk at the highest levels of regulated entities. It is concerning that board-level responsibility for cyber-security has steadily declined among businesses since 2021, with 38% of businesses having a board member responsible for cyber-security in 2021, compared with 27% in 2025.

The enforcement model clearly needs to be more effective, and increasing fines is only one part of that. Regulatory capacity to undertake supervision and enforcement remains a concern, as does perceived reticence on the part of regulators to impose fines on critical infrastructure providers, due to the risk of destabilising essential services and increasing costs for consumers. In our oral evidence sessions, many witnesses, including Richard Starnes of the Worshipful Company of Information Technologists, raised the issue of greater responsibility at the highest levels of management for cyber-resilience. What assessment has the Secretary of State undertaken of whether changes to the penalty regime are likely to influence board-level attitudes towards cyber-security?

Kanishka Narayan

The shadow Minister makes a really important point: cyber-security must be taken seriously at the highest level—at board level. It is part of the cyber assessment framework, which the Government have put at the heart of how we think about assessing cyber-security in firms as well as public sector organisations. It is also part of the guidance we are looking at in the cyber action plan and our wider cyber-security strategy. I take those very seriously. In terms of making sure that businesses have a razor sharp focus, the intent of the fine regime is to ensure that there is a deterrent effect and that it is felt at decision-making levels, which must include boards.

Question put and agreed to.

Clause 21 accordingly ordered to stand part of the Bill.

Clause 22

Enforcement and appeals

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss the following:

Government amendment 19.

Schedule 1.

Kanishka Narayan

Clause 22 sets out, through schedule 1, consequential changes to the regulations in relation to enforcement and appeals. That is to ensure that the regulations work effectively in relation to the new entities brought into scope, such as managed service providers, data centres and large load controllers, so that the enforcement and appeal systems work as intended. Government amendment 19 makes a minor drafting correction. I commend clause 22 and schedule 1 to the Committee.

Question put and agreed to.

Clause 22 accordingly ordered to stand part of the Bill.

Schedule 1

Enforcement and appeals

Amendment made: 19, in schedule 1, page 86, line 33, at end insert—

“(ea) in sub-paragraph (da), after ‘14A;’ insert ‘or’;”.—(Kanishka Narayan.)

This amendment would make a minor drafting correction.

Schedule 1, as amended, agreed to.

Clause 23

Minor and consequential amendments etc

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss the following:

Government amendments 20 to 22.

Schedule 2.

Kanishka Narayan

Clause 23, through schedule 2, introduces a number of minor and consequential amendments to the NIS regulations, necessitated by the more substantive changes introduced by the Bill. Among other technical changes, the schedule revokes assimilated EU legislation, removes the requirement for an NIS national strategy to be published once a statement of strategic priorities has been designed in its place, and updates references in the regulations to reflect the new clause numbering. Government amendments 20 and 21 make minor drafting corrections.

Government amendment 22 aligns the process for issuing documents, notices and directions under the NIS regulations with the Bill. As it stands, regulators will be required to follow two different procedures for issuing documents, notices and directions under the NIS regulations and under the national security powers in part 4 of the Bill, which is unnecessarily confusing for regulators and regulated entities. Amendment 22 resolves the issue by aligning regulation 24 with clause 57, as amended by Government amendments 23 and 24. I commend amendments 20 to 22, clause 23 and schedule 2 to the Committee.

Question put and agreed to.

Clause 23 accordingly ordered to stand part of the Bill.

Schedule 2

Minor and consequential amendments etc

Amendments made: 20, in schedule 2, page 89, line 35, at end insert—

“(ia) omit the ‘and’ at the end of the definition of ‘relevant law-enforcement authority’;”.

This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.

Amendment 21, in schedule 2, page 89, line 37, at end insert—

“(iia) omit the ‘and’ at the end of the definition of ‘representative’;”.

This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.

Amendment 22, in schedule 2, page 91, line 4, at end insert—

“11A (1) Regulation 24 (service of documents) is amended as follows.

(2) In paragraph (1)—

(a) in the words before sub-paragraph (a)—

(i) for ‘or notice’ substitute ‘, notice or direction’;

(ii) after ‘served on’ insert ‘or given to’;

(iii) after ‘served’, in the second place it occurs, insert ‘or given’;

(b) omit the ‘or’ at the end of sub-paragraph (b);

(c) for sub-paragraph (c) substitute—

‘(c) sending it by post to the person’s proper address or by email to the person’s email address.’

(3) In each of paragraphs (2) and (3)—

(a) after ‘document’ insert ‘, notice or direction’;

(b) after ‘served on’ insert ‘or given to’.

(4) In paragraph (4), for ‘service’ substitute ‘documents, notices and directions’.

(5) For paragraph (5) substitute—

‘(5) For the purposes of this regulation, a person’s “proper address” is—

(a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;

(b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;

(c) in any other case, an address in the United Kingdom at which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of the person on whom it is to be served or to whom it is to be given.

(5A) For the purposes of this regulation, a person’s email address is—

(a) an email address provided to a NIS enforcement authority as an address for contacting that person,

(b) an email address published for the time being by that person as an address for contacting that person, or

(c) if no email address has been so provided or published, an email address by means of which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of that person.’

(6) After paragraph (5A) (inserted by sub-paragraph (5)) insert—

‘(5B) A document, notice or direction sent to a person by email is, unless the contrary is proved, to be treated as having been served or given at 9am on the working day immediately following the day on which it was sent.

(5C) In paragraph (5B) “working day” means a day other than a Saturday, a Sunday, Christmas Day, Good Friday or a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.’”—(Kanishka Narayan.)

This amendment would align regulation 24 of the NIS Regulations with the provisions about giving of directions and notices in clause 57 of the Bill, as amended by Amendments 23 and 24.

Schedule 2, as amended, agreed to.

Clause 24

Key definitions in Part 3

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss the following:

New clause 1—Food supply chain to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Food supply

Food supply chain

The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

The food supply chain subsector

11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.

(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.

(3) after paragraph 10 insert—

(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—

(i) anything grown or otherwise produced in carrying on agriculture, or

(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;

(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.

(4) In paragraph (3)(b)—

(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;

(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).

(5) In this paragraph—

“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;

“aquaculture” means the breeding, rearing, growing or cultivation of—

(a) any fish or other aquatic animal,

(b) seaweed or any other aquatic plant, or

(c) any other aquatic organism;

“plants” include fungi.

(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

‘(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”

This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.

New clause 8—Local authorities to be regulated as essential services—

“(1) The NIS Regulations are amended as follows.

(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—

‘Local Government

Local Government

The Secretary of State for Housing, Communities and Local Government’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

The Local Government Sector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.

(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.

(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.

(4) In this paragraph “local authority” means—

(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;

(b) in Wales, a county council or a county borough council;

(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;

(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”

This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.

New clause 9—Critical manufacturing and retail sectors—

“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—

(a) the manufacture of critical transport equipment;

(b) the industrial production and processing of food products; and

(c) the retail sale of food and essential goods via large-scale distribution chains.

(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”

This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.

New clause 11—Electoral infrastructure to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Elections

Electoral infrastructure

The Electoral Commission’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

The electoral infrastructure subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.

(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—

(a) maintain a register of electors containing more than 50,000 entries;

(b) issue, receive, or process postal ballots for a parliamentary or local government election; or

(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.

(3) In this paragraph—

“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;

“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.

(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

‘(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.’”

This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.

New clause 12—Political parties to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Government

Political parties

The Secretary of State for Housing, Communities and Local Government’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

The political parties subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.

(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.

(3) In this paragraph—

“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”

This new clause would designate political parties as providing essential services for the purposes of cyber security.

10:59
Kanishka Narayan

Clause 24 defines key terms for this part of the Bill, and in doing so introduces two delegated powers. Those powers enable the Government to bring new sectors into the scope of the NIS regime and to designate regulators to oversee them. The power will be used only in relation to activities that are truly essential to our society and economy—in other words, where disruption could pose risks to life or the economic stability of the UK.

The powers are essential in the rapidly changing world we occupy. As we have seen with data centres and managed service providers, our society and economy can quickly become reliant on new services that are acutely vulnerable to cyber-attacks and system outages. Our legislation must be able to keep up with those changes and protect the services that matter most to our country.

Alison Griffiths

I want to use new clause 1 as a lens to view a wider question that sits underneath clause 24, rather than as a verdict on the clause itself. That question is how we decide, in a disciplined and credible way, which activities are sufficiently critical to be brought into the scope of the regime, and how that judgment is applied consistently over time.

New clause 1 would bring much of the food supply chain directly into scope through primary legislation. I understand the instinct behind that. Food supply is fundamental to public confidence, and disruption would be felt very quickly. However, if the underlying test for inclusion is systemic impact, food is not the only sector that raises these questions. I am vice-Chair of the Business and Trade Committee, and over the past year we have taken evidence on economic security from major UK firms that have experienced serious cyber-incidents. One example everyone here will be familiar with is Jaguar Land Rover. Evidence to our Committee indicated that the cyber-incident there contributed to UK GDP being around 0.1% lower than expected in the third quarter last year, which was not a marginal effect. That reflected disruption to tightly integrated manufacturing systems, with production lines brought to a halt and knock-on impacts across just-in-time supply chains and regional economies.

I make that point to underline something simple: cyber-risk presents simultaneously as operational, financial and reputational risk, and in combination those effects can be felt economy-wide. If that is the rationale for bringing food into scope early, it inevitably raises questions about other high-value sectors where a single incident can have national economic consequences.

That brings us back to clause 24 and the role of the Secretary of State. The Bill is clearly designed to allow scope for provisions to evolve through secondary legislation as risks change. That flexibility is sensible, but flexibility works only if the criteria for widening scope are clear, predictable and capable of being explained to industry, regulators and Parliament. If decisions appear to be reactive or driven by the most recent or most visible incident, confidence in the regime will suffer rather than strengthen.

That concern is reflected in the written evidence we have received. The Association of British Insurers, for example, supports higher standards of cyber-resilience, but it also emphasises the importance of clear definitions and coherence between regimes, particularly where firms are already subject to overlapping regulatory requirements. Its point is not about resisting regulation, but about avoiding uncertainty and duplication, which do not improve resilience.

My questions are ones of principle rather than position. First, what is the settled test that the Secretary of State will apply when deciding to bring a sector into scope under the clause 24 powers, and how will that judgment be made transparent to Parliament? Secondly, if Parliament were to require rapid expansion of scope, how confident are the Government that regulators would have the capacity to supervise a much larger and more diverse population without diluting oversight elsewhere?

I am not seeking to land a conclusion on new clause 1 today—I understand why it has been tabled and I recognise the seriousness of the issues that it highlights—but if we are going to widen scope, to food or otherwise, the Committee is entitled to press the Government on the discipline and guardrails that will sit behind those decisions. This needs to remain a targeted and credible regime, rather than one that expands without a clear and consistent logic.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.

When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to a halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.

We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.

Bradley Thomas

I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.

David Chadwick

The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.

Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.

Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.

Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.

At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed. Its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.

Dr Spencer

Part 3 is a very important part of the Bill. It gives the Secretary of State a range of powers, including ones to bring additional sectors into the scope of regulation, to update the NIS regulations, to publish statements of strategic priorities for regulators and to publish codes of practice that set out cyber-security measures for entities to comply with their regulatory duties.

Clause 24 includes a power enabling the Secretary of State to specify new services that can be brought into the scope of the NIS regulations, and to designate additional regulatory authorities. Those powers are intended to allow the Secretary of State to identify additional critical sectors and respond to emerging threats quickly. That agility introduced by this measure has been broadly welcomed as appropriate, given the fast-evolving nature of malicious cyber-activity.

Given the extent of the Secretary of State’s new powers, however, it is important to put in place guardrails to ensure that the appropriate response to emerging threats is indeed further regulation, rather than market-led or insurance-based mitigations. Can the Minister provide any further information at this stage about the procedure that will be followed in deciding whether to expand the scope of regulation to ensure consistency and transparency?

Hon. Members have tabled several new clauses that would prompt the Secretary of State to use her duties under clause 24. I will speak to new clause 1, tabled by the hon. Member for Warwick and Leamington (Matt Western), and new clause 9, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, together, as they have some thematic overlap. New clause 1 seeks to bring all entities, other than small businesses and microbusinesses, in the food production, distribution and retail supply chain into the scope of regulation as operators of essential services. New clause 9 also touches on the regulation of food supply chains. It would require the Secretary of State to designate retailers of

“food and essential goods (when part of a large-scale distribution chain)”

and manufacturers of “critical transport equipment” as providers of essential services to be brought into the scope of regulation.

Those new clauses reflect concerns about the cyber-attacks targeting the food retailers M&S and Co-op last year. New clause 9 reflects issues raised by the major attack on JLR, which caused such disruption and threatened the stability of regional jobs and supply chains. Those attacks caused significant public concern, but they would all remain out of scope after the Bill comes into effect.

11:15
As to the question of bringing food retailers into scope, the UK is fortunate to have a diverse and competitive supermarket and smaller food retail sector. Consumers in many areas of the country can find ready alternatives in the event of disruption to supply chains interrupting their ability to access their usual supermarket or grocer. As such, there is an argument about whether supply chain entities in the sector necessarily share the same criticality profile of other sectors regulated by the NIS regulations to warrant the regulatory burden on businesses of bringing them in scope. That is particularly so given the low threshold applied in new clause 1, under which only small and microbusinesses would escape regulation. That approach would place the costs and complexity of complying with regulation on any business exceeding 50 staff members. However, the Government should look more closely at the position of individual supply chain entities in very remote or underserved communities, where consumers have little or no choice.

As for the impact of expanding the sectoral scope of regulation in this way, we have already heard in oral evidence some of the challenges faced by regulators in ensuring they have sufficient, suitably skilled cyber-security professionals to ensure an effective approach to regulation. My understanding is that there is a limited pool of such expertise, and it should clearly be deployed to address risk in the most critical sectors and companies. In that regard, there may be a case for regulation in respect of the very largest out-of-scope companies.

The JLR attack highlighted the threat to the UK economy of gaps in the cyber-resilience of organisations that hold a critical place in the UK’s employment market, either directly or through employment provided by their supply chain entities. The Government justified their £1.5 billion bailout in the form of a loan guarantee based on protecting 34,000 directly employed staff and 120,000 supply chain jobs. The truth is that the Government can ill afford to remain in a position where they are forced to stump up similar guarantees to other out-of-scope companies that are deemed too big to fail in the event of future attacks of this type.

The risk is not receding; it is only intensifying, as we can see from the number and scale of attacks over the last year. That is why, in many ways, it is so surprising that the Bill does not address the biggest and most publicly visible cyber-attacks and incidents that we have seen. A solution needs to be found to mitigate the challenge to the UK economy. The first task is identifying companies that have the potential to cause disruption on the scale of JLR in the event of a serious cyber-attack. The Secretary of State should absolutely be reviewing that.

Then there is the question of the most effective response, whether that is regulation, or looking at what role cyber-security insurance can play in companies taking responsibility for the financial consequences of an attack and, critically, shielding the public finances from those consequences. The danger is that very large companies that are critical in our economy are de facto being insured by the Government in the context of serious cyber-attacks. Clearly, that cannot continue. Surely, that is something the Government have considered, so I would be grateful if the Minister confirmed his Department’s plans for addressing this pressing risk.

New clauses 8, 11 and 12, tabled in the name of the hon. Member for Brecon, Radnor and Cwm Tawe, seek to bring local authorities—in relation to their functions in managing electoral rolls and social care records—the Electoral Commission and political parties within the scope of regulation, as operators of essential services. I totally share the hon. Gentleman’s concerns about the threat to our institutions from foreign interference, which goes to the heart of our amendments relating to electoral infrastructure, which we will debate later. We know that attacks on the vital apparatus of our democracy are a focal point of malicious cyber-activity by hostile state actors. The National Cyber Security Centre confirmed that China state-affiliated actors were responsible for cyber-attacks on the UK Electoral Commission and Parliament in 2021 and 2022. In November last year, MI5 issued an alert to parliamentary staff on the risk of Chinese state espionage.

These institutions form the bedrock of a functioning democracy and the Government must urgently look at how they can better safeguard them in a world where emerging technologies are being deployed by malicious actors to undermine the democratic process. NCSC stated in its 2025 report that

“The next UK general election is expected to be the first to rely predominantly on cloud-based Electoral Management Systems”.

To prepare for that transition, the NCSC has said it is

“supporting the Ministry of Communities Housing and Local Government to ensure that security standards and resilience measures are future-proofed.”

Can the Minister update us on that work and his assessment of what further steps are needed to safeguard UK democracy in the face of that growing risk?
Ordered, That the debate be now adjourned.—(Taiwo Owatemi.)
11:20
Adjourned till this day at Two o’clock.

Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting)

The Committee consisted of the following Members:
Chairs: Emma Lewell, Esther McVey, Dr Andrew Murrison, † Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
† Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
† Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
† MacNae, Andy (Rossendale and Darwen) (Lab)
Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty's Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
† Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Public Bill Committee
Tuesday 10 February 2026
(Afternoon)
[Graham Stringer in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
Clause 24
Key definitions in Part 3
14:00
Question (this day) again proposed, That the clause stand part of the Bill.
The Chair

I remind the Committee that with this it will be convenient to discuss the following:

New clause 1—Food supply chain to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Food supply

Food supply chain

The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’



(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The food supply chain subsector

11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.

(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.

(3) after paragraph 10 insert—

(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—

(i) anything grown or otherwise produced in carrying on agriculture, or

(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;

(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.

(4) In paragraph (3)(b)—

(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;

(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).

