Oral Answers to Questions
(3 days, 6 hours ago)
Commons ChamberRead Hansard Text Watch Debate Read Debate Ministerial Extracts
Richard Foord (Honiton and Sidmouth) (LD)
The Minister for Energy (Michael Shanks)
Happy new year to you, Mr Speaker, and to colleagues across the House. I have temporarily lost hearing in one of my ears so if I am shouting or do not hear every detail of the questions, I apologise in advance.
This Government are determined to strengthen our energy security by moving away from volatile fossil fuels and delivering a clean power system. We have switched off the last coal power station in the UK and have consented enough clean power to power the equivalent of 7.5 million homes. That is how we will tackle the climate crisis, strengthen our energy security and create good jobs across the country.
Richard Foord
The International Renewable Energy Agency reports that in 2024, China installed five times more renewable power than Europe and eight times more renewable power than the United States. In the same year, more than two thirds of our liquid natural gas in the UK came from the United States. In the difficult geopolitical situation we find ourselves in, how are the Government making the UK more self-sufficient for our energy supply?
Michael Shanks
It is a hugely important question. In an increasingly uncertain world, our energy security becomes more and more important, and that is why we are determined not only that we build a clean power system to tackle the most existential crisis that the planet faces—the climate crisis—but that we have home-grown power here in the UK that we control; that is hugely important. Every step we are taking to invest in renewable energy and a new generation of nuclear helps us to do that, but it is also, of course, the economic opportunity of the century, which delivers our energy security and jobs at the same time.
Bill Esterson (Sefton Central) (Lab)
Happy new year, Mr Speaker.
I hope that the Minister, in his new year’s resolutions, will commit to building the case for the energy transition through lower consumer bills, secure jobs, public health improvements through reduced emissions, and indeed energy security. Does he agree that those who oppose climate action are denying our children and grandchildren a future? Will he endeavour to make the case also to fight against the misinformation, disinformation and outright myths peddled by some Opposition Members?
Michael Shanks
Typically, my hon. Friend is right on these points, and yes, it is one of my new year’s resolutions—and I suspect one of my ministerial colleagues’ resolutions as well—for us to redouble our efforts to make the case for this. Just this morning I was reading about yet another study that shows that we underestimate the level of support in the general public for climate action. We have to remember that while there is a lot of noise around this at the moment, the reality is that the public back action on the climate, and it is the right thing to do not just for future generations, as my hon. Friend rightly says, but for our energy security and for good jobs.
Dave Doogan (Angus and Perthshire Glens) (SNP)
Refined hydrocarbon fuels are excluded from the Government’s carbon border adjustment mechanism, meaning that although UK refineries face emissions trading scheme costs of £50 per tonne, overseas fuel producers do not. That is clearly incomprehensibly damaging in economic terms and is self-evidently counterproductive when it comes to climate goals. In terms of energy security, it is pure madness. Refining at Grangemouth and Prax Lindsey are two early casualties of Labour’s failure to understand basic economics. Will the Government now act to protect the four remaining refineries in GB, or will Labour continue with its policy of deindustrialisation dressed up as decarbonisation?
Michael Shanks
Well, I say a happy new year to the hon. Gentleman, as we see his sunny disposition back in this House again!
First, we committed in the Budget to looking at the CBAM inclusion and are working to make that happen. Secondly, of course I have been working with all the refineries to make sure that they are as sustainable as possible. Thirdly, I think the hon. Member has an absolute cheek to come here and talk about deindustrialisation when his party has failed to have an industrial strategy in Scotland for the 18 years it has been in power and when, just before Christmas, it published the flimsiest of flimsy plans for energy security in Scotland, which was mostly made up of pictures and not by any detail. His party has absolutely no credibility on these issues whatsoever.
Mr Toby Perkins (Chesterfield) (Lab)
There are many corporate customers who are keen to decarbonise but find that grid connection forecasts of five or more years stand in their way. Will the Minister tell us what he is doing to speed up business connections to the grid and to ensure that we prioritise those business customers who will make the biggest difference in decarbonising?
Michael Shanks
My hon. Friend raises a hugely important point. The future of the grid is going to be absolutely critical not only to how we get clean power to homes and businesses across the country to bring down bills, but to how we deliver the economic growth the country needs. That is why we have taken two key actions, the first of which is to build the grid we need for the future. That has been opposed by some Opposition Members, but it is critical that we build that future grid. Secondly, we are clearing out the connections queue so that there is space for more projects, like the ones he mentions, to join. Both those actions are critical, and those who oppose the building of new grid infrastructure oppose the exact economic opportunities that my hon. Friend has mentioned.
Richard Tice (Boston and Skegness) (Reform)
Could the Minister explain why the Government have rejected a higher bid for the Lindsey oil refinery that would have kept jobs, kept the refinery open and attracted more investment in favour of a lower bid that is destroying jobs, is mothballing the refinery and is against the growth interests that the Government profess? Can he also confirm whether or not the taxpayer is retaining the decommissioning liabilities of the oil refinery?
Michael Shanks
First, on a positive note in the new year, I believe the hon. Gentleman had some good news over Christmas—I congratulate him on it. He is quite wrong, though, on his question. I should set out, as I did in my oral statement on the Lindsey oil refinery, that this was an insolvency process and it was therefore for the official receiver to conclude the sales process, which it has done. It has taken the highest bid that was on the table. P66 will now take forward the future of that site in a sustainable way and I will continue to work with it on that question. The Government do not retain decommissioning liabilities; they were part of the deal and P66 will take them along with the site.
Dr Jeevun Sandher (Loughborough) (Lab)
Happy new year, Mr Speaker.
We are facing an affordability crisis in this country, and indeed across high-income nations, because of our dependence on fossil fuels. That is why energy prices here have risen by 40% since 2021. Our constituents feel that this is damaging our country and, more importantly, it is damaging the faith that people across this nation have in our democracy to deliver for them. Can the Minister set out how our transition to fossil fuels will help to resolve the affordability crisis and restore faith in this place?
Michael Shanks
That is an important question on two fronts. My hon. Friend rightly mentioned that the transition away from fossil fuels is hugely important for our energy security and for future generations. We in this place have a huge responsibility to safeguard the future of our planet for the generations still to come. His second point was, rightly, that we need to make the case for why this is important now. It is about how we get away from the volatility of fossil fuel prices, which so many of our constituents are still paying the price for, and how we industrialise communities right across the country. Tens of thousands of jobs have been created through the renewables that are already in place and we want to see hundreds of thousands of jobs by building much more of this infrastructure in the UK; that is how we get an economic advantage as well as energy security.
Harriet Cross (Gordon and Buchan) (Con)
In the consultation paper on the future of the North sea, the Government defined windfall prices as $90 a barrel for oil and 90p a therm for gas. Can the Minister tell me the prices of oil and gas today?
Michael Shanks
We have been really clear that the energy profits levy comes to an end in 2030. We have also put in place what the future of that scheme looks like to provide certainty for the long-term future. Of course, the energy profits levy was introduced by the hon. Lady’s party in government. We have been really clear that the energy profits levy comes to an end in 2030 unless the price floor is triggered in the meantime. If the Conservatives are in favour of scrapping the levy, they also have to say where the billions of pounds that it generates will come from in order to fund the public services that our constituents rely on.
Harriet Cross
Either the Minister does not know the current price or he does not want to tell us. Oil today is $62 a barrel and gas 72p a therm—up to a third lower than what the Government themselves define as windfall prices. Despite that, they are still punishing our oil and gas industry with massive windfall taxes. The cost is 1,000 jobs lost every month, production set to halve in the next four years and almost complete dependence on foreign imports of oil and gas by 2030. This Government are going to be responsible for the death of one of our most important industries. Will the Government now end the oil and gas supertax, scrap the mad ban on new licences and finally back the North sea?