(5) In this paragraph—

“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;

“aquaculture” means the breeding, rearing, growing or cultivation of—

(a) any fish or other aquatic animal,

(b) seaweed or any other aquatic plant, or

(c) any other aquatic organism;

“plants” include fungi.

(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”

This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.

New clause 8—Local authorities to be regulated as essential services—

“(1) The NIS Regulations are amended as follows.

(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—

‘Local Government

Local Government

The Secretary of State for Housing, Communities and Local Government’



(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The Local Government Sector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.

(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.

(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.

(4) In this paragraph “local authority” means—

(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;

(b) in Wales, a county council or a county borough council;

(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;

(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”

This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.

New clause 9—Critical manufacturing and retail sectors—

“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—

(a) the manufacture of critical transport equipment;

(b) the industrial production and processing of food products; and

(c) the retail sale of food and essential goods via large-scale distribution chains.

(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”

This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.

New clause 11—Electoral infrastructure to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Elections

Electoral infrastructure

The Electoral Commission’



(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The electoral infrastructure subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.

(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—

(a) maintain a register of electors containing more than 50,000 entries;

(b) issue, receive, or process postal ballots for a parliamentary or local government election; or

(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.

(3) In this paragraph—

“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;

“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.

(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”

This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.

New clause 12—Political parties to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Government

Political parties

The Secretary of State for Housing, Communities and Local Government’



(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The political parties subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.

(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.

(3) In this paragraph—

“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”

This new clause would designate political parties as providing essential services for the purposes of cyber security.

Lincoln Jopp (Spelthorne) (Con)

It is a pleasure to serve under your chairship, Mr Stringer. When we left off, we were considering the powers of the Secretary of State to bring new organisations within scope. I am a Conservative, and my view is that the best form of regulation is usually competition, so I am not actually volunteering these sectors for the guards. However, I want to understand the underlying logic as to why certain things have been included and certain things have not.

We have a fairly good guide as to what is essential. The reason we do is that we went through a global pandemic, and the following groups and organisations were designated as absolutely essential for the running of the state: health and social care, which is included; education and childcare, which is not; anything to do with the justice system; religious staff; public service broadcasters; local and national Government, which again is not in the Bill; food and other goods, which, as we discussed, are also not in the Bill, although they are in the new clauses; public safety and national security; transport; utilities; communications; financial services; and postal services.

That is the analogue I am putting to the Minister: we found out which things we really needed, we designated them as essential and we allowed them to continue during the covid pandemic. None of us particularly relishes being reminded of that time, but we owe it to the people who will be subject to the Bill to ask the Minister exactly what has been argued in and what has been argued out of scope, to understand how vulnerable the blank cheque we are issuing to the Secretary of State is to their including more and more in it, come the day of the races.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

I will start by addressing the questions raised by hon. Members, including the hon. Member for Spelthorne, who concluded by setting out a general philosophy of how we thought about what is in and out of scope, and then I will address some of the more specific concerns in the new clauses.

The overarching philosophy has not at all been to deny, as the hon. Members for Spelthorne and for Brecon, Radnor and Cwm Tawe argued, that there are a series of services that are absolutely essential. There is a category of critical national infrastructure, and there is a category of essential sectors and services that we identified in the pandemic. Although there is some overlap, a distinct segment for the Bill is operators of essential services such as digital services and managed service providers. The assessment there has been more about the immediacy and severity of the impact, and the availability of alternative provision in a very short time, which has meant that those sectors have been ruled in. I will lay out the logic of our position on the new clauses, which might help clarify this question, although I would be happy to engage further with hon. Members on it.

I am conscious that the hon. Member for Bognor Regis and Littlehampton and the shadow Minister raised very appropriate points about robustness and proportionality in relation to the Secretary of State exercising the powers in the Bill, so I will lay out the process and the role of Parliament.

In terms of the process for bringing new sectors or activities in scope, something must meet a specific, rigorous test to be defined as a new essential activity for the purposes of the Bill. The Secretary of State must be satisfied that the activity is essential to our economy or society. As I have mentioned, that is reserved for the most vital activities to our nation and acts as a high bar for inclusion, on the terms I mentioned to the hon. Member for Spelthorne.

In reaching a decision, the relevant Departments will need to carry out risk assessments and impact assessments and consider whether inclusion of those sectors and activities is proportionate. That is part of the normal policy development process. After that, the proposals will be subject to consultations and the affirmative procedure, ensuring the necessary scrutiny. Parliament will have the final say on the use of any expansive powers, as the vast majority of the changes I mentioned will be made through delegated powers and subject to the affirmative procedure. If a new sector is then brought into scope, we will undertake a phased implementation wherever possible, and organisations will be given adequate time to comply. Alongside that, regulations will be made in a controlled way and include consultations with relevant stakeholders before secondary legislation is laid before Parliament.

I make one final observation on the points that have been made, not least about Jaguar Land Rover. The UK Export Finance export development guarantee is not a bailout. UKEF receives payments for providing its guarantees, ensuring that the Government are appropriately compensated for the risk taken. In that context, a different assessment was made, as I hope to come to shortly.

More broadly, the Committee heard from expert witnesses that although the purpose of the Bill is clear, and its impact is a significant help for our national cyber-security and essential services, it or any other singular move is no silver bullet when it comes to our cyber-security. Different levers are effective in different parts of the economy and must be applied appropriately.

The most stringent lever the Government have at their disposal is legislation. As we have discussed in this and prior sittings, proportionality is key to the exercise of that lever. Regulation creates obligations and requires resources, so the pros of regulating must outweigh the costs. In the context of the Bill, that means protecting our society and economy from unacceptable risks with an immediacy of threat to our day-to-day life, not least our national security. That means things like keeping the lights on, the taps running and the NHS going, where there is little or no alternative provision of such services. We must also avoid creating unnecessary burdens where other measures are available.

In that context, I turn first to new clauses 1 and 9. The Government and the National Cyber Security Centre are clear that all organisations, whether a food supplier, an automotive giant, a supermarket or any other business operating in the UK, should take steps to protect their cyber-security and increase their resilience. That is why in October the Government wrote to FTSE 350 companies urging them to take three actions to strengthen their defences. First, they should make cyber-risk a board-level priority, and I know that that sentiment is shared across the Committee. Secondly, they should require suppliers to have baseline cyber-security through Cyber Essentials. Thirdly, they should sign up to the NCSC’s early-warning service.

The response has been encouraging already. A significant proportion of organisations have responded, with many of those responses coming directly from chief executive officers and chairs, showing the seriousness accorded to this by boards. Following the letter, we have seen increased interest in the Cyber Essentials website, uptake in early-warning registrations, and uptake in registrations for the IASME supplier check tool, which organisations can use to identify suppliers with Cyber Essentials certificates.

Beyond that, Departments and the NCSC deliver sector-specific support for key parts of the economy. On food specifically, the Department for Environment, Food and Rural Affairs and the wider Government have worked with the food and retail sector on cyber-resilience for many years, and we always stand ready to protect the UK food supply chain. During last year’s incidents involving Marks & Spencer and the Co-op, the NCSC and DEFRA worked closely with the affected retailers to support their response, to communicate advice and guidance and to assess the risk to food security. Following the attack, DEFRA Ministers wrote to major retailers to invite further collaboration on cyber-matters. Officials from both the NCSC and DEFRA are working with retailers to understand how we can best support them and the resilience of our food supply chain in the future.

Crucially, the food sector is unique among critical sectors for its high levels of industrial and geographic diversity. There are approximately 20,000 small and medium-sized food manufacturers alone spread across the UK, and many more farms, distribution centres, retailers and other types of businesses that form the UK’s food supply chain. As a result, it is a sector with few single points of failure. Its resilience is further strengthened by the steps that individual operators and suppliers are taking.

Finally, it is worth mentioning that the cyber-attack on Marks & Spencer last year, which hon. Members have raised, specifically involved the social engineering of a third party managed service provider. As the Committee is aware, the Bill brings large and medium-sized managed service providers into scope. That important change delivers downstream benefits across the wider economy, including for food retailers.

I will move on to new clause 8. The Government recognise that a step change in cyber and digital resilience is required across the public sector, including in local authorities. The Government’s cyber action plan is the overarching strategy to improve the cyber-resilience of Government. It will hold the public sector, including local government, to equivalent requirements to organisations regulated by the Bill. At the outset, the hon. Member for Spelthorne raised a question about schools and pupil data; where local authorities are the lead affected departments in that context, they would be expected to maintain very close oversight and compliance with the requirements and asks of the cyber plan, including in schools and the maintenance of pupil data.

Local authorities in England are accountable for their own cyber-security and resilience. The Ministry of Housing, Communities and Local Government, as the lead Government Department, is accountable for the sector-wide resilience of English local government, and is already taking a range of steps to support the sector, strengthen its cyber-resilience and manage its risks more effectively. For example, MHCLG has already provided £23 million of cyber grant funding and technical support to local government. That includes the delivery of clear cyber-security standards through the adoption of the cyber assessment framework—CAF—for local government. It is also aligned with the wider approach taken by organisations already in scope of the network and information systems regulations.

On social care specifically, as the lead Government Department for adult social care, the Department of Health and Social Care is working to ensure that the standards applied by adult social care providers are consistent with those used across Government and the wider public sector. The DHSC is investing a further £21 million over this Parliament to give care providers the support and guidance they need to improve their cyber-resilience and to enhance cyber-security standards to align with the cyber assessment framework. The MHCLG has also launched a local government cyber-incident response service to support English local authorities to respond to severe cyber-incidents, helping to limit the impact these have on data and services.

I now move on to new clauses 11 and 12, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe. The joint election security and preparedness unit—JESP—sits jointly between the MHCLG and the Cabinet Office. It was created by the defending democracy taskforce, a cross-Government unit, and works to protect UK elections and referendums by co-ordinating work across Government to respond to threats, including on cyber-security.

I know that the shadow Minister takes a keen interest in these questions on the run-up to elections, and he raised some important points. JESP works closely with the NCSC, which produces guidance for organisations involved in delivering elections, including local authorities. That includes advice to help IT practitioners implement security measures that will help prevent common cyber-attacks, as well as offers for direct NCSC support, including the NCSC’s active cyber-defence services.

The MHCLG as a whole is responsible for centrally managed digital electoral services covering voter registration, a postal or proxy vote, or a voter authority certificate. All systems and suppliers involved in developing and maintaining digital electoral services must meet strict cyber-security requirements, not least the MHCLG cyber-security assurance framework.

I will move on to political parties. JESP and the NCSC regularly engage with political party representatives to understand their requirements, monitor any cyber-infrastructure vulnerabilities and raise awareness about Government cyber-defence services. The NCSC’s active cyber-defence programme provides free security tools to help UK organisations, including political parties and local authorities, reduce exposure to common cyber-threats. The NCSC encourages all political parties to sign up to these, and offers individual candidate briefings to parties that wish to take them up.

Everything I have said reflects the Government’s current assessment of where regulation is needed to protect the core of our society and economy. Of course, we have seen that what is considered an essential service can change, and we also know that cyber-threats are constantly evolving. That is why the Bill will enable the Government to bring more essential activities and services into scope in future, and to take swift action if UK national security is at risk, in scenarios where the evidence suggests the pros outweigh the costs. However, at this stage we do not think that that is the case for new sectors. I therefore ask hon. Members not to press their new clauses.

Question put and agreed to.

Clause 24 accordingly ordered to stand part of the Bill.

Clause 25

Statement of strategic priorities etc

Question proposed, That the clause stand part of the Bill.

14:15
The Chair

With this it will be convenient to discuss clauses 26 to 28 stand part.

Kanishka Narayan

Clause 25 introduces a power for the Secretary of State to designate a statement of strategic priorities for the implementation of the NIS regulations. The NIS regulations are enforced by 12 different sectoral regulators. Although that allows each regulator to apply its sectoral expertise, it also means that at times they have taken divergent approaches to their regulatory responsibilities. Clause 25 addresses that by allowing the Secretary of State to set overarching objectives for regulators in the wider context of a statement of strategic priorities. The statement will replace the NIS national strategy, which the Government were previously required to produce under the NIS regulations. It will set out the Government’s priorities for the security and resilience of essential services.

To ensure that the objectives remain stable enough to enable regulators to plan their work, the clause will prevent a statement from being withdrawn or amended within three years of its designation. However, that three-year rule will not apply if there has been a general election, or a significant change in the threat landscape or in Government policy. That will allow for flexibility where appropriate. In sum, clause 25 empowers the Government to drive a more effective and consistent application of the NIS regulations.

Clause 26 establishes the process through which a statement of strategic priorities can be designated. It requires that there must be consultation with regulators, and that the statement be laid before Parliament, where it will be subject to the negative procedure. It establishes that the Government must share a draft of a proposed statement with the NIS regulators, and that the regulators must be given at least 40 days to provide comments to the Government on that draft statement. The Government must consider whether it is appropriate to make any changes to the draft statement in the light of that consultation. Once any changes have been made, they must lay the statement before Parliament, where it will be subject to the negative procedure. Following that, the Secretary of State may designate the statement.

Clause 27 establishes the legal duties that regulators will have in relation to a statement of strategic priorities. It sets out that regulators must

“have regard to the statement”

when carrying out their NIS functions, as introduced by parts 3 and 4 of the Bill. It also introduces a requirement for regulators to “seek to achieve” the objectives included in the statement.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

As we heard in written evidence from the ABI, clarity about roles really matters. Can the Minister confirm that the statement of strategic priorities is not intended to operate as indirect instruction, and that regulators will retain clear discretion where sector evidence points in a different direction?

Kanishka Narayan

I thank the hon. Member for her point. Perhaps I can give a flavour of the objectives I might expect in a statement and assure her of the independence of sector regulators. Subject to consultation, which we would expect in the build-up to any such statement, a statement might include objectives such as encouraging regulators to seek to ensure that their sectors have plans in place to increase security, or focusing on regulatory activity in areas of greatest horizontal risk. To the hon. Member’s point about sector-specific expertise and the independence of regulators, the statement is intended to set objectives to be achieved within the parameters of regulators’ existing statutory duties, and what the overarching risks are. Of course, regulators will be free to do that in the ways they think most appropriate for their sectors, in the light of their own expertise and experience. I hope that gives the hon. Member some assurance.

Clause 28 requires the Secretary of State to publish an annual report setting out, in general terms, how NIS regulators have complied with their duties in relation to a statement of strategic priorities over the previous 12 months, and how they intend to meet their duties in the following 12 months.

Alison Griffiths

As the Minister is saying, clause 28 is meant to help Parliament understand how regulators are responding to the statement of strategic priorities. Can he say a little about how substantive that reporting will be, and whether it will genuinely allow Parliament to assess how those duties are being exercised in practice?

Kanishka Narayan

The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.

Kanishka Narayan

I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.

As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Mr Stringer.

Clause 25 introduces a power for the Secretary of State to issue a statement of the Government’s strategic priorities in relation to the security and resilience of network and information systems with regard to essential activities. The statement will set out the responsibilities of regulators and specify objectives to secure the Government’s priorities. Competent authorities must be consulted in the drafting of the statement, and the Secretary of State must issue a report in every 12-month period on regulators’ compliance with meeting the objectives within it.

The changes aim to address important challenges around consistency in the approach to regulation that were identified by the previous Government’s second post-implementation review of the NIS regulations. Importantly, the measures also provide for a regular review of competent authorities’ approach to discharging their regulatory obligations. That measure is necessary given the inconsistent approach to oversight and enforcement of the NIS regulations so far.

We know that there are existing challenges relating to the capacity of competent authorities and there is the ongoing issue of securing sufficient cyber-security professionals to staff the teams. It is all well and good making statements, but they need to be followed. What strategies does the Minister anticipate will be needed and used to support—and, where necessary, drive up—standards of regulatory oversight when competent authorities fall short of the aims set out in the statement?

Kanishka Narayan

I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.

Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.

Alison Griffiths

Having worked in business, I know that the words we use to ensure that the capabilities are there are easy to say but not always easy to deliver. How will the Minister ensure that when we have a multi-sector issue, which could easily come up—particularly, as we have already discussed, around OT and the use of IEDs across multiple sectors—the National Cyber Security Centre and other regulators will have access to the skills, people and resources necessary to manage what could be a catastrophic incident? We already know that cyber-skills are in short supply as it is, even in the commercial sector.

Kanishka Narayan

The hon. Member raises an important point. Two or three things are really important channels of impact when it comes to skills. First, the NCSC as a convening body across regulatory areas will be able to make sure that different regulators come together and learn by being able to share information not just between themselves, but through the NCSC itself as the convening body for sharing good and prompt understanding of emerging risks.

Secondly, on broader skills, the cost recovery schemes allowed under the Bill create a way for regulators to ensure they are resourced up and have the ultimate financial firepower to be able to enforce the requirements of the Bill.

Alison Griffiths

I thank the Minister for his patience. He mentions a specific example of where he will ensure that the NCSC is resourced up. Do we have specific examples that have happened already of those powers having been put in place successfully? From conversations with the NCSC, I understand that it is reliant on its accredited bodies across the country, but we have not yet—I am touching the wood of my desk, as I speak—had to respond to a complex multi-sector issue. I challenge the Minister on whether he is confident about our capability to respond to one.

Kanishka Narayan

I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.

Dr Spencer

The Minister is being generous with his time during this important debate. I was just thinking through his earlier response to the point made by my hon. Friend the Member for Bognor Regis and Littlehampton about using the cost reclaims to employ cyber-security professionals. That goes to the heart of the concerns about the Bill and its approach to regulation.