Michael Shanks
There are a number of points that I would challenge in the hon. Lady’s question. First, the floor was set by the Conservative party in government and we have not changed it. Secondly, she talks about thousands of jobs lost every month. That is from an important study that was done by a university; it is not a reflection of what has actually happened in the last few months. Although I absolutely take seriously modelling like this, I think we do need to base it in the reality of what has actually happened. Every single job that is lost is of course hugely distressing for communities, but the hon. Lady should talk up the opportunities in the North sea. She says that we are talking down the North sea—in fact, it is her party that repeatedly talks down the opportunities for the future of the North sea in carbon capture and storage, hydrogen, oil and gas decommissioning work, and much, much more. She should talk up those opportunities and be ambitious for the future of the North sea, not talk it down.
Dr Danny Chambers (Winchester) (LD)
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Chris McDonald)
Happy new year and happy Epiphany, Mr Speaker.
Alongside my right hon. Friends the Secretaries of State for Energy Security and Net Zero and for Business and Trade, I am committed to slashing energy costs for British businesses. From April, eligible energy-intensive industries will see an uplift in compensation for electricity network charges, with 90% of costs being covered. We are also consulting on a British industrial competitiveness scheme that includes our plan to exempt over 7,000 businesses from covering the costs of some our historic renewables levies.
Dr Chambers
Small and medium-sized businesses are the absolute lifeblood of our economy. Many of them, including the amazing Bar Lento—a Spanish café in Winchester that I spend a lot of time in—are the beating hearts of our communities. The average electricity bill for a small business is now £240 a month, and 92% of such businesses say that they will increase prices to deal with energy volatility. Unlike households, businesses do not benefit from an energy price cap, so they face the consequences of energy volatility all the time. Does the Minister agree that this is failing small businesses, and will he commit to a review of how to end the wild west of energy regulation?
Chris McDonald
The hon. Gentleman raises the issue of energy volatility. I hope that it was clear in my previous answer that the Government are not satisfied with the position as it is. Of course, that energy volatility has historically been caused by our reliance on oil and gas and on petrostates and dictators. Clearly, the Conservatives wish to return to that policy. This Government’s clean power mission will ensure that we have energy security for the future. Unlike the climate-denying policies of the Conservatives and Reform, which would destroy jobs and investment in this country, our policies will deliver energy security and green energy for our small and large businesses, and for domestic consumers.
Rachel Taylor (North Warwickshire and Bedworth) (Lab)
Many pupils have returned to cold school classrooms this week. That is why I am delighted that Kingsbury school, St Michael’s Church of England academy and All Saints Church of England academy in Bedworth, and Ash Green school, have all received funding to install solar panels. Will the Minister outline what support those schools will receive to install the panels, and how the panels will help them to cut their energy bills?
Mr Speaker
That kind of relates to education. Can you bring it back to energy, Minister?
Chris McDonald
I think this shows how committed the Government are to supporting a reduction in costs across all our services, including education and health, through the installation of solar panels. We saw a massive increase in solar installations in the UK last year—equivalent to enough energy generation to power 2 million homes. Not only do solar installations benefit our domestic consumers and enable the creation of green energy, but by installing solar on rooftops such as those of schools and hospitals, we are taking maximum advantage.
Tom Collins (Worcester) (Lab)
Ms Polly Billington (East Thanet) (Lab)
The Secretary of State for Energy Security and Net Zero (Ed Miliband)
The 2023 generation costs report published under the previous Government shows the levelised cost of electricity to build and operate a new gas-fired power station to be significantly higher than the cost of onshore wind, solar and offshore wind in the most recent renewables auction round. Renewables are a cheaper technology to build and operate than new gas-fired power stations.
Tom Collins
The National Energy System Operator’s clean power 2030 plan relies on unabated gas power stations, without a clear plan for their decarbonisation after 2030. The forthcoming hydrogen strategy presents a natural opportunity to set long-term goals for the wider integrated energy system, including hydrogen-fired combined cycle gas turbine generation, and long-term salt cavern energy storage at scale. Will that strategy include a quantified pathway with delivery milestones for transitioning dispatchable power, and will NESO be required to incorporate that pathway into its planning?
Ed Miliband
My hon. Friend asks an important question. In our 2030 clean power plan, we talk precisely about the importance of low-carbon dispatchable power as a way forward. I am really proud of what is happening with our carbon capture and storage plans and Net Zero Teesside. Additionally, it will be an important part of our forthcoming hydrogen strategy, as he says.
Ms Billington
Current global instability, from Ukraine to Venezuela, has shown the vital importance of having domestic energy security. Does the Secretary of State agree that investing in renewables will help with both security and cost, particularly because they are cheaper to build and operate, as well as providing us with vital energy security in an uncertain world?
Ed Miliband
My hon. Friend is right. The figures that came out from NESO over Christmas show that we had extra renewable power in 2025 equivalent to powering 2 million homes; that is 2 million homes that will not be powered by imported gas. That gives us the price stability that we never had under the previous Government. The fundamental lesson at a time of geopolitical instability is that home-grown clean power is what gives us the certainty we need.
Wera Hobhouse (Bath) (LD)
According to Government figures, output from new solar projects costs around £41 per megawatt-hour compared with roughly £140 per megawatt-hour for the lifespan costs of new gas power. I know the Secretary of State agrees with me and RenewableUK that clean energy remains the energy with the lowest cost, but how do we ensure that the British public agree with us?
Ed Miliband
The hon. Lady has just done a good job of highlighting the importance of this matter, and she gets to the crucial point. The Opposition parties that reject solar, onshore wind and offshore wind are rejecting cheap, clean, home-grown power for the British people, which we on the Government Benches are in favour of.
Jim Shannon (Strangford) (DUP)
I thank the Secretary of State very much for his answers. Not only is cost important when it comes to looking at gas-fired power stations; it is also important to ensure that communities have an input into the planning process. Has that been central to the formation of any policy on gas-fired power stations? Has he had the opportunity to share those thoughts and that information with the Northern Ireland Assembly, which wishes to look at the possibilities for Northern Ireland?
Ed Miliband
We have regular discussions with the Northern Ireland Assembly and the Executive on a range of issues. On the hon. Gentleman’s point about nationally significant projects, it is absolutely right that communities have input into these questions. Certainly in the case of home-grown low-carbon power, we want communities to see the benefit, because by hosting infrastructure, including low-carbon infrastructure, communities are doing a service to the country.
Claire Coutinho (East Surrey) (Con)
Happy new year, Mr Speaker.
This is just nonsense on stilts from the Secretary of State, and we know this because the biggest AI company in the world has said that it will need gas power to succeed in Britain. If a company wants to build its own gas plant here, at no cost to the British taxpayer, the warped green ideology of this Secretary of State, who is obsessed with domestic emissions above everything else, will block it. Those emissions will still exist, as that company will start somewhere, just not here in Britain. Does he agree that that is a completely mad reason to block the growth we need in Britain?
Ed Miliband
I do not really understand what the question was about, but we are in favour of AI and we are working with our colleagues on AI. I have to say that I am glad the right hon. Lady rose to speak on this question, because she has been rumbled by the figures I produced; they came out when she was the Energy Secretary. She goes around saying how much more expensive renewable power is, but the figures that she produced show that renewable power is cheaper to build and operate than gas-fired power stations. She used to believe that, until she jumped on the latest passing bandwagon to suddenly be a net zero sceptic.
Freddie van Mierlo (Henley and Thame) (LD)
The Minister for Energy (Michael Shanks)
Energy resilience is one of my top priorities and I understand the particular challenge in rural communities, which see more frequent power disruption. We work with industry and with Ofgem to ensure that sufficient investment is made into the rural power networks and that support is provided when power cuts occur. I thank all the engineers and support staff who work in difficult circumstances to reconnect communities when power failure does occur.
Freddie van Mierlo
With the increased frequency of stormy weather as a result of climate change, the rural communities I know are sadly all too familiar with long periods without power. What are the Government doing to ensure that older and more vulnerable residents get the support that they need during cuts? Will the Minister commit to delivering a strategic plan to improve the resilience of rural power networks?