We have heard that the industry, including regulators, is struggling to recruit cyber-security professionals. What gives the Minister confidence that, just because some money will be sloshing around in the regulators, there will be the ability to recruit cyber-security professionals, who are going to be essential to the implementation of the Bill?

Kanishka Narayan

First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal, so that more people can benefit from cyber-skills and serve in the industry.

There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.

Chris Vince

I am going to mention Harlow, because Harlow has young people with amazing potential. The point that the shadow Minister and other Opposition Members have made is really important. We need to make sure that this and the next generation of young people are trained up in these skills, because this is an emerging threat. I encourage the Minister to promote the Bill and what the Government are doing in cyber-security, because it is important that the wider public know that these important skills and jobs are available.

Kanishka Narayan

I am, of course, very happy to take on my hon. Friend’s recommendation that I be the promoter and ambassador for the Bill across the country. I am only sad not to have been invited to visit his constituency in the act of promoting said Bill, but I take his point seriously.

On the broader point about skills, I entirely agree with both my hon. Friend and the Opposition in recognising that skills are central to the enforcement of the programme. I hope that the funding and the earlier focus on skills across the life cycle give some assurance that the Government are committed to that.

Question put and agreed to.

Clause 25 accordingly ordered to stand part of the Bill.

Clauses 26 to 28 ordered to stand part of the Bill.

Clause 29

Regulations relating to security and resilience of network and information systems

Question proposed, That the clause stand part of the Bill.

14:30
The Chair

With this it will be convenient to discuss clauses 30 to 35 stand part.

Kanishka Narayan

Clause 29 is the key pillar of the Bill’s future-proofing powers. It allows the Secretary of State to update, amend or replace the NIS regulatory framework by creating new regulations. This is a critical provision. Due to the way in which the NIS regulations were transposed into UK law, the Government lack a way of updating the framework other than through primary legislation. As a result, our regulations have remained static amid a rapidly evolving threat landscape, leaving our essential and digital services vulnerable to attack and our resilience falling behind the EU. The clause is an important response to that problem. It will ensure that the Government can take swift action so that our cyber regulations remain relevant. It is a more proportionate and effective approach than always relying on primary legislation.

I know the use of delegated powers can be a source of concern, so I will be clear that the clause is not a carte blanche—or a blank cheque, which the hon. Member for Spelthorne might be worried about—to smuggle in anything and everything under the guise of cyber-security. It is tightly constrained to ensure that any new regulations align with the original purposes of the NIS regulations. New regulations can be made only for the purposes of strengthening the cyber-security and resilience of the UK’s most critical activities, and only where they are genuinely essential to the functioning of the UK’s society and economy. Cyber-criminals will always find ways around regulations, but with this power we can stop them in their tracks.

I have already explained the critical role that clause 29 plays in enabling new regulations to be made for the purposes of cyber-security and resilience. However, I want to be clear about how those regulations will be used and reassure the Committee of their checks and balances. Clauses 30 to 35 set out what the regulations can do.

Clause 30 enables the Secretary of State to use the regulation-making powers to impose requirements on regulated persons. It clarifies who can be made subject to requirements and the types of requirement that can be imposed on them.

Alison Griffiths

My question relates to clause 29 but also clause 30. As the Minister says, the powers are deliberately wide. The Institution of Engineering and Technology noted in evidence that predictability matters more than compliance. Will the Minister explain exactly how the Government will judge when risks require new statutory duties rather than updated guidance, so that businesses are not left guessing?

Kanishka Narayan

Any legislation made under clause 29 will need to align with the Bill’s clearly specified purposes to protect the systems that underpin our vital services. In any case, secondary legislation will require deep consultation to ensure that businesses have the sense of clarity that they require. There is a specific bar to pass for the scope of any further provisions, and it is a high bar given the definition of the sectors and the activities covered in the Bill.

Clause 30 has been designed with some clear use cases in mind. It will enable the security duties on regulated organisations to be updated with appropriate technical details. It will also ensure that more detailed thresholds for incident reporting can be set, and it is the mechanism through which we will set out the regulatory requirements for designated critical suppliers. In other words, the clause will help us to operationalise the provisions of the Bill and update the technical details of regulatory requirements in response to new risks or technology.

Clause 31 enables the Secretary of State to confer functions on regulators through the Bill’s regulation-making powers. These may be existing NIS regulators or newly appointed regulators. The types of functions that can be conferred are those concerned with compliance: monitoring and securing compliance, and investigating and managing non-compliance. To carry out such functions effectively, regulators must be able to impose penalties. Clause 31 also provides for that while putting in place important safeguards so that regulated organisations have a means of appealing penalties. The clause is essential for future-proofing the regulatory regime. It ensures that regulators can be equipped with the functions and powers they need to ensure the compliance and security of the UK’s most essential services.

Clause 32 sets out details and safeguards for how the regulation-making powers can be used when they impose or amend financial penalties. Crucially, it establishes upper limits on what the penalties can be—the greater of £17 million or 10% of turnover for an undertaking, or £17 million for a non-undertaking, or £17 million for an undertaking adjusted as needed to account for inflation. The 10% threshold has been chosen as a defensible outer limit for a regulatory regime concerned with national resilience and security. It aligns with penalties for non-compliance in legislation regulating critical national infrastructure and with the Bill’s own national security powers.

The clause further clarifies that regulations can define “turnover” and “undertaking”, where needed, to calculate a penalty. Together, these provisions create important safeguards and flexibility. They establish proportionate and transparent parameters within which penalty amounts can be set. They also enable the Secretary of State to define and consult on terms that are essential for operationalising the Bill’s new turnover-based penalties.

Like clause 31, clause 33 enables the Secretary of State to make regulations conferring functions on regulators. The functions specified in clause 33 complement the core compliance functions outlined in clause 31. They relate to the disclosure of information, issuing of guidance, record-keeping, preparation of reports, undertaking of reviews, and co-operation. The clause also enables the Secretary of State to impose functions on organisations that are not regulators but that play a public role related to the cyber-security and resilience of essential services. GCHQ, in its capacity as the UK’s computer security incident response team and technical authority, is the most important. Like clause 31, this clause is essential for future-proofing NIS regulations. It allows organisations that oversee and facilitate the cyber-security and resilience of essential services to be equipped with the tools and functions they need.

Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs using the powers under clause 29(1). These are the costs incurred through their functions under the NIS regulations or other obligations imposed through parts 3 and 4 of the Bill. 

In practice, the clause ensures that the Secretary of State can make changes and updates to the way that regulators carry out their cost recovery function under the NIS regime. It could, for example, be used to specify further factors that regulators need to consider when establishing approaches for charging fees in the charging schemes, in addition to those already set out in clause 17. That might be needed to deliver greater consistency in how the cost recovery measures are being applied and is something that the Government will keep under review.

Alison Griffiths

As the Association of British Insurers has highlighted in its written evidence, the way cost recovery operates will shape behaviour on the ground. Can the Minister reassure the Committee that changes made under clause 34 will be transparent and proportionate and will not inadvertently discourage investment in cyber-resilience, particularly for smaller firms in supply chains?

On a personal point, could I ask him to speak more slowly? I am really struggling to hear him.

Kanishka Narayan

I apologise for the pace of my speech; I will try to make sure I am speaking more slowly.

On the particular point on transparency and ensuring that any amendments to cost recovery are both transparent and grounded in specific provisions, I can set out the sorts of expectations we have had for circumstances in which amendments might be made. In particular, the Bill’s powers will enable regulators to set up charging schemes, but it is not prescriptive—

Alison Griffiths

Could the Minister repeat that?

Kanishka Narayan

The Bill’s new powers enable regulators to set up charging schemes, but it is not prescriptive about how it should do that beyond certain baseline requirements. More specific requirements, as provided for in the Bill, could become clear, such as if cost recovery mechanisms are not working effectively or if regulators are diverging unhelpfully.

All regulators must consult on charging schemes. In doing so, the industry should have ample opportunity to scrutinise the approach that regulators are taking and, importantly, Parliament should be able to add to that scrutiny as well. Like clause 31, clause 34 is essential for the future-proofing of NIS regulations.

Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs; I have mentioned examples of the sorts of factors we might specify in that context. Together with clauses 29 to 33, 35 and 41, clause 34 is necessary to ensure that the Secretary of State can update and amend the functions of regulators as needed in the future, and is an integral part of the Bill’s future-proofing powers.

Clause 35 is the final clause that clarifies the limits and prospective uses of the regulation-making power in clause 29. It confirms that the regulations may confer functions and allow certain functions to be delegated to others—for example, it could enable a regulator to delegate functions to inspectors. It also clarifies that regulations can be made to require a person to have regard to guidance or codes of practice, or that make provision by reference to another document or piece of guidance. In short, the clause provides helpful clarity about how the regulations could be applied.

Sarah Russell (Congleton) (Lab)

On a point of order, Mr Stringer. I am not sure whether this strictly meets the criteria for a point of order, but it is clear that some people in the room cannot hear what is happening. I know the convention is that only the Whips and Ministers sit on the front row, but if those who are struggling to hear wish to sit closer, could we abandon that convention? It would be a reasonable adjustment so that everyone can participate properly, because this is discriminatory.

The Chair

I thank the hon. Lady for her point of order. It is a convention, and if the hon. Lady or any other Member wishes to sit on the Front Bench to make life easier, they certainly have my permission to do so.

Alison Griffiths

Further to that point of order, Mr Stringer. Genuinely, I simply need the Minister to speak slowly and clearly. Yes, I am wearing hearing aids; I am sure that others wear them too. I am doing my very best to make sure that I can lip-read, but that is almost impossible given the speed the Minister is speaking at. One cannot lip-read when he is looking down all the time either.

The Chair

I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.

Dr Spencer

I confess, Mr Stringer, that I suspect I am also guilty of speaking a bit fast in our previous debates. I will do my best to slow down and speak in a lower tone, as I know that can also help, particularly with certain types of hearing impairment.

To continue the theme of agile regulation, clause 29 enables the Secretary of State to update the NIS regulations through secondary legislation. Clause 30 enables the Secretary of State to impose requirements on regulated entities, which may include directions to take specific actions to increase cyber-resilience, to report on certain matters and to appoint a UK representative if the entity is based outside the UK.

Furthermore, clause 31 specifies that the Secretary of State may direct competent authorities to undertake certain activities, including mandating functions in connection with monitoring and securing compliance with relevant requirements, investigating suspected non-compliance and mitigating the effects of non-compliance on the part of regulated entities. Clauses 32 to 35 provide for the Secretary of State to issue ancillary directions to facilitate information-gathering, investigation and enforcement activities on the part of regulators.

Taken together, the clauses give the Secretary of State a strong suite of powers to respond to emerging cyber-security risks. Again, I recognise the necessity of being able to respond quickly in fast-changing circumstances. However, the Government should clearly be reporting on the Secretary of State’s exercise of the powers at regular intervals to ensure transparency. We will discuss that in due course when we come to clause 40, on the report on network and information systems legislation.

The Chair

Does the Minister wish to respond?

Kanishka Narayan

No.

Question put and agreed to.

Clause 29 accordingly ordered to stand part of the Bill.

Clauses 30 to 35 ordered to stand part of the Bill.

Clause 36

Code of practice

Question proposed, That the clause stand part of the Bill.

14:30
The Chair

With this it will be convenient to discuss clauses 37 to 39.

Kanishka Narayan

Clause 36 sets out that the Secretary of State may issue a code of practice for regulated entities. The code will describe recommended steps to help these entities to comply with their duties and requirements under the NIS regulations and any new regulations made under the Bill. This will make it simpler for regulated persons to understand what is expected of them, thereby driving consistency and complementing sector-specific guidance from regulators.

The clause will also make enforcement clearer and more effective, as regulators must take the code into account when they assess compliance. The code is designed to be flexible: it can be updated as threats and technology change, and can be tailored to different types of organisations, ensuring that guidance is current, relevant and practical for all.

Given the importance of the measure in providing practical recommendations to regulated entities, it must be consulted on before it is prepared or revised, and this process is set out in clause 37. Before the code can be brought into force, a draft must be laid before Parliament, providing ample opportunity to scrutinise and, if necessary, reject it within a 40-day period. If either House objects, the Secretary of State cannot proceed with that version and may prepare a new draft. If the draft is approved by Parliament, the Secretary of State may issue it and must publish it, and it then comes into effect immediately, unless otherwise specified. The clause also clarifies how the 40-day period is calculated, to ensure consistency and transparency in the process.

As we know too well, cyber-threats continue to evolve as new tactics and technologies are deployed, which is why the clause includes a power for the Secretary of State to amend the procedure for issuing the code. The Secretary of State may, for example, wish to add or amend consultation requirements or extend the 40-day period.

Clause 38 establishes how the code of practice will be used and treated in legal and regulatory settings, to ensure it has the intended effect. For regulated persons, the code of practice is intended to be formal guidance, with recommendations on how to comply with their duties, but not to be legally binding itself.

As we know, there can be more than one way for businesses to meet their obligations and ensure that they have in place appropriate and proportionate security and resilience measures. It is therefore important that there is a degree of flexibility in how they do this, to accommodate sector-specific nuances and business needs. None the less, it is crucial that the code has sufficient legal status and that the good practice it contains is not simply ignored. That is why the code can be admissible as evidence in court when deciding whether legal obligations have been met, and why the courts and regulators must consider it as evidence when assessing compliance.

Clause 39 establishes a formal process for the withdrawal of the code of practice, in case that is ever needed.

Dr Spencer

Clause 36 provides that the Secretary of State may issue a code of practice for regulated entities to set out measures that they should take to demonstrate compliance with their duties under the NIS regulations, or any requirements imposed by the Secretary of State under clause 29. If done well, the code could be a repository of best practice, setting proportionate, consistent and effective standards for regulated industries. That will require constructive and open consultation with regulated sectors to identify the challenges facing those sectors and how best to address them.

One issue that came up in oral evidence was the question of the lag between regulation making and industry adoption. David Cook of DLA Piper commented that, after laws come into effect, the process of businesses understanding where they need to get to

“often requires a multi-year programme of reform.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 5, Q1.]

The code of practice is not envisaged to be legally binding, in the sense that a failure to comply is not of itself evidence of a failure to meet obligations under the NIS regulations or the Bill. However, clause 38 states that it would be admissible as evidence in legal proceedings so, in that sense, the code is binding in all but name. In view of that, and the fact that codes can be revoked and reissued, can the Minister provide reassurance to regulated industries that a lead-in time will be built into any requirements to allow businesses to prepare to achieve full compliance?

Kanishka Narayan

First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.

On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would be closely regulated entities to ensure the proportionate implementation of codes.

Alison Griffiths

We heard from the Information Systems Audit and Control Association that codes work best when they reflect operational reality. Given their evidential status, can the Minister reassure the Committee that codes will remain practical and iterative and not quietly harden into rigid compliance rules?

Kanishka Narayan

I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.

Dr Spencer

For the sake of clarity on the legal status of the codes, I entirely agree with the Minister that it is important to get this right, and my understanding of codes of practice in a different area—statutory codes of practice relating to the Mental Health Act—is that case law says that deviation from the code of practice should be done only for cogent reasons. That is a pretty high bar to pass in terms of deviations. I should declare an interest as a former consultant psychiatrist and someone who operated subject to that particular code of practice.

For absolute certainty, will the Minister write to the Committee and make the status very clear, along with reference to relevant case law in terms of other codes of practice? Does the clause override that jurisprudence or not? That would settle the question as the Bill goes through Parliament.

The Chair

Order. Interventions are getting a bit out of control again. I remind hon. Members that they should be brief.

Kanishka Narayan

I agree with the shadow Minister. The Bill’s focus is on the assessment of compliance with ultimate security duties. The codes of practice will set out approaches to do so, but they will not be the only approaches. I would be happy to write to the shadow Minister and the Committee on the particular legal interpretation, and any relevant case law that might apply.

Question put and agreed to.

Clause 36 accordingly ordered to stand part of the Bill.

Clauses 37 to 39 ordered to stand part of the Bill.

Clause 40

Report on network and information systems legislation

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

I beg to move amendment 26, in clause 40, page 63, line 7, leave out “5” and insert “3”.

This amendment would increase the frequency of the reports that must be published under Clause 40, from every five years to every three years.

The Chair

With this it will be convenient to discuss clause stand part.

David Chadwick

Amendment 26, tabled by my hon. Friend the Member for Henley and Thame, seeks to ensure that the Bill keeps pace with the reality that it seeks to regulate. In the world of cyber-security, five years is a lifetime. In the past five years, the size and scale of cyber-attacks has continued to advance at pace, and we can expect the next five years to be the same. In that context, waiting five years for the first formal parliamentary review of the Bill seems dangerous. It risks leaving us with a regulatory framework designed for the threats of yesterday and not tomorrow. The cyber-threat is real, evolving and urgent.

The NCSC has reported that nationally significant cyber-incidents more than doubled in 2025 alone. That is why the amendment would change the reporting cycle to once every three years. That is a pragmatic timeline, which allows the Government to identify gaps and close them before they are exploited. The EU’s NIS2 directive explicitly mandates a review by the Commission every three years, and it is not clear why the Government have decided to diverge from that standard. Is it because they believe that the cyber-threat here is considerably less than the one facing European member states? It is simply not clear, which adds to the general sense of bewilderment about this provision. If our European neighbours are reviewing their cyber-security approach every three years, why are the UK Government content to wait for five?

Dr Spencer

Clause 40 requires the Secretary of State to publish a report every five years on the operation of the NIS regulations and parts 3 and 4 of the Bill. Reports should include a review of any exercise of powers under parts 3 and 4 by the Secretary of State. Given the wide-ranging powers granted to the Secretary of State under those parts, I have some sympathy for amendment 26, tabled by the hon. Member for Henley and Thame, which seeks to reduce reporting intervals from five years to three.

The shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), raised this issue on Second Reading. She suggested that annual or biannual reviews might allow for effective parliamentary scrutiny of the NIS regulations and of the Secretary of State’s exercise of powers to respond to emerging threats. In view of the concerns voiced by the hon. Members for Henley and Thame and for Brecon, Radnor and Cwm Tawe, and by the shadow ministerial team, will the Minister explain why five-year intervals have been selected and whether the Government will look at this important issue again?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for moving amendment 26, in the name of the hon. Member for Henley and Thame. It seeks to reduce the period for publishing a report on the operation of the legislation from at least every five years to at least every three. I reassure him that the Government recognise the importance of regular assessments of the regime to ensure that it is as effective as possible. The legislation sets five years as the minimum period. That is an appropriate and proportionate timeframe in which to meaningfully assess the progress, at a regular frequency, of the entire regime set out in the Bill, following the approach set by existing legislation such as the Online Safety Act 2023.

15:04

Mandating a report every three years may not be as effective because of the extensive nature of these reviews, given that this is a cross-sectoral regime, and would produce unnecessary administrative burdens. A report every five years is a minimum baseline, and the Government will be able to conduct more frequent reports on the legislation if that is deemed necessary. I must remind the Committee that this sits alongside the annual report on the statement of strategic priorities, which will also provide frequent monitoring of regulator activities in response to the objectives of the statement. For these reasons, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe to withdraw the amendment.

As I have previously set out, it is essential that the framework is effective, properly implemented and keeps pace with the evolving cyber landscape, and we must have a mechanism to assess whether it is doing so. Clause 40 requires the Secretary of State to lay a report in Parliament at least every five years assessing how the Bill has met its objectives. That is an appropriate period for Government to meaningfully measure progress across all of the regulated sectors, but more frequent reports are possible if deemed necessary.

As we know, this is not the only mechanism for monitoring progress. Clause 28 requires more frequent annual reports to Parliament on regulator activities in relation to the objectives in the statement of strategic priorities. While these reports are crucial for effective monitoring, evaluation and long-term, evidence-based decision making, they are only part of the picture. Should urgent intelligence come to light, the Government will be able to act, including through the powers in the Bill. For those reasons, I commend clause 40 to the Committee.

David Chadwick

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 40 ordered to stand part of the Bill.

Clause 41

Regulations under section 24 or Chapter 3

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clause 42 stand part.

Kanishka Narayan

Clause 41 gives further detail on the sorts of provisions that can be included in regulations made under clause 24 and chapter 3 as a whole. It confirms that regulations can make different provisions for different purposes, different categories of person or different areas; can make provisions for how those regulations apply to the Crown or UK territorial waters; and can include consequential, supplementary, incidental, transitional or saving provisions. The clause also defines how certain terms used in regulations should be interpreted, such as “relevant UK waters” or “primary legislation”. In summary, the clause provides important points of clarification about how the regulation-making powers in the Bill can operate. I propose that clause 41 stand part of the Bill.

Clause 42 sets out the consultation requirements and parliamentary procedure that apply where regulations are used to designate new essential services or regulators, to impose regulatory requirements or change regulator functions, or to amend requirements for the five-yearly legislative review.

Alison Griffiths

These procedures are standard, but the powers they apply to are significant. Where regulations under part 3 would materially expand duties or bring new actors into scope, have the Government considered whether those should receive deeper scrutiny in practice, even if the formal procedure remains the usual one?

Kanishka Narayan

I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.

In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.

In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.

Dr Spencer

I have two questions for the Minister. Given the impact on devolved legislation, can he confirm that the consultation will extend to devolved authorities should it impact on them? My second question is more generally on the theme of devolved authorities. Can he confirm that, as part of the publicised “reset” negotiations with the European Union, bringing Northern Ireland into scope of NIS2 regulations is totally off the table?

Kanishka Narayan

On the broader point about application to the devolved Administrations, changes in UK legislation may indeed need to be reflected in devolved legislation, such as where it refers to and references the name of UK legislation. In those contexts, it is important that consequential provision can be made to ensure coherence. We will continue to engage with our devolved colleagues on the implementation. I am very happy to write to the hon. Gentleman and the Committee, particularly on the Northern Ireland point.

Question put and agreed to.

Clause 41 accordingly ordered to stand part of the Bill.

Clause 42 ordered to stand part of the Bill.

Clause 43

Directions to regulated persons

David Chadwick

I beg to move amendment 27, in clause 43, page 66, line 11, at end insert—

“(fa) a requirement to remove, disable or modify hardware, software or other facilities;”

This amendment would enable the Secretary of State to issue directions to remove, disable or modify hardware, software or other facilities for national security purposes.

The Chair

With this it will be convenient to discuss clauses 43 and 44 stand part.

David Chadwick

Amendment 27, which I move on behalf of my hon. Friend the Member for Henley and Thame, would give the Government the ability to remove, disable or modify hardware and software that could be used to infiltrate British national infrastructure, such as the cables underneath the now approved Chinese mega-embassy in Tower Hamlets.

The Prime Minister’s greenlighting of the Chinese super-embassy in the heart of London is a grave mistake that presents an open door for the ramping up of Chinese espionage in our country. It sends a regrettable and shameful message to Hongkongers—many of whom have already been targeted, intimidated and coerced by the Chinese Communist party—that trade deals are being prioritised over their safety. The Government must take a robust stance with hostile states such as China.

Dr Spencer

Clause 43 grants the Secretary of State powers to issue directions to regulated entities where there is a risk to national security, or where an action must be taken in the interests of national security. Directions can include requirements relating to the management of systems, the yielding of information and the removal or modification of goods and services. The Secretary of State may also require a regulated entity to engage the services of a skilled person to comply with directions issued. The Secretary of State has wide discretion to dispense with providing reasons for directions or consulting with the affected parties on the basis of national security considerations.

Clause 44 clarifies that the Secretary of State’s directions under part 4 prevail if there is a conflict between those directions and another statutory requirement. The exercise of these powers by the Secretary of State could have far-reaching consequences for businesses, which may experience interruption to their commercial activities, as well as the potentially considerable time and expense in adhering to a request made on national security grounds.

I have spoken on several occasions in the House and in this Committee about the critical risks posed to our cyber-security and national security by hostile state actors and their affiliates. It is, of course, right that the Secretary of State should have this power, but it should be used only in extremis. Like other extensive powers granted to the Secretary of State under part 3, it must be subject to oversight and guardrails. A report to Parliament, which may well be redacted, on the exercise of functions under part 4 will not be sufficient to ensure that this power is used proportionately. Has the Department considered introducing an obligation for the Secretary of State to report to the Intelligence and Security Committee when she exercises powers under part 4?

We discussed the Chinese super-embassy earlier. Later in the Committee’s proceedings, I will talk about an Opposition new clause that would deal with that problem effectively.

Emily Darlington (Milton Keynes Central) (Lab)

As the Minister will be aware, I have spoken consistently of my concern about our reliance on hardware and tech that comes from potentially non-favourable state actors abroad. That also relates to Government procurement, which I have raised before, as the Minister will know.

The Committee has already discussed how local government and Government Departments are not covered by this legislation, and how there is a separate strategy and document. Can the Minister expand on how protections against a reliance on foreign tech within critical infrastructure, in either the private or the public sector, are being dealt with in the Bill or in the strategy that has been published for the public sector? How will that be continually reviewed as our global geopolitical situation remains unstable?

Kanishka Narayan

I will start by addressing amendment 27, moved by the hon. Member for Brecon, Radnor and Cwm Tawe, which would add to the non-exhaustive list of requirements that could be included in a national security direction. It specifies that a direction could include requirements to

“remove, disable or modify hardware, software or other facilities”.

I reassure him that the Bill, as currently drafted, allows the Secretary of State to impose those types of requirements. Clause 43(3)(f) specifies that a direction may include

“a requirement relating to removing, disabling or modifying goods or facilities or modifying services”.

That already encompasses the types of requirements specified in amendment 27.

Furthermore, clause 43(3) lists the requirements that may “in particular” be included in a direction. The list is therefore not exhaustive, and for good reason. It is not possible or desirable to specify every action that might be needed to address a national security risk. That would restrict the Government’s potential avenues to address urgent national security threats, and would risk the legislation being too narrow to address novel threats to the UK’s national security.

15:15
The Secretary of State may issue a direction if they judge that an NIS-regulated entity’s network and information systems have been compromised, or if there is a threat of such compromise that risks national security, and that a direction would be

“necessary and proportionate in the interests of national security.”

As long as that particular test is met, the Secretary of State may include requirements in a direction that are not specifically listed in clause 43(3). As a result, even if the types of requirements specified in amendment 27 were not already listed, the Secretary of State could still include those types of requirements in a direction. For that reason, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe to withdraw the amendment.

More generally, I want to talk about two aspects that have been raised. The shadow Minister raised concerns about the proportionate and accountable use of powers. On that question, I would point out two things. One is that the Secretary of State will be able to issue a direction only when it is “necessary and proportionate” on the grounds of national security. To assess that proportionality, the Secretary of State will likely need to consider, among other things, the impact that a direction may have on a regulated entity, including the economic impact of directing it. They will also need to consider whether there are other means and mechanisms to achieve the same outcome.

Once a direction is issued, it will be laid before Parliament for scrutiny unless that would be contrary to national security interests. In response to the shadow Minister’s particular questions about the mechanisms considered in doing so, I suggest that the current mechanism of more general parliamentary scrutiny was seen as the best way of ensuring widespread accountability in these matters.
Dr Spencer

I really do not understand the Minister’s answer. If it has not been published on national security grounds, how will we know that it has been laid? The whole thing could be entirely secret. Surely it has to go to the ISC as an accountability mechanism.

Kanishka Narayan

The Bill currently provides for clear parliamentary scrutiny. The Secretary of State is responsible for coming to Parliament, although some information may not be able to be presented in public. I am happy to write to the shadow Minister about the mechanisms that other similar regimes have used to ensure that Parliament’s scrutiny is informed in those cases, whether in Committee or otherwise. The primary mechanism is the one we use for constant parliamentary scrutiny, and it would be unfair for any of us to suggest that most of those channels would not be appropriate for the sort of scrutiny we are looking at.

Dr Spencer

I think the Minister is saying that there will be a parliamentary scrutiny mechanism under these powers. Is that what he is saying?

Kanishka Narayan

To repeat, exactly as I said: once a direction is issued, it will be laid before Parliament for scrutiny. If there is any misunderstanding, I am happy for the shadow Minister to write to me so that I can confirm it.

Dr Spencer

I really think we should be very critical about this. What we are doing now is parliamentary scrutiny. There will be directions in future, which we expect to be laid, and they will also be subject to parliamentary scrutiny. Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?

Kanishka Narayan

To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.

Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.

Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.

Lincoln Jopp

To take this a little bit beyond the theoretical, is the Minister suggesting that, where it is discovered that, for example, a major offshore wind power generation facility was fitted with remotely triggerable kill switches, triggerable by a foreign state or sub-state actor, the Secretary of State could require that energy company to remove whatever piece of hardware or software was producing that threat?

Kanishka Narayan

I could not judge a specific situation but, broadly speaking, that is the sort of situation, especially if it is an NIS-regulated entity, and in particular where the exercise of the power is focused on the entity’s network and information systems, that I would expect to come in scope of the powers specified here.

Under clause 44, a direction can be issued only when necessary for national security. It is possible that, in some circumstances, what is needed to protect UK national security could conflict with standard regulatory duties. For example, a direction might relate to a particularly sensitive national security risk, where only those involved in addressing the risk should be aware of it. That is to minimise the risk of hostile actors becoming aware of a vulnerability. A direction could therefore require an entity not to report that national security risk for the period in which the risk was being remedied. They may ordinarily have had to report that national security risk to comply with standard reporting requirements. The clause will resolve that conflict and provide certainty to recipients of directions about what they must do to ensure that the national security risks in a direction are addressed.

David Chadwick

Given the reassurances from the Minister, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 43 ordered to stand part of the Bill.

Clause 44 ordered to stand part of the Bill.

Clause 45

Monitoring by regulatory authorities

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clauses 46 and 47 stand part.

Kanishka Narayan

This group of clauses concerns how compliance with national security directions will be monitored. Clause 45 enables the Secretary of State to delegate the task of monitoring compliance with the direction issued under clause 43 to an NIS regulator. Regulators have valuable sectoral expertise and existing relationships with the entities they regulate. As such, it may be effective to delegate monitoring of compliance to the relevant regulator. The Secretary of State will retain the sole ability to make judgments about whether non-compliance has occurred, or if any penalty is appropriate. The regulator would be required to obtain information relating to compliance, to be shared with the Secretary of State. The Secretary of State would then determine how they would like to receive this information—for example, in reports or at regular intervals.

Clause 46 grants information-gathering powers to the Secretary of State and to regulators that are subject to a monitoring direction or request. In order to determine whether an incident or threat meets the bar for issuing a direction, or whether a regulated entity is complying with the direction, the Secretary of State will need information from that entity and potentially other parties. The clause establishes the power for the Secretary of State to request that information. As the monitoring of compliance with the direction may be delegated to NIS regulators, the clause also equips those regulators with the power to request information needed for their monitoring functions.

Clause 47 grants the Secretary of State the power to carry out or delegate inspections needed to assess compliance with a direction, or with a confirmation decision specifying actions to be taken in the event of non-compliance. The Secretary of State is responsible for judging whether a regulated entity is complying with a direction, and therefore needs access to relevant information that the regulated entity holds. In some cases, this may not be possible to verify without physical attendance. To ensure the effective use of time and resources, the Secretary of State will have the power to appoint a person to carry out an inspection on their behalf, or to direct the recipient of a direction to appoint an approved inspector. The clause also grants these powers to regulators, where the regulator has been directed or requested to monitor compliance on behalf of the Secretary of State. This will ensure that they can provide the Secretary of State with the most accurate information. I commend the clauses to the Committee.

Dr Spencer

Clause 45 gives the Secretary of State powers to require regulatory authorities to monitor and report on regulated entities’ compliance with directions given under clause 43 for reasons of national security. Clause 46 provides the Secretary of State with extensive information-gathering powers through the use of information notices to facilitate the giving of directions and monitoring of compliance with directions under clause 45(4). Clause 47 empowers the Secretary of State to conduct inspections to assess whether a regulated entity is complying with directions issued under clause 45(4). The Secretary of State may appoint a third party to conduct the inspection, and require the regulated entity to meet the costs associated with this.

I reiterate the point that these powers are necessary; however, given the potential for significant cost and administrative burden for businesses, they should be subject to contemporaneous or near-contemporaneous oversight by parliamentary authorities, observing the necessary confidentiality protocols. I also make the point that these information-gathering powers apply extraterritorially and may lead to conflict with regulated entities’ data privacy obligations in other jurisdictions. What discussions has the Secretary of State conducted with industry and law enforcement counterparts in other countries about the approach to information sharing for this purpose, and the implications for companies operating services on a cross-border basis?

15:30
Kanishka Narayan

I am grateful to the hon. Gentleman for his points about proportionality and scrutiny. I want to give him assurances about that, as I did in our earlier conversation.

On cross-border compliance, the hon. Gentleman rightly points out that relevant information can be requested, regardless of whether it is held in the UK. I am very happy to write to him with further detail on our ongoing engagement with counterparts elsewhere. During this process, we have engaged more broadly to understand other regulatory regimes and ensure compliance with them.

Question put and agreed to.

Clause 45 accordingly ordered to stand part of the Bill.

Clauses 46 and 47 ordered to stand part of the Bill.

Clause 48

Notification of contravention

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clauses 49 to 52 stand part.

Kanishka Narayan

This group of clauses concerns the enforcement of directions issued by the Secretary of State. I shall speak to them in turn.

Clause 48 grants the Secretary of State the power to issue a notice of contravention where they believe an entity is failing or has failed to comply with requirements relating to a direction. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will also be able to issue a notification of contravention relating to an information notice or inspection issued by the regulator. It would not be appropriate for a regulator to judge compliance with a direction issued under clause 43 or any other requirement imposed by the Secretary of State.

Lincoln Jopp

What happens when the Secretary of State, via his various proxies—the regulator or whomsoever—gives a direction to a company to do something in the interests of national security, and the entity disagrees and says, “That simply won’t work, and it won’t solve the problem that you are seeking to address”?

Kanishka Narayan

I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.

The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.

Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.

Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.

These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which aligns with the provisions in clause 49.

Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.

A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.

Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.

I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.

Dr Spencer

Clauses 48 to 52 deal with notifications and financial penalties where a regulated entity is deemed not to be compliant with directions issued by the Secretary of State under part 4. In particular, clause 48 would grant enforcement authorities powers to issue a contravention notice if they believe a person has failed to comply with a requirement under part 4. The notice must set out details of remedial steps to address the failure, as well as the financial penalty that the enforcement authority intends to impose.

Clause 49 would require penalties to be set at a level that is appropriate and proportionate, with the maximum penalty being £17 million or 10% of turnover. A maximum daily penalty of £100,000 applies to ongoing breaches. The maximum fines for failing to comply with an information notice or an inspection would be set at £10 million.

Kanishka Narayan

I have two points to make to the shadow Minister on defining turnover. As he will be well aware, “turnover” is a technical term that is best defined in secondary legislation, to keep up to date with accounting principles that at times vary from sector to sector. He asked for factors that might contribute to definitions. The specific determination of turnover will be set out in secondary legislation, but we intend to establish a presumption that only the turnover of the regulated entity that breaches the direction will be considered for determining penalties on this point.

Question put and agreed to.

Clause 48 accordingly ordered to stand part of the Bill.

Clauses 49 to 52 ordered to stand part of the Bill.

Clause 53

Power to direct regulatory authorities

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to consider the following:

Clauses 54 to 56 stand part.

Government amendments 23 and 24.

Clauses 57 and 58 stand part.

Kanishka Narayan

This group concerns the power for the Secretary of State to issue directions to the NIS regulators, as well as general provisions relating to the power and the power to direct regulated entities. That includes the procedure for reviewing, varying or revoking directions, the procedure whereby Parliament can scrutinise these directions, how information concerning directions can be shared, the means by which directions can be issued and the clarifications of key terms concerning part 4 of the Bill. I shall speak to each clause in turn.

Clause 53 grants the Secretary of State the power to direct NIS regulators in the exercise of their NIS functions, where it is necessary and proportionate in the interests of national security. The current system requires regulated entities to undertake “appropriate and proportionate” measures to secure themselves against cyber-threats. Regulators issue guidance to their sectors to help them to interpret that duty. However, geopolitical or technological developments could lead to rapid, unexpected increases in the cyber-threat that quickly leave whole sectors vulnerable and create a national security risk.

In such circumstances, it is essential that the Secretary of State can leverage the expertise and powers of NIS regulators to drive the implementation of enhanced security procedures and practices. For example, they may need to direct a regulator to issue an urgent advisory to its sector regarding new cyber-threats or to update guidance on what measures are “appropriate and proportionate” for them to take. This power will not extend to other Government Departments or devolved Governments, for which any actions to mitigate significant national security threats will be agreed through engagement.

Given the changing nature of national security threats, there may be times at which a national security direction needs to be varied or revoked. Clause 54 introduces powers for the Secretary of State to change the content of a direction, or revoke it altogether, where it is necessary and proportionate to do so in the interests of national security. The Secretary of State will be able to vary a direction to add new requirements, or to simplify directions by removing requirements that are no longer needed. To ensure that regulated entities are able to make representations, the Secretary of State is required to consult them before a direction is varied, where practicable. This requirement does not apply if consultation would be detrimental to the interests of national security.

15:45
Moving on, I reiterate that these powers equip the Secretary of State to act in defence of the UK’s national security. While it is important that the Secretary of State can act swiftly and decisively to protect the UK from major cyber-risks, it is right that the Government are held to account in their use of these powers via parliamentary scrutiny.

Clause 55 therefore requires the Secretary of State to lay copies of directions, and any variations of them, before Parliament. However, this requirement does not apply if laying them before Parliament would be contrary to national security. The clause includes caveats that, when laying a direction before Parliament, the Secretary of State can exclude details that could pose a risk to national security or might unreasonably harm an organisation’s commercial interests.

Clause 56 introduces important powers for the Secretary of State and NIS regulators to share information they have collected while overseeing requirements in, or related to, a direction, where this is necessary for national security. The clause enables information to be shared by the Secretary of State and NIS regulators with each other and with other regulators, GCHQ, other UK public authorities and public authorities overseas.

The clause specifies that information can be shared only where this is necessary for national security, and where the information is relevant and proportionate to the purpose of the sharing. It provides reassurance that information disclosed under this clause will not constitute a breach of any obligation of confidence or restriction on disclosure. It also clarifies that information cannot be shared where disclosure is prohibited under the Investigatory Powers Act 2016. Information sharing within these parameters has a vital role to play in enabling greater co-operation between organisations supporting national security in the UK and with allies overseas.

Clause 57 contains important information on how directions and notices issued by the Secretary of State to regulated entities or regulators may be given to the recipient. It explains that a direction or notice can be delivered by hand, left at the appropriate address, posted or emailed. It contains information on which addresses and email addresses notices and directions can be sent to. Government amendments 23 and 24, tabled in my name, are technical amendments to simplify the process for issuing documents under the national security powers in part 4 of the Bill.

Under clause 57, as the Bill currently stands, a regulator may contact a regulated person only using the person’s published email address, even if the regulated person has provided an alternative preferred email address to the regulator. Where those email addresses differ, and the address provided to the regulator is correct, this may cause problems for issuing and enforcing a direction on a regulated entity. Government amendments 23 and 24 resolve this issue by allowing a regulator to contact a regulated person using either their published email address or an email address that the person has provided to the regulator.

Clause 58 clarifies how key terms used in part 4 should be interpreted. It does so by cross-referencing how those terms are defined in earlier parts and clauses of the Bill, ensuring consistency of meaning throughout. In order to ensure that unexpected changes to sectoral risk that impact the UK’s national security can be mitigated, and that the directions regime can operate effectively with appropriate parliamentary scrutiny, I ask the Committee to support these clauses and minor amendments.

Dr Spencer

Clause 53 would grant the Secretary of State powers to issue directions to regulators where this is necessary for national security reasons, and to allow a reasonable period for the regulator to comply with that direction. Clause 54 provides that directions may be amended or revoked by the Secretary of State. Under clause 55, directions to regulated entities or regulators must be laid before Parliament unless that

“would be contrary to the interests of national security.”

I repeat my earlier question about the ISC’s role regarding scrutiny. Clause 56 would permit the Secretary of State and regulatory authorities to share any information obtained under part 4 with each other and the NCSC. The provision also allows for the sharing of information with other UK or overseas public authorities with equivalent cyber-security or national security functions. Government amendments 23 and 24 seek to amend that clause to provide for directions and notices issued under this part to be sent by email to relevant persons who provided those contact details to regulatory authorities.

Some reassurance on the extent of information sharing for businesses is delivered through provisions specifying that disclosures of information should be limited to that which is relevant and proportionate. However, those are high-level and subjective terms, open to interpretation by the authority sharing the information. Can the Minister provide any update on the development of protocols between authorities to ensure that information shared is limited to that which is necessary for effective oversight and enforcement in relation to national security risks?

Kanishka Narayan

On the shadow Minister’s first point, I repeat what I said earlier and, of course, acknowledge his concern. I assure him that, while a direction can only be issued out of necessity for national security, it does not follow that public knowledge of that direction or its contents would compromise national security. I would expect a pretty extensive scope of such directions and, therefore, an appropriate channel of scrutiny in Parliament.

On his question of protocols to ensure information shared is not just proportionate in general, but specific to the purpose of national security specified, I am happy to give him the assurance that the Bill contains it and that, in the process of working out implementation, we will make sure that regulators are focused on developing those protocols.

Question put and agreed to.

Clause 53 accordingly ordered to stand part of the Bill.

Clauses 54 to 56 ordered to stand part of the Bill.

Clause 57

Means of giving directions and notices

Amendments made: 23, in clause 57, page 83, line 8, at end insert—

“(za) an email address provided to a regulatory authority as an address for contacting that person,”

This amendment would ensure that a direction or notice can be given to a person using an email address which has been provided to a regulatory authority as a contact email address.

Amendment 24, in clause 57, page 83, line 11, leave out

“there is no such published address”

and insert—

“no email address has been so provided or published”.—(Kanishka Narayan.)

This amendment is consequential on Amendment 23.

Clause 57, as amended, ordered to stand part of the Bill.

Clause 58 ordered to stand part of the Bill.

Clause 59

Extent

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clauses 60 and 61.

Kanishka Narayan

I will speak to clauses 59, 60 and 61 in turn. Clause 59 clarifies that the Bill’s provisions apply to England and Wales, Scotland and Northern Ireland. That is consistent with the Network and Information Systems Regulations 2018.

Effective implementation is key to a successful regime. Clause 60 outlines the phased commencement timings of the provisions, ensuring that they commence at an appropriate time. Some of the provisions will commence upon Royal Assent, or two months after Royal Assent, allowing the Government to begin implementing the regime without delay. That includes powers for the Secretary of State to lay important secondary legislation required to operationalise some measures in the Bill upon Royal Assent, and the power to publish a statement of strategic priorities at month two. All remaining measures will be brought into force via regulations, allowing the Secretary of State to sequence implementation in a way that is practical and proportionate, allowing for transitional arrangements and business adjustments. That also allows sufficient time for the implementing regulations to be made and scrutinised, and is required to make operational and implement the new, stronger framework.

Clause 61 clarifies that the Bill can be referred to as the Cyber Security and Resilience (Network and Information Systems) Act 2026 once passed.

Question put and agreed to.

Clause 59 accordingly ordered to stand part of the Bill.

Clauses 60 and 61 ordered to stand part of the Bill.

New Clause 2

Register of foreign powers for the purposes of Part 4

“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.

(2) Foreign powers designated by the Secretary of State under subsection (1) must include states—

(a) which have been confirmed by GCHQ as having—

(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,

(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or

(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,

(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

(3) Regulations under this section are subject to the affirmative resolution procedure.

(4) In this section, ‘foreign power’ means–

(a) the sovereign or other head of a foreign state in their public capacity;

(b) a foreign government, or part of a foreign government;

(c) an agency or authority of a foreign government, or of part of a foreign government;

(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or

(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—

(i) hold those posts as a result of, or in the course of, their membership of the party, or

(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”

This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.—(Dr Spencer.)

Brought up, and read the First time.

Dr Spencer

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss the following:

New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk

“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –

(a) from activities undertaken outside of the UK, or

(b) from foreign owned or controlled infrastructure or locations within the UK.

(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –

(a) the findings and conclusions of the review conducted under subsection (1), and

(b) the Government’s plan for addressing the risks identified.

(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –

(a) a review has been conducted under subsection (1), and

(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”

This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.

New clause 13—Statement on risks posed to systems by foreign interference

“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.

(2) Any statement under this section must—

(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;

(b) include risks associated with—

(i) hardware,

(ii) software,

(iii) supply chains,

(iv) procurement processes, and

(v) the use of, or reliance on, foreign technologies or systems;

(c) include a specific focus on government digital procurement processes.

(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”

This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.

New clause 15—Review of high-risk bodies

“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.

(2) A review under this section must assess—

(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;

(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and

(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.

(3) In this section—

“relevant body” means—

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.

“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;

“network and information systems” has the meaning given by section 24(1).”

This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.

Dr Spencer

New clause 2 contains an obligation for the Secretary of State to establish and maintain by regulation a list of foreign powers presenting a significant cyber-security risk to the UK. The list must include states that have been confirmed by GCHQ as having perpetrated a cyber-attack, whether by a state department, agency or affiliate, on the UK in the preceding seven years. It must also include foreign powers that GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

New clause 3 would compel the Secretary of State to review and report to Parliament on the risk to networks and information systems posed by foreign powers appearing on the register under new clause 2, with specific regard to activities undertaken from abroad and the risk posed by locations or premises controlled by those states in the United Kingdom. New clauses 13 and 15, in the name of the hon. Member for Henley and Thame, look as if they have been tabled in the same spirit of genuine concern about the risk of foreign hostile state interference and control in critical systems and supply chains.

There is an established precedent in UK legislation for maintaining registers or lists of hostile state actors and other entities presenting a threat to our national security for use by Government. That includes the foreign influence registration scheme under the National Security Act 2023, which came into effect last year. Russia and Iran were placed on an enhanced tier of the scheme, which applies to foreign powers considered to pose a risk to the UK’s safety or interests. The Government said that that was in response to those countries being identified as presenting an elevated national security risk. China was conspicuous by its absence, despite the director of GCHQ having confirmed in 2024 that her organisation devotes more resource to China than to any other single mission.

16:00
New clause 2 would compel the Government formally to recognise what is readily apparent to His Majesty’s loyal Opposition, our security services and so many Members on both sides of the House, who have spoken with urgent concern about the security risk that China poses to the United Kingdom. In 2024, the NCSC confirmed that Chinese state-affiliated actors were responsible for cyber-attacks on the UK Electoral Commission and Parliament in 2021-22. China would therefore clearly meet the criteria to be included on the Secretary of State’s register under this clause.

The NCSC has also issued stark warnings about the cyber-security threat that China poses to critical sectors in the UK in its 2024 and 2025 annual reviews. The NCSC stated that the targeting of energy, transportation and water sectors could be laying the groundwork for future disruptive and destructive cyber-attacks and is a clear warning about China’s intent to threaten essential networks. Yet the Government remain reluctant to name China as a threat to UK national security, including during recent high-profile debates such as those relating to the profoundly regrettable decision to green-light the China super-embassy planning application.

Chris Vince

The shadow Minister will forgive me for taking the opportunity to defend the Government and the Prime Minister; I was not expecting to do that in this Committee this week. I reassure Members across the House that this Prime Minister and Government put national security first. The shadow Minister will know that intelligence agencies have been consulted about the relocation of the Chinese embassy. He will also be aware that the proposed new site at Royal Mint Court is actually further away from this place than the current site.

Dr Spencer

Frankly, I find it astounding that, according to my understanding, in response to the planning decision being granted our security services said that they would take measures to start moving sensitive digital cables. It strikes me that a decision about sensitive digital cables should have been pertinent to the planning application in the first place.

The Government remain reluctant to name China as a threat to UK national security, despite the overwhelming and growing portfolio of evidence. In case the Government are still in any doubt, we need look only at the oral testimony given to this Committee by the Inter-Parliamentary Alliance on China for a clear picture of the role of China and its state affiliates at the forefront of the cyber-security threats to our critical sectors.

Given that established and growing threat, new clause 3 would compel the Secretary of State to review, among other matters, the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. In the Commons debate on the embassy application in June last year, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) reminded the Minister for Housing and Planning that the Government’s own cyber-security experts, Innovate UK, have warned about the threat to the City of London from the embassy. My hon. Friend made specific reference to the Wapping telephone and internet exchange that would be surrounded on three sides by this new embassy—not to mention the fibre cables I referred to earlier, which carry highly sensitive information and run beneath this site.

Chris Vince

I recognise that the shadow Minister cares passionately about the security of this country—as do I, which is why we are discussing the Bill. But does he not recognise that the site was purchased by the Chinese Government in 2018? There is a potential threat whether or not the new embassy is built there.

Dr Spencer

I do not want to repeat the discussion that we had a moment ago. I think it is complete lunacy to permit the building of a super-embassy—one of the biggest in the region—next to highly critical data transmission. I am also concerned by media reports that the Prime Minister’s recent visit to China was greenlighted only following the final approval of the embassy. I am deeply depressed that, following the visit, Jimmy Lai has been effectively sentenced for life. I respect the tone and constructive way in which the hon. Member for Harlow approaches this debate, but it is fair to say that the Government are sadly weak on standing up to hostile state actors such as the Chinese Communist party.

As I said at the start, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical cyber-security risks to the nation. I therefore submit that the new clauses are a vital addition to the Bill to focus the attentions of the Secretary of State to ensure that her functions under part 4 are carried out in the best interests of our national security. No responsible Government would or should vote against such provisions. Parliament should make it crystal clear that the Chinese Communist party is a threat to the United Kingdom. We must support new clauses 2 and 3.

Ordered, That the debate be now adjourned.—(Taiwo Owatemi.)

16:06
Adjourned till Tuesday 24 February at twenty-five minutes past Nine o’clock.
Written evidence reported to the House
CSRB29 NCC Group (supplementary)
CSRB30 CrowdStrike
CSRB31 VIRTUS Data Centres
CSRB32 UK Cyber Security Council

Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)

The Committee consisted of the following Members:
Chairs: Emma Lewell, † Esther McVey, Dr Andrew Murrison, Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
† Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
† Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
† Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
MacNae, Andy (Rossendale and Darwen) (Lab)
† Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty’s Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Public Bill Committee
Tuesday 24 February 2026
(Morning)
[Esther McVey in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
09:25
The Chair

I remind Members to send their speaking notes by email to Hansard and to switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind all Members, particularly the Minister and the shadow Minister, to speak loudly, slowly and clearly in support of others in the room.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

On a point of order, Ms McVey. I seek your advice with reference to the debate on clause 43, on 10 February. I draw Members’ attention to my question to the Minister in Hansard about parliamentary scrutiny of directions:

“Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 10 February 2026; c. 212.]

The Minister responded: “Yes.”

We received a letter over the recess dated 19 February—we are very grateful to the Minister for writing to us—which states something slightly different:

“The Government’s default position is that copies of directions will be laid in Parliament, to enable all parliamentarians to scrutinise the Government’s use of…powers. Where this is not possible for national security reasons, alternative options for scrutiny could be used, such as allowing for directions to be read in private reading rooms or briefing individual shadow ministers. As such, we are confident that alternative options are available for scrutiny when directions cannot be laid in Parliament for national security reasons.”

“Will” is different from “could” and “are available”. Given that we have moved beyond the debate on clause 43, what options are there for the Minister to either clarify those remarks or correct the record?

The Chair

I thank the shadow Minister for getting those comments on the record. Would the Minister like to address those points?

The Chair

The shadow Minister can keep us updated on whether that has happened.

New Clause 2

Register of foreign powers for the purposes of Part 4

“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.

(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –

(a) which have been confirmed by GCHQ as having—

(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,

(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or

(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,

(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

(3) Regulations under this section are subject to the affirmative resolution procedure.

(4) In this section, ‘foreign power’ means–

(a) the sovereign or other head of a foreign state in their public capacity;

(b) a foreign government, or part of a foreign government;

(c) an agency or authority of a foreign government, or of part of a foreign government;

(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or

(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—

(i) hold those posts as a result of, or in the course of, their membership of the party, or

(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”—(Dr Ben Spencer.)

This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.

Brought up, read the First time, and Question proposed (10 February), That the clause be read a Second time.

Question again proposed.

The Chair

I remind the Committee that with this we are considering the following:

New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk

“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –

(a) from activities undertaken outside of the UK, or

(b) from foreign owned or controlled infrastructure or locations within the UK.

(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –

(a) the findings and conclusions of the review conducted under subsection (1), and

(b) the Government’s plan for addressing the risks identified.

(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –

(a) a review has been conducted under subsection (1), and

(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”

This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.

New clause 13—Statement on risks posed to systems by foreign interference

“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.

(2) Any statement under this section must—

(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;

(b) include risks associated with—

(i) hardware,

(ii) software,

(iii) supply chains,

(iv) procurement processes, and

(v) the use of, or reliance on, foreign technologies or systems;

(c) include a specific focus on government digital procurement processes.

(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”

This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.

New clause 15—Review of high-risk bodies

“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.

(2) A review under this section must assess—

(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;

(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and

(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.

(3) In this section—

‘relevant body’ means—

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.

‘foreign state-owned enterprise’ means a body corporate in which a foreign state has a controlling interest;

‘network and information systems’ has the meaning given by section 24(1).”

This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.

Freddie van Mierlo (Henley and Thame) (LD)

I rise to speak to new clauses 13 and 15, standing in my name.

New clause 13 would require the Secretary of State to publish, within 12 months, a comprehensive statement on how the Government intend to manage the risks of foreign interference in our critical systems. It calls for steps to be taken to assess the need for a digital sovereignty strategy. We need to know not just how we will fight cyber-threats but whose technology we will rely on to do it. The new clause would force the Government to set out a plan to explicitly assess risks in hardware, software and supply chains.

We should ask what is being done to support UK tech and home-grown cyber-security. We cannot claim to be serious about national resilience if the very infrastructure protecting our critical systems is outsourced abroad to vendors we cannot fully trust. New clause 13 would require the Government to explain how they intend to mitigate the risks associated with reliance on foreign technologies. It would also require the Government to assess the need to encourage and support the use of domestic technologies. That would turn cyber-security into an engine for growth. By identifying high-risk foreign vendors, and pivoting to trusted, home-grown alternatives, we could improve our security and create high-skilled jobs here in the UK. For those reasons, I will press new clause 13 to a vote.

I now turn to new clause 15. How can we be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad? New clause 15 would ensure transparency and force the Government to look at the threat of foreign ownership. The threat to British democracy from foreign interference is clear and present. From Russian money flooding into politics, and Chinese surveillance and intimidation, to foreign oligarchs buying influence, our democratic institutions are under sustained attack. The previous Conservative Government failed the UK. They failed to take the threat posed by Russia seriously, they weakened the Electoral Commission and they allowed foreign money to distort our politics. They withdrew from international commitments at precisely the wrong moment.

This Government have made some welcome moves, but they do not go far enough. Over the last few years, we have seen a rise in cyber-attacks on critical infrastructure. Across the country, schools have closed, airports have been shut, local councils have been hacked and retail stores have been crippled. New clause 15 would require the Government to review the security risks posed by critical suppliers and essential service providers, and to flag which of those are linked to foreign states. It would also push the Government to evaluate whether current powers are sufficient to address these threats. I intend to push new clause 15 to a vote.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.

We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.

The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.

In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.

Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.

Kanishka Narayan

It is a pleasure to serve with you in the Chair, Ms McVey.

I thank the shadow Minister, the hon. Member for Runnymede and Weybridge, for the new clauses in his name, which would require the Secretary of State to create a register of foreign powers that pose a threat to UK cyber-security, to review that register, and to lay a report before Parliament. This is intended to inform the use of powers granted under part 4 of the Bill. I empathise with the shadow Minister’s concerns that hostile foreign actors could target the network and information systems of operators of essential services or critical suppliers. That is a clear risk, and one that we are addressing through the Bill.

As drafted, the Bill grants the Secretary of State new powers to issue national security directions to regulated entities or regulators where their compromise poses a national security risk. So long as those tests are met, the powers may be used by the Secretary of State irrespective of the actor that is causing the national security incident or threat.

New clause 2 would require the creation of a register of foreign states that pose a risk to the UK based on GCHQ advice. I reassure the shadow Minister that regardless of the proposed new clause, any decision to use the powers in this part of the Bill will be informed by expert national security advice from GCHQ. As a result, it is unclear what additional support the proposed register would provide to the Secretary of State when, for example, deciding whether to issue a direction to a regulated entity.

Additionally, the report required by new clause 3 would effectively be a list of the vulnerabilities of the network and information systems of our essential services, and would therefore be an asset to malicious actors. That would be counterproductive to national security. The new clause would allow the Secretary of State not to publish part or all of the report, if publishing would be contrary to the interests of national security. However, it is unclear how even part of the report could be published without harming national security, given its intended content.

Drafting a report of vulnerabilities that cannot be disclosed to Parliament without harming national security would simply duplicate existing assessments, and run the risk of distracting Government from more effective measures to protect from hostile foreign actors. That is not to say that we shirk transparency about these kinds of risk. The Government are already able to communicate with Parliament and the public about such cyber-security risks where it is appropriate to do so, through things such as the National Cyber Security Centre’s annual report and advisories. I therefore kindly ask that the shadow Minister withdraw the new clause.

I thank the hon. Member for Henley and Thame for the Liberal Democrat new clauses in his name, which would require the Secretary of State to publish a statement of how the Government intend to address risks posed by foreign actors to UK network and information systems, and to assess how many entities regulated by the NIS regime are owned in part or in full by foreign states.

Let me reassure the hon. Member that the Government take the risks posed by foreign interference seriously. The NCSC’s annual reviews continue to highlight cyber-risks to the UK from foreign actors, as well as measures to mitigate those risks. We have robust processes for assessing such threats, drawing on the expertise of the intelligence community, including the National Cyber Security Centre and the National Protective Security Authority.

The measures introduced by the Bill will boost the security and resilience of network and information systems across essential services, managed services and relevant digital services, protecting them from the risks of foreign interference. Where that is not enough, the Bill provides a backstop: the new direction powers in the Bill will enable the Government to protect our critical services from exactly those kinds of national security risks. We will be able to require a regulated entity to undertake any action that is necessary and proportionate for national security in response to the threat of a compromise. Conducting assessments of the ownership structures of the many thousands of in-scope entities within six months would be disproportionately resource intensive, distracting Government from more effective measures to protect our services.

Publishing a review identifying national security risks caused by foreign state ownership, or assessing whether our powers are adequate, as the Opposition’s new clause 3 would require, would provide valuable insight to our adversaries. As I have previously set out, there is a clear pathway for Government to communicate with Parliament and the public about such cyber-risks where it is appropriate to do so, but where we identify specific concerns, it is right that we retain the ability to assess and respond without disclosing our conclusions to those who might exploit them.

Finally, it is worth pointing out that, as drafted, new clause 13 is not aligned with the intended scope of the Bill. The Bill is solely concerned with entities that are currently, or could one day be, regulated under the NIS regulations. This new clause would require a statement on the risks posed to all UK network and information systems, which is a significant broadening of the scope of NIS-regulated entities and sectors. Similarly, the focus on Government procurement seems outside that scope, given that Government network and information systems are not wholly regulated by the Bill. For those reasons, I ask that the hon. Member for Henley and Thame kindly consider not pressing his amendment.

Dr Spencer

I am grateful to the Minister for his response, but we have seen over the past six months, especially with the alleged spying incidents in Parliament, the Government’s resistance to recognising the Chinese Communist party as a threat. When it comes to our new clause 3 and concerns over transparency, we have also seen, in the last few weeks, that there are mechanisms—for example, the Intelligence and Security Committee—to ensure the disclosure of documents, while preserving national security. I would therefore like to press new clauses 2 and 3 to a vote.

Question put, That the clause be read a Second time.

Division 2

Question accordingly negatived.

Ayes: 6

Noes: 8

New Clause 3
Register of foreign powers for the purposes of Part 4: review of nature of risk
“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –
(a) from activities undertaken outside of the UK, or
(b) from foreign owned or controlled infrastructure or locations within the UK.
(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –
(a) the findings and conclusions of the review conducted under subsection (1), and
(b) the Government’s plan for addressing the risks identified.
(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –
(a) a review has been conducted under subsection (1), and
(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”—(Dr Ben Spencer.)
This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.
Brought up, and read the First time.
Question put, That the clause be read a Second time.

Division 3

Question accordingly negatived.

Ayes: 6

Noes: 9

New Clause 4
Review of effect of information sharing and analysis centres
“(1) The Secretary of State must, within six months of the passing of this Act, conduct a review of the effect of information sharing and analysis centres on the security and resilience of network and information systems in regulated sectors.
(2) Following the conclusion of a review under subsection (1), the Secretary of State must publish and lay before Parliament a report which –
(a) identifies advantages and challenges associated with the operation of information sharing and analysis centres;
(b) identifies sectors in which the establishment of information sharing and analysis centres is likely to be beneficial for the purposes of increasing the security and resilience of systems; and
(c) where the establishment of further information sharing and analysis centres is likely to be beneficial, sets out a plan for the establishment of such centres.
(3) In this section –
“information sharing and analysis centres” means organisations –
(a) whose membership is primarily comprised of entities operating within a regulated sector for the purposes of the NIS Regulations and this Act,
(b) that are independent of the designated competent authority or authorities for the relevant regulated sector, and
(c) whose aim is to increase cyber security among its membership.
“regulated sectors” means sectors and subsectors under the regulatory oversight of designated competent authorities as defined at section 3 and Schedule 1 of the NIS Regulations (as amended by this Act).”—(Dr Ben Spencer.)
This new clause would require the Secretary of State to conduct a review of the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established.
Brought up, and read the First time.
09:44
Dr Spencer

I beg to move, That the clause be read a Second time.

This new clause would require the Secretary of State to review the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established. The financial services industry has successful voluntary schemes—the Cyber Defence Alliance, and the Financial Services Information Sharing and Analysis Centre—which act as hubs for collaboration on all matters relating to the prevention, detection, mitigation and investigation of cyber-threats and criminality impacting members. These organisations provide an essential alerting and co-ordinating role for their members, including providing intelligence and technical support during ongoing incidents. They can assist in building partnerships contextualised to particular sector risks.

According to Richard Starnes of the Worshipful Company of Information Technologists, companies

“may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them.”

And he said that if the FS-ISAC were replicated

“on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 64, Q75-76.]

Bradley Thomas (Bromsgrove) (Con)

On the point about information sharing with a view to bolstering resilience, Marks and Spencer reported to me that it was surprised to have received more information from the FBI on the origin and impact of the cyber-attack that it suffered than it received from UK authorities. That should adequately demonstrate why sufficient data sharing is required to underpin our resilience and bolster our strength.

Dr Spencer

That information is concerning. I entirely agree with my hon. Friend that information sharing is important when dealing with evolving threats.

Lincoln Jopp (Spelthorne) (Con)

I am grateful to the shadow Minister for giving way, if only to repeat what my hon. Friend the Member for Bromsgrove has just said. The Minister and the Government Whip were both on their phones, and I do not think they were fully concentrating on the fact that M&S has reported that it got more information about its information loss from the FBI than from our own agencies. I repeat that for the record so that the Minister has a chance to concentrate on that very important information.

Dr Spencer

I thank my hon. Friend for his intervention, which is more for the Minister and the Government Whip’s benefit than mine.

Properly established ISACs will not only increase real-time awareness of cyber-risks and mitigations, but could also alleviate some of the burden on regulators in terms of sector-specific intelligence analysis. Industry feedback and experience from the adoption of the Network and Information Systems Regulations 2018 indicate that sectoral regulators are unlikely to have the capacity to assist with intelligence sharing in relation to real-time cyber-risks.

We know from the sectoral regulators’ oral evidence that building sufficient capacity for effective regulatory oversight is a challenge. Where we have models for sector-led and market-led good practice in hardening cyber-resilience, we should look at how it can be rolled out further. Seeing more of these organisations emerge could even lead to broader adoption beyond NIS-regulated areas to other industries. ISACs have the potential to become integral nodes in improving whole-of-society cyber-resilience, and it is an approach called for by many cyber industry stakeholders. I therefore commend new clause 4.

Kanishka Narayan

I thank the shadow Minister for this amendment, which would require the Secretary of State to review how information sharing and analysis centres support the functioning of the NIS regime and what steps the Government can take to improve them.

I recognise the intent of this new clause. These centres play a key role in promoting collaboration and co-ordination in the cyber-security space, allowing organisations to share information, intelligence and best practice. In fact, the UK already benefits from a range of such initiatives, many of which are facilitated by the National Cyber Security Centre. In its latest annual report, the NCSC noted that more than 200 companies now meet regularly in trust groups to exchange intelligence and best practice, and to support each other in incident response. NIS regulators also support organisations to share information with each other in sector-specific groups.

However, while I fully endorse the value of those initiatives, I do not believe it is the Government’s role to review how they operate or to mandate how or where they are established. Such centres are meant to be a forum in which organisations can voluntarily engage in the exchange of information. As such, they operate most effectively where the initiative for participation comes from the organisations themselves or from technical authorities such as the NCSC.

The Government are, of course, committed to ensuring that the information-sharing provisions within the Bill are effective, and that will be assessed through the formal review of the legislation already required under clause 40. I kindly ask the shadow Minister to withdraw the new clause.

Dr Spencer

In response to the Minister’s comments, clause 40 is about a review; it does not provide any direction, other than for the Secretary of State to do their job in reviewing this area. I will press new clause 4 to a vote.

Question put, That the clause be read a Second time.

Division 4

Question accordingly negatived.

Ayes: 6

Noes: 9

New Clause 5
Duty on Secretary of State to report on the meeting of existing recommendations and implementation deadlines
“(1) The Secretary of State must, at least once in every 12-month period, lay before Parliament a report outlining the Government’s progress towards meeting—
(a) the recommendations made in the National Audit Office’s report on Government Cyber Resilience of 29 January 2025, and
(b) the implementation milestones set out in the Government’s Cyber Action Plan of 6 January 2026
so far as they relate to the security and resilience of network and information systems.
(2) Any report under this section must, where a deadline or implementation date has not been met in relation to the matters set out in subsection (1) above, include—
(a) an explanation for the failure to meet the deadline or implementation date;
(b) a revised deadline or implementation date and a plan for meeting the new date.”—(Dr Ben Spencer.)
This new clause would require the Secretary of State to report annually on the Government’s progress towards taking actions relating to the security and resilience of network and information systems arising from the NAO’s January 2025 report on the Government’s cyber resilience and from the Government’s Cyber Action Plan.
Brought up, and read the First time.
Dr Spencer

I beg to move, That the clause be read a Second time.

The National Audit Office’s 2025 report on cyber-resilience highlighted that Government Departments and agencies are among the weakest links in the UK’s cyber-security ecosystem and lack a credible plan to become cyber-resilient in the short to medium term. The Government play a key role in the management of certain critical national industries, but the continuing cyber-security vulnerabilities in the IT systems used to operate CNI expose the UK to the threat of serious attacks that could undermine national security and the economy.

That is not to mention the risk to enormous amounts of highly sensitive data held on Government systems. Dr Sanjana Mehta of ISC2 said in her oral evidence that the Department for Work and Pensions administered £288 billion of benefits over the past year, with more than 23 million people claiming benefits of some kind. That activity involves processing vast amounts of personal, medical and financial data, which presents rich pickings for malicious actors.

The feedback from industry stakeholders, many of whom are being asked by the Government to take on onerous security and reporting obligations under this Bill, echoes those concerns regarding Government cyber-immaturity. There is a strong sentiment that the Government should be leading by example, as Chris Anley of the NCC Group commented in the Committee’s oral evidence sessions.

In view of the growing risk posed to UK cyber-security by hostile state actors, by their affiliates and by criminal gangs, improving Government cyber-security is urgent. It is clear from the NAO’s findings and other recent reports that Government Departments have lacked the clear goals and necessary accountability to incentivise tackling this significant challenge.

In his letter of 19 February to members of the Committee, the Minister said:

“Government will be held to equivalent cyber security requirements that we expect of the essential and digital services in scope of the Cyber Security and Resilience (Network and Information Systems) Bill.”

But as matters stand, there are no effective legal mechanisms for accountability to Parliament on increasing Government cyber-resilience to the standards necessary to meet the intensifying threats facing our Government Departments and agencies.

New clause 5 would compel the Secretary of State to make yearly reports to Parliament setting out the Government’s progress towards meeting the recommendations of the National Audit Office’s 2025 report on Government cyber-resilience and towards meeting the standards they set themselves in their recent cyber action plan. Where necessary, the Secretary of State would have to account for failures to meet deadlines for implementation and issue a new plan to achieve compliance.

In moving this new clause, I am aware of the challenges that successive Governments have faced in driving up cyber-resilience standards. There are serious practical and budgetary obstacles that can impede progress, such as the vast amount of legacy IT equipment that remains in use, which is inherently more vulnerable to attack. Moreover, there is the ongoing problem of recruiting highly skilled cyber-security professionals to work in these roles, given the competition in the recruitment market and constraints on public sector salaries. Illustrative of that challenge is the worrying statistic, cited by Chris Anley of the NCC Group, that

“almost a third of cyber-security posts in Government are presently unfilled”.––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 24, Q29.]

None the less, the Government have now put in place a plan that they consider achievable, and they should be held to account for it. The new clause creates a mechanism for that much-needed accountability.

Lincoln Jopp

Does the shadow Minister agree that if Labour Members vote against new clause 5, it would be a classic case of “Do as I say, not as I do”? If they are happy to go on the record as voting it down on that basis, does the shadow Minister agree there would be an element of what is politely termed “variable geometry”? The more direct word is “hypocrisy”.

Dr Spencer

My hon. Friend is absolutely right.

Dave Robertson (Lichfield) (Lab)

It is interesting to hear the hon. Member for Spelthorne say that this is apparently hypocrisy and the shadow Minister agree with him. The National Audit Office report was published on 29 January 2025, barely six months after the general election, so it was really commenting on 14 years of Conservative-led Governments. I think it is pertinent to put it on record that there has been a lack of focus in this area for far too long, and I am glad that the Government are introducing legislation. If we are to have comments such as that made by the hon. Member for Spelthorne, I feel it is appropriate to have something on the record to counter it.

Dr Spencer

I agree about the importance of putting things on the record. Since the hon. Member obviously has not been listening to my speech, he can check it out on the record. I acknowledged the challenges in this area—[Interruption.] Does the Government Whip want to intervene, or was she just chuntering? I will continue.

Given that the Bill puts quite a burden on the private sector, as we discussed over several sittings before the parliamentary recess, I think it is important that the Government recognise, as my hon. Friend the Member for Spelthorne said, that it would be pretty shameless not to vote for accountability for themselves while putting it on other people. Let us see how the vote goes. I commend new clause 5 to the Committee.

Kanishka Narayan

I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.

We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.

Chris Vince (Harlow) (Lab/Co-op)

I declare an interest as a member of the Public Accounts Commission, which regularly scrutinises the National Audit Office. Can the Minister give some reassurance to Labour Members, who are being accused of hypocrisy, that we do make sure that the highest levels of cyber-security are met?

10:00
Kanishka Narayan

My hon. Friend is right. Where the Conservative party did absolutely nothing and continues with its hypocrisy, I am glad to inform hon. Members that this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

New clause 5 simply asks the Government to commit to reporting back on meeting the milestones they have set themselves for increasing cyber-security standards. Is the Minister confident in the Government’s ability to deliver on their cyber strategy, or is the document not worth the paper it is written on?

Kanishka Narayan

I simply repeat my prior sentence: this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.

In addition, the Government’s cyber action plan was published in January this year. It sets out how the Government will rapidly improve the cyber-security and resilience of public services to deliver a step change in cyber and digital resilience across the public sector. The plan sets out clear accountability structures to ensure that cyber-risks at all levels of Government are actively owned and effectively managed, with those responsible held to account.

Alison Griffiths

The continued use of legacy IT equipment is a particular vulnerability across the Government estate. That will take some time to address entirely, but is there a strategy in place to prioritise the upgrading of this legacy equipment, given that it is one of the greatest areas of exposure?

Kanishka Narayan

The hon. Member makes a very important point. We have heard of two major sources of risk from a cyber point of view: legacy technology and technology debt, and frontier AI attacks. The Government’s cyber action plan is not technology-specific, but both those sources of risk are very much on my mind, and I will make sure they are also on the mind of those implementing the Government’s cyber action plan.

I assure Members that we will continue to work with Parliament to support oversight of the plan’s implementation and to explore additional avenues for scrutiny of the Government’s cyber-resilience to guarantee the right level of accountability. I therefore kindly ask the shadow Minister to withdraw his new clause.

Question put, That the clause be read a Second time.

Division 5

Question accordingly negatived.

Ayes: 6

Noes: 9

New Clause 7
Impact of reporting requirements on relevant bodies
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish and lay before Parliament—
(a) a review of the impact, on relevant bodies, of—
(i) the requirements relating to the notification of incidents in Parts 3 and 4 of the NIS Regulations (as amended by this Act); and
(ii) any additional incident notification requirements made by regulations under this Act; and
(b) proposals for the creation of a single cyber incident reporting channel for relevant bodies.
(2) A review under this section must consider –
(a) the costs of requirements on relevant bodies; and
(b) interactions with other incident reporting regimes.
(3) In this section, “relevant bodies” means operators of essential services, critical suppliers or digital service providers, as defined by the NIS Regulations.”—(Dr Ben Spencer.)
This new clause would require the Secretary of State to review the impact of incident reporting requirements on relevant bodies, and to set out proposals for a single incident reporting channel.
Brought up, and read the First time.
Question put, That the clause be read a Second time.

Division 6

Question accordingly negatived.

Ayes: 6

Noes: 9

New Clause 10
Consultation on resourcing of regulatory authorities and regulated persons
“(1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing—
(a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and
(b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1).”—(David Chadwick.)
This new clause would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations, and whether additional government support is required.
Brought up, and read the First time.
David Chadwick

I beg to move, That the clause be read a Second time.

The purpose of new clause 10 is to ensure that regulatory authorities and regulated persons have adequate resources and capabilities to carry out their responsibilities. Fundamentally, this is a question of state capacity. Surely it is hard to disagree with that statement. We can pass legislation in this House, but if the regulators tasked with enforcing that legislation lack the resources and capabilities to fulfil their duties, and if the businesses subject to the new requirements lack clarity about what is required of them, the Bill will remain little more than words on a page.

Cyber-resilience cannot be achieved through legislation alone, poor and weak though this piece of legislation is; it must be delivered by regulators with properly trained staff, clear guidance and sustained investment in enforcement and oversight. Without that foundation, even the strongest legal framework risks becoming ineffective. The new clause would create a vital statutory reality check. It would require the Secretary of State within one year of the Act coming into force to consult with regulators and regulated organisations, and report to Parliament on whether the regulatory system is equipped to function under the new rules. The new clause asks a simple but essential question: do the bodies responsible for protecting our critical digital infrastructure have the people, funding, tools and skills that they need to succeed?

Laws work only if the people enforcing them have the time, money, expertise and systems to do so properly. The scale of the challenge is already clear. Research from ISC2 shows that 88% of organisations that have suffered cyber-incidents link those breaches directly to skills shortages. If regulators themselves face similar skills or operational shortages, enforcement will be slow, inconsistent and ultimately ineffective, and may leave businesses facing uncertainty about what is required of them.

The new clause would help to ensure that issues are identified early and addressed proactively, rather than after a major cyber-security incident exposes weaknesses in our regulatory system. For this legislation to work, it requires fully funded and effective regulators. That is why I will press the new clause to a vote.

Dr Spencer

This new clause, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations. Historical levels of regulatory oversight and enforcement in relation to the NIS regulations 2018 have fallen short of what is necessary to achieve meaningful cyber-resilience across regulated sectors. The second post-implementation review of the NIS regs 2018, conducted in 2022, found that incident reporting on the part of regulated entities was very low, with only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021 respectively.

A review conducted by the Worshipful Company of Information Technologists identified a near total absence of formal financial sanctions under the NIS regulations, with zero confirmed major penalties from 2021 to 2024. The model has not been conducive to effective discharge of regulatory responsibilities, with knock-on effects for cyber-resilience and regulated industries, yet regulators will be expected to oversee a far larger pool of regulated bodies and process a far larger number of incident reports under the Bill’s provisions. It is therefore right for us to scrutinise carefully whether regulators are in a position to meet these obligations.

In the evidence sessions, many of my questions to witnesses, including those from Ofgem, Ofcom and the Information Commissioner’s Office, focused on their preparations to meet the demands of their expanded roles. It was clear from feedback that although regulators understand what they need to do to prepare, the practical challenges associated with securing sufficient resource are far from resolved. I would therefore be grateful if the Minister could clarify his plans to review regulators’ progress and what the key milestones will be to ensure that regulators can discharge their new duties alongside their existing ones when these provisions come into effect.

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clause, which seeks to require a consultation on the resourcing and capabilities of regulators and regulated entities, assessment on whether additional Government support is needed, and a report on the findings. I reassure the hon. Gentleman that the Bill was developed in close collaboration with regulators and industry to ensure that regulators have the right information and tools to implement it.

The Bill already requires the Government to produce two regular reports to monitor the effectiveness of the legislation, and those would naturally include reviews of whether resourcing and capability were impacting on the effectiveness of the regime. The first of those is the annual report on regulator activities in relation to the statement of strategic priorities. The second is the report on the operation of the legislation, which must take place at least every five years.

Lincoln Jopp

While we are talking about resources and the application of the Bill, I raise with the Minister that, on page 102 of the impact assessment, it states that the going rate for a contract lawyer is £34 an hour. To my mind, that is out by a factor of probably 10. In the 10 days since our last sitting, has the Minister had a chance to re-examine the impact assessment and discover whether that was a genuine error? That number gets multiplied many times in the impact assessment. Has he had a chance to look into that?

Kanishka Narayan

The hon. Member has made that point a couple of times before. I am happy to write to him about the calculations, so that he is able to understand the survey and the significant uplift on which the figures are based.

In response to the hon. Member for Brecon, Radnor and Cwm Tawe, given that the two reports can already include the topics addressed by his new clause, adding another report would risk confusing their purposes and increasing administrative burdens on those involved unnecessarily. The Government will not hesitate to adapt our support offering based on the findings of those reports. That will include using our flexible mechanisms—for example, updating our guidance to regulators, the statement of strategic priorities and the code of practice. Beyond that, we will continue to engage with regulators as the Bill is implemented, and consider whether any other means of improving regulators’ and regulated entities’ resourcing and capabilities are necessary and proportionate. For those reasons, I ask the hon. Member to withdraw his new clause.

Question put, That the clause be read a Second time.

Division 7

Question accordingly negatived.

Ayes: 2

Noes: 9

New Clause 13
Statement on risks posed to systems by foreign interference
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.
(2) Any statement under this section must—
(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;
(b) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains,
(iv) procurement processes, and
(v) the use of, or reliance on, foreign technologies or systems;
(c) include a specific focus on government digital procurement processes;
(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”—(Freddie van Mierlo.)
This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.
Brought up, and read the First time.
10:15
Question put, That the clause be read a Second time.

Division 8

Question accordingly negatived.

Ayes: 2

Noes: 9

New Clause 14
Cyber security support service for SMEs
“(1) The Secretary of State must, by regulations, make provision for the establishment and operation of a cyber security support service for relevant small and medium-sized enterprises (SMEs) for the purposes of improving the security and resilience of their network and information systems.
(2) For the purposes of this section, a relevant SME is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
(3) A support service established under this section must provide—
(a) advice and technical assistance to SMEs following a cyber incident; and
(b) guidance on recovery and remediation.”—(Freddie van Mierlo.)
This new clause would require the Secretary of State to establish a cyber security support service for relevant SMEs.
Brought up, and read the First time.
Freddie van Mierlo

I beg to move, That the clause be read a Second time.

The new clause would place a statutory duty on the Secretary of State to establish a support service dedicated to improving the resilience of small and medium-sized enterprises and, crucially, to provide them with assistance when the worst happens. SMEs are the backbone of our economy. Their growth and continued operation are essential to a strong economy. We heard evidence that even large corporations find it hard to justify the investment in cyber-security and resilience when faced with competing priorities and investment needs. It forms the rationale of the Bill putting this need on a statutory footing, but small and medium-sized businesses undoubtedly find it even harder to make the investments required in cyber-security.

I know from having worked in SMEs at the start of my career that companies experience growing pains and need support in navigating complex statutory requirements. It is not just support for SMEs before an attack takes place that the clause would provide for, but also after. For SMEs, a cyber-attack is not just a disruption; it can be an existential threat to their existence. The clause would ensure that when an SME is hit, they have access to the support they need.

Bradley Thomas

Given that the threshold for a significant impact event will likely be much lower for an SME than for a larger corporation, and while acknowledging and agreeing that SMEs are the backbone of the economy and make up the vast majority of companies that employ people in this country, how does the hon. Gentleman propose to strike the relevant balance between ensuring that SMEs are supported, and at the same time that they are not inundated and overwhelmed as a result of that significant impact threshold likely being much lower for SMEs?

Freddie van Mierlo

The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.

Dr Spencer

New clause 14, tabled by the hon. Member for Henley and Thame, addresses concerns regarding the capacity of SMEs to comply with their regulatory obligations, should they be brought within the scope of the Bill. That matter has been discussed on several occasions by the Committee. That is only right given that, according to figures provided by NCC Group, SMEs make up over 99% of businesses in the UK but too often lack the skills and budgets to implement proportionate cyber-protections, leaving them particularly exposed.

SME cyber assistance schemes akin to the one proposed by the new clause have been rolled out in Scotland on a limited basis and in Australia, where the Government are investing 8 million Australian dollars over three years to provide free person-to-person support for small businesses during and after a cyber-attack. Those schemes have enjoyed some success in hardening cyber-resilience among SMEs that have been able to access them. That can only be welcomed.

There is a case for looking more closely at whether regulation is the appropriate first step to address the cyber-resilience of the smallest organisations that might be brought within the scope of regulation, as legal compliance efforts could detract from already pressured operational defence budgets. In giving evidence to the Committee, Jill Broom of techUK called for strategies

“such as financial incentives, or…tax credits”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 18, Q20.]

to help SMEs improve their cyber-resilience, and techUK has suggested that funding or relief could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first. In the light of those considerations, what analysis has the Minister’s Department conducted of the likely return on investment, in terms of sustainability and growth among smaller companies, of a cyber support service for UK SMEs?

Kanishka Narayan

New clause 14 would require the Government to establish a dedicated support service for small and medium-sized enterprises that are operators of essential services, relevant digital service providers, relevant managed service providers or critical suppliers. That would include provision of advice, technical assistance and recovery guidance following a cyber-incident. It is worth noting that the Bill exempts small and micro enterprises from the regulations as relevant digital service providers or relevant managed service providers. Although regulators can designate a small or micro entity as a critical supplier, very few are expected to meet the threshold for criticality in practice. Similarly, there are limited examples of small or micro operators of essential services.

Improving the cyber-security of our nation’s small and medium-sized businesses is important for the resilience of our wider economy. That is why the Government have developed a wide range of free tools, guidance and training to help those businesses implement cyber-security measures. Such tools include the recently launched cyber action toolkit, which provides small and medium-sized businesses with tailored advice and the offer of free 30-minute consultations with NCSC-certified cyber advisers. Report Fraud, a reporting service for cyber-crime and fraud, runs a 24/7 cyber business incident reporting line, with regional cyber-resilience centres across England and Wales also providing support for small and medium-sized businesses, including incident response and business continuity advice in line with NCSC standards.

I hope that reassures the hon. Member for Henley and Thame that there is already considerable support available for small and medium-sized entities. Considering that, a new dedicated service is unnecessary, and it could divert resources from existing Government and NCSC schemes and impact our efficacy. For those reasons, I hope he will withdraw the new clause.

Question put, That the clause be read a Second time.

Division 9

Question accordingly negatived.

Ayes: 2

Noes: 9

New Clause 15
Review of high-risk bodies
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
‘relevant body’ means—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations;
‘foreign state-owned enterprise’ means a body corporate in which a foreign state has a controlling interest;
‘network and information systems’ has the meaning given by section 24(1).”—(Freddie van Mierlo.)
This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.
Brought up, and read the First time.
Question put, That the clause be read a Second time.

Division 10

Question accordingly negatived.

Ayes: 2

Noes: 9

New Clause 16
Board oversight of security and resilience of network and information systems
“(1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body’s network and information systems.
(2) In exercising oversight, the management body must—
(a) approve the approach taken by the body to the management of risks to the security and resilience of the body’s network and information systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.
(4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.”—(David Chadwick.)
This new clause would require active board oversight of, and accountability for, security and resilience measures, where a relevant body is governed by a board or similar body.
Brought up, and read the First time.
David Chadwick

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss new clause 17—Requirement for regular testing of network and information systems

“(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.

(2) Testing undertaken in accordance with this section must –

(a) be proportionate, having regard to the size, nature and risk profile of the business; and

(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.

(3) A relevant body must document –

(a) the outcomes of testing undertaken in accordance with this section; and

(b) any remedial actions required or taken in response to the testing.

(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.

(5) For the purposes of this section, a relevant body is one which is –

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.”

This new clause would require bodies to carry out proportionate, periodic testing of the security and resilience of their network and information systems and provide the results to regulatory bodies upon request.

David Chadwick

New clauses 16 and 17 work in tandem to align the Bill with best practice among our European neighbours, introducing measures that would strengthen ongoing oversight and enhance preparation, therefore improving the UK’s cyber-resilience before incidents occur.

New clause 16 would make cyber-resilience a core responsibility of organisational leadership. It would require boards to oversee security arrangements, approve risk management approaches, satisfy themselves that protections are working on an ongoing basis and, importantly, be accountable. Numerous witnesses that we have spoken to over the past month told us that cyber-security deserves the most senior level of oversight. In fact, those professionals from within the industry told us that they desperately need this to happen to make sure that they can do the job that the Government are asking of them. ISACA, an organisation that I remember looking up to when I was working in cyber-security, has said that it supports both our new clauses.

Bradley Thomas

While I agree with the hon. Member, and acknowledge witnesses’ evidence suggesting that cyber-security should be a board-level responsibility, does he share my concern that, given the complexity and technical nature of cyber-security, there is perhaps a risk of, for want of a better phrase, window dressing? It may be that non-competent people without the relevant technical expertise could be reliant on reports issued by other technical staff who do not sit at board level. We have to strike the right balance. Does the hon. Member share that concern, and how does he propose we address that?

David Chadwick

One of the measures that the new clause would introduce is a requirement for board members to receive education. Clearly, it is necessary for boards to understand cyber-security risk, and the new clause is about putting that into legislation. Board accountability is the cornerstone of corporate governance. Corporate governance is one of the reasons for the Bill. We have seen drastic failures in corporate governance across the UK in numerous sectors. Financial services, historically, is one sector that corporate governance has completely failed in, yet the Conservatives continued to support it with tax cuts.

All we are saying with our new clause is that boards need to be held accountable for the cyber-risk that they pose, and that making boards responsible for that obligation helps the cyber-security professionals responsible for securing those organisations to do their jobs properly. ISACA has 8,000 members. They are the people who will be carrying out this work. Surely, we should listen to them when they tell us that this is what they need. It was not just one organisation that told us that either.

Boards have an obligation to oversee financial risk, for which they need financial literacy. Cyber-risk deserves the same treatment. Importantly, this would bring the UK into line with international best practice. The European Union’s NIS2 framework explicitly places cyber accountability at senior management level, and makes the same demands of board oversight in these areas. That is why it is confusing again to see the Government diverging from that framework without a clear explanation of why. It is not clear why the UK should be settling for less. Why have the Government taken that out?

10:30
New clause 17 seeks to bolster our protections by requiring regular and proportionate testing to identify and remedy weaknesses before they escalate. The digital world moves quickly. Threats evolve constantly and defences that worked last year may already be obsolete. Regular internal testing exposes weaknesses before attackers can, and offers the opportunity for early, easy fixes. Documenting results and sharing them upon request with regulators ensures transparency and strengthens a regulator’s ability to identify suspicious patterns across their sector before they materialise into a real crisis. This is about prevention and not reaction. Once more, similar provisions are made in the EU by legislation such as the Digital Operational Resilience Act for financial services businesses. The UK surely deserves the same opportunity for preventive protections.
Together, the new clauses would create leadership responsibility, continuous assessment and improvement—
Lincoln Jopp

Will the hon. Member give way?

Lincoln Jopp

I am a little confused—which is easily done, I hasten to add. The new clause says:

“The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.”

Does the hon. Member not think that the directors of companies are already responsible and accountable for their companies? Why does the state need to tell them more about those responsibilities?

David Chadwick

I think this once more comes down to state capacity and how we see the state’s role. Clearly there needs to be an expansion of the state’s powers—that is why the Bill was introduced—to mandate in writing various requirements of the companies that provide the critical infrastructure upon which our country relies. The hon. Member will remember the numerous witnesses who told us that board accountability was crucial. Some told us that in public and some in private. They are the people who are doing this job, and whom the Government are asking to do this job. That is why we should listen to them and why we will press the new clauses to a vote.

Emily Darlington (Milton Keynes Central) (Lab)

The new clauses raise a really important point about security by design implemented within companies, and within the companies that provide cyber-security technology to them. An hon. Friend of mine tabled an amendment, which we are not speaking about today, on a similar subject.

Security and safety by design is something that we talk about quite often in this area. It may not be appropriate for this Bill, but I am keen to hear how we will progress those discussions, because ultimately we do want to prevent cyber-attacks. We need to make sure that companies, small and medium-sized enterprises, major infrastructure and local government all have access to technology and infrastructure that looks at security by design in its own design right from the outset, because that is what makes us most secure.

How will we take forward those discussions, and extend the idea that already exists in legislation, through the Online Safety Act 2023, about safety by design, in order to ensure that products around cyber-security have this at their heart, and deliver the prevention mechanism that I think we all want to see—especially the small businesses and organisations that are victims of such attacks?

Dr Spencer

New clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.

On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?

Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clauses. I will speak first to new clause 16, which seeks to require boards or equivalent management bodies of operators of essential services, relevant digital service providers, relevant managed service providers and critical suppliers to take specific measures to oversee the security and resilience of their network and information systems.

Board-level engagement is a necessary part of proactively and effectively managing cyber-risks. That is why we published the cyber governance code of practice last spring, as part of a wider package of action to support boards in more effectively governing digital risks to enhance their organisation’s cyber-resilience. More recently, the Secretary of State, together with the Chancellor, the Business Secretary, the Security Minister, and leaders of the NCSC and NSA, wrote to the CEOs and chairs of the UK’s leading organisations, asking them to make cyber-risk a board level priority.

I agree with the hon. Member that going further on board-level responsibility is necessary. That is why we will introduce security and resilience requirements in secondary legislation, following consultation. We will consult on proposals that are consistent with the NCSC’s cyber assessment framework, as we confirmed in our policy statement last year. The cyber assessment framework includes comprehensive measures on good cyber governance, including clear board level responsibility. It is important that industry is consulted on those measures, that they form part of a holistic package on security and resilience, and that they can be updated flexibly over time. We intend to consult on proposals for security and resilience requirements and wider implementation plans later this year.

New clause 17 seeks to require all organisations in scope of the Bill to test the security and resilience of their network and information systems. We agree that proportionate cyber-security testing is critical to identifying and mitigating vulnerabilities in systems and networks. Organisations in scope need to take appropriate and proportionate measures to manage risks to network and information systems on which they rely, and that can include testing of network and information systems. In particular, relevant digital service providers are already required to account for testing as part of their overarching security duty. Additionally, all regulators can use their powers to mandate testing by an inspector, or by the regulated entity, to verify compliance or investigate potential failures.

I reassure the hon. Member that we are going further. We will be updating and providing more detail on the measures that regulated entities need to take, as well as setting strategic objectives for regulators. As I have said before, our proposals for the security and resilience requirements in secondary legislation will be consistent with the NCSC’s cyber assessment framework, which includes measures on appropriate testing.

David Chadwick

Is the Minister aware that the financial services industry is required to conduct regular testing of its systems, and that sectors like aviation and nuclear have designated individuals in their security organisations who are responsible for overseeing those sorts of practices?

Kanishka Narayan

I thank the hon. Member for his point. I am also aware that the National Cyber Security Centre’s cyber assessment framework has very specific measures on appropriate testing as well. It already exists, and we want to make sure that it is an important part of specific security and resilience requirements in secondary legislation.

It is crucial that industry is consulted on the nature of any requirements related to testing. As mentioned, we intend to consult on the proposals later in the year. We will also issue a statement of strategic priorities for regulators, and will explore whether that is an appropriate vehicle for driving consistency in the behaviours of regulators in respect of their approach to testing for their sector.

Overall, any approach to going further on proportionate and regular testing must be developed alongside the full set of security and resilience requirements, and co-ordinated and communicated with a wider package of implementing measures. That will allow the impact of options to be assessed, and provide the industry with clarity on the overall approach, including how the components fit together.

The shadow Minister asked about the consideration of NIS2 requirements. We have looked at NIS2 provisions, and variability in member states’ implementation of it, as part of a wider set of considerations on which we will be consulting regarding secondary legislation on governance.

My hon. Friend the Member for Milton Keynes Central made an incredibly important point about security by design, which I very much take into account. The Government Digital Service is already working on a secure by design standard. We want to make sure that it is as robust as possible, and extend it across not just the public sector but parts of the private sector. I will make sure that security by design remains at the heart of the Government’s cyber action plan, as well as that of the private sector.

Emily Darlington

I thank the Minister for that commitment. Would he consider setting up a meeting between GDS and those MPs who have expertise in this area, so that we can share our expertise and reassure ourselves that this is going in the right direction and at the speed that is necessary?

Kanishka Narayan

My hon. Friend has extensive expertise, from which I benefit extensively. I will be keen to make sure that the Government Digital Service does so too.

In the light of those commitments, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe not to press the new clauses.

David Chadwick

During the evidence sessions, numerous very knowledgeable witnesses called for these new clauses, so I will push them both to a vote.

Question put, That the clause be read a Second time.

Division 11

Question accordingly negatived.

Ayes: 2

Noes: 9

New Clause 17
Requirement for regular testing of network and information systems
“(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.
(2) Testing undertaken in accordance with this section must –
(a) be proportionate, having regard to the size, nature and risk profile of the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.
(3) A relevant body must document –
(a) the outcomes of testing undertaken in accordance with this section; and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.”—(David Chadwick.)
This new clause would require bodies to carry out proportionate, periodic testing of the security and resilience of their network and information systems and provide the results to regulatory bodies upon request.
Brought up, and read the First time.
Question put, That the clause be read a Second time.

Division 12

Question accordingly negatived.

Ayes: 2

Noes: 9

New Clause 18
Computer Misuse Act 1990: security and resilience of network and information systems
“(1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines—
(a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review;
(b) the review’s conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and
(c) the Government’s intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review.”—(Freddie van Mierlo.)
This new clause would require the Secretary of State to review, within 12 months, whether amending the Computer Misuse Act 1990 could improve the resilience of network and information systems, and to report the government’s intentions to Parliament.
Brought up, and read the First time.
Freddie van Mierlo

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss new clause 19—Vulnerability research: review of the merits of a statutory defence—

“(1) The Secretary of State must, within twelve months of the passing of this Act, review the extent to which an amendment to section 1 of the Computer Misuse Act, with the effect of introducing a statutory defence available to individuals undertaking ethical vulnerability research, would improve the security of the network and information systems of relevant bodies.

(2) A review under this section must consider whether a statutory defence would enable relevant bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.

(3) For the purposes of this section—

(a) ‘ethical vulnerability research’ means access, whether authorised or otherwise, to computer material with the intention of identifying vulnerabilities to cyber attacks, where—

(i) the research is aimed at enhancing the resilience of the network and information system of a relevant body or relevant bodies, and

(ii) the findings of the research are kept securely, shared only with those responsible for the security or resilience of the network and information system concerned, and shared solely for the purpose of enhancing the security or resilience of the network and information system concerned;

(b) ‘relevant bodies’ means operators of essential services, critical suppliers, digital service providers or managed service providers, as defined by the NIS Regulations.”

This new clause would require the Government to review whether the resilience of relevant organisations could be enhanced by introducing a statutory defence to s1 of the Computer Misuse Act, so that a person could be deemed not guilty if they engage in vulnerability research in the public interest.

Freddie van Mierlo

New clause 18 would place a duty on the Government to review within 12 months whether our over-30-year-old Computer Misuse Act is holding back the very cyber-resilience that the Bill seeks to build. The Government’s own impact assessment for the Bill identifies a key market failure: imperfect information. It states that businesses lack awareness of their own cyber-risks, leading to under-investment in security. We must ask why that information is imperfect. We believe that it is partly because the Computer Misuse Act 1990 prevents cyber-security professionals from undertaking legitimate public interest activity to identify those risks, so ethical hackers cannot provide the necessary information.

New clause 18 ties the review specifically to the security and resilience of network and information systems regulated by the Bill. It asks a simple question: does the Computer Misuse Act 1990 help or hinder the resilience of our critical infrastructure? For that reason, I wish to seek a vote on new clause 18.

10:45
Dr Spencer

I will speak to new clause 19, tabled in my name on behalf of His Majesty’s official Opposition. The new clause would compel the Secretary of State, within 12 months of Royal Assent, to review the need for a statutory defence, encompassing legitimate cyber-research activities, to criminal offences under clause 1 of the Computer Misuse Act 1990, which is about unauthorised access to computer programs.

The campaign for reform in this area, CyberUp, has argued that, in its current form, the CMA inadvertently criminalises critical activity such as vulnerability research and threat intelligence, both of which are essential for defending the nation’s digital systems. The new clause would also require the Secretary of State’s review to evaluate whether the creation of such a defence would enable regulated bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.

New clause 18, tabled by the hon. Member for Henley and Thame, relates to the same important topic and would require the Secretary of State to review, and report to Parliament within 12 months of the Bill’s entering into law, whether amending the Computer Misuse Act could improve the resilience of network and information systems.

Hon. Members will recall the insightful oral evidence of Professor John Child of the University of Birmingham. Professor Child made a clear and compelling case for the need to amend the Computer Misuse Act to provide statutory defences for legitimate cyber-research—sometimes called ethical hacking activities. Likewise, campaign groups, industry specialists and parliamentarians have all argued that the Computer Misuse Act, which was written before the modern internet, is no longer fit for purpose.

At present, the Act fails to distinguish between malicious attackers and cyber professionals acting in the public interest, inadvertently criminalising a large proportion of research that UK cyber-security professionals can carry out to protect UK critical infrastructure and the UK’s technological ecosystem. This means that cyber-security professionals working to defend UK organisations from real-world threats risk prosecution. That has created a chilling effect—talent is being lost, investment is stifled and security gaps are going unidentified.

If we are to have true UK cyber-resilience—not just among regulated sectors, but across businesses of all types and throughout society—we need a multifaceted approach. Industry and private sector-led initiatives will play a strong role in that. Professor Child made clear that countries that have implemented more favourable regimes, such as the US and Israel, are benefiting from increased cyber-resilience as a result of cyber-research activity.

The Government have acknowledged that reform of the CMA is a pressing issue. Indeed, the Home Office has been reviewing that question for some time. Further, the Minister for Security, the hon. Member for Barnsley North (Dan Jarvis), highlighted the urgent need for changes to the law in this area in a recent speech, stating that Government have

“heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake.”

He went on to say:

“These researchers play an important role in increasing the resilience of UK systems, and securing them from…vulnerabilities.

We shouldn’t be shutting these people out, we should be welcoming them and their work.”

Yet the Home Office has brought forward no specific proposals for reform. Parliament is unlikely to legislate again in the cyber-security domain for some considerable time; we cannot afford to kick the can down the road on this vital issue any longer if we are to have a credible plan for whole-of-society cyber-resilience.

David Chadwick

Can the hon. Gentleman address the point of who he thinks would benefit if that Act was repealed?

Dr Spencer

I am a bit unclear about the hon. Gentleman’s intervention. The point I was making was that there is legitimate concern that people doing research into this area and doing threat assessments risk prosecution, so, across the whole of our society, that work is not being done. We have heard quite a lot of evidence from cyber campaigns about the benefits that changes to this law would make to the system, which is why we tabled the new clause. I commend new clause 19 to the Committee. I hope the Minister agrees that now is the time to address the issue.

I suspect that this will be my last, or penultimate, time speaking to the Committee, so I would like to finish by thanking Members on both sides of the Committee for a fun and, at times, robust debate over the past month. I thank the Chairs, the Clerks and all the teams working on the Bill—and Sophie Thorley from my office, who has done incredible research on the Bill.

Kanishka Narayan

I thank hon. Members for their new clauses; I recognise the strong feeling and thoughtful contributions about reforming the Computer Misuse Act.

I speak first to new clause 18, which seeks to place a duty on the Secretary of State to review whether amendments to the Computer Misuse Act could support the security and resilience of network and information systems used for carrying out essential activities. I assure the hon. Member for Runnymede and Weybridge that the Government remain committed to ensuring that the Act remains up to date and effective.

The Home Office is already conducting a review of the Computer Misuse Act, and is developing proposals that arise from its findings. That includes careful consideration of proposals to introduce a statutory defence that would allow researchers to spot and share vulnerabilities. It will provide an update as soon as the proposals are finalised. However, limiting a defence to only the sectors covered by the NIS regime would be impractical. Any package of workable defence would need to be broad enough to apply economy-wide.

New clause 19 raises the introduction of a statutory defence to the Computer Misuse Act. I acknowledge the strong sentiment regarding reform of the CMA. There is no doubt that UK cyber-security professionals play a significant role in maintaining the country’s overall security and resilience. Supporting them is vital.

I agree with the principle behind the new clause: that a defence to section 1 of the Computer Misuse Act could strengthen the resilience of network and information systems by allowing researchers to spot and share vulnerabilities. The Government are already conducting a review of the Computer Misuse Act, and we have made significant progress in developing a proposal for a limited defence to the offence provided for in section 1 of the Computer Misuse Act.

Andrew Cooper (Mid Cheshire) (Lab)

Many of us, on both sides of the House, are sympathetic to both new clauses. We heard very clearly in evidence sessions that the Computer Misuse Act, as it is today, has a chilling effect on the operation of the cyber-security industry in this country and on whether such companies want to locate here as opposed to other countries.

I absolutely hear what the Minister says about the Home Office developing proposals. I wonder whether he can set out a timescale for when those proposals are likely to be brought forward—whether he expects that to be in this parliamentary Session or the next one. The issue is clearly holding back the cyber-security industry in this country, and we would all like to see it resolved.

Kanishka Narayan

My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.

Freddie van Mierlo

I am grateful to the Minister for his reassurances on the ongoing review of the Computer Misuse Act. On that basis, I would like to say that I will withdraw the new clause.

David Chadwick

Will the Minister clarify what he thinks ethical vulnerability research actually constitutes?

Kanishka Narayan

Sure. I would not wish to define it technically, but my understanding is that it is research aimed at ethical hacking. It is effectively trying to find vulnerabilities through simulated attack systems, which can broaden our understanding of risks and vulnerabilities and allow us to mitigate them accordingly.

I return to new clause 19. Limiting a defence to just the sectors covered by the NIS regime would be impractical; any proposal for a workable defence needs to be broad enough to apply across the economy. That is why we are making sure that, through the Home Office, we are working as promptly as possible to ensure a proposal that is strong in its safeguards to prevent misuse. Engagement, including with the cyber-security industry, is already under way to refine our approach.

Dr Spencer

We are a responsible Opposition and we are pleased to hear about the work that the Minister and his Department have been doing and about the shared purpose in getting this done and getting it right. Would he give us a bit more detail of the timescales and plans for public consultation? I understand that he has been doing some personal consultation in private, but will there be a public consultation? Given that the reform crosses two Departments, which Department will be taking it forward? What I am really looking for from him is a confirmation at the Dispatch Box that he is personally committed to getting this piece of work over the line during this parliamentary term.

Kanishka Narayan

I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.

In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.

Freddie van Mierlo

I beg to ask leave to withdraw the clause.

Clause, by leave, withdrawn.

Bill, as amended, to be reported.

10:57
Committee rose.
Written evidence reported to the House
CSRB34 Regulatory Policy Committee (RPC)
CSRB35 iProov (further written evidence)
CSRB37 techUK (supplementary)
CSRB38 Cloudflare
CSRB39 Microsoft