Michael Shanks
We review lessons learned after every significant power failure, particularly after storms. There was a significant review after Storm Arwen in 2022, but after every storm we look at whether there are any areas in which we can improve. I regularly meet the Energy Networks Association, which does much of the work with the distribution network operators to ensure that welfare provisions, in particular, are provided as quickly and efficiently as possible. There is much more we can do, but one of the fundamental things is to invest in the future of the grid, which means building grid infrastructure and improving existing infrastructure. Members across the House have to support that grid infrastructure if they want to see as resilient a grid as possible across the country.
Chris Vince (Harlow) (Lab/Co-op)
Nazeing in my constituency is home to many rural businesses, including—as I mentioned before recess—the Lea Valley Growers Association. It has said to me that the biggest challenges it faces are the considerable increase in the cost of energy and energy security, so how does the Minister think the British industrial competitiveness scheme can support rural businesses in my constituency, and the Nazeing growers in particular?
Michael Shanks
I thank my hon. Friend for his question, and I congratulate the businesses in his constituency on doing such a good job. We are determined to bring down the cost of energy for households and businesses across the country. Schemes such as the one he has mentioned demonstrate our commitment to doing that, but the Chancellor also announced in the Budget that households right across the country will have £150 coming off their bill as a result of the decisions that this Government have made to tackle the cost of living crisis. We are determined to support businesses to do the same, and of course in the long term we will reduce the bills of businesses, industry and households by removing gas from the system and delivering the clean power system that will help all of us to have energy security and cheaper bills.
Perran Moon (Camborne and Redruth) (Lab)
The Secretary of State for Energy Security and Net Zero (Ed Miliband)
The decision by my right hon. Friend the Chancellor to take an average £150 of costs off people’s energy bills from April is a reflection of this Government’s commitment to tackling the cost of living crisis. It will make a difference to families across the country and is estimated to reduce by over 1 million the number of people paying more than 10% of their income in energy costs.
Perran Moon
Kensa, based in my Camborne, Redruth and Hayle constituency, is the largest manufacturer of ground source heat pumps to neighbourhoods and council flats, and I know that the Secretary of State and the Chancellor have both visited that company. This technology delivers low energy bills for family finances, but the sector requires policy certainty and a plan to grow. Ministers have been very generous with their time to date, but will the Secretary of State meet me again to discuss how we can provide the certainty and commitment to public funding that will support this technology?
Ed Miliband
I really enjoyed my visit to Kensa—I would recommend that all Members go—which is a really innovative company that is leading in heat pump manufacture. As my hon. Friend knows, we will shortly be publishing our warm homes plan, which will be really important in driving forward heat pump uptake and helping companies such as Kensa, because there is also a massive jobs story that is part of this.
Dr Caroline Johnson (Sleaford and North Hykeham) (Con)
Socialists do have a habit of taking money from people and then asking them to be grateful for getting some of it back, so could the Secretary of State tell us how much the £150 reduction in fees will actually cost taxpayers?
Ed Miliband
I will tell the hon. Lady. We are proud of the fact that in the Budget we raised taxes on the wealthy so that we could cut bills for millions of families across this country. I am so grateful to her for her question, because it illustrates the difference between our parties. This was not an easy thing to do; it was a decision made by this Government, because for too long this country has been run for the wealthy and powerful by the Conservative party. We are changing that and cutting bills for millions of families across Britain.
Bradley Thomas (Bromsgrove) (Con)
This Government’s promise to cut energy bills by £300 is dead in the water, as bills are now £190 higher than when they took office. Now their big idea is to pull the wool over the eyes of the British public by moving some of the costs of net zero from people’s energy bill to their tax bill. Can the Secretary of State answer a very simple question: after the Government’s supposed bill cut takes place in April, will the average energy bill be higher or lower than when Labour came to power?
Ed Miliband
I can tell the hon. Gentleman that bills are going to be lower. [Interruption.] If he just listens, I will tell him. If we compare 2025 to 2024, energy bills are lower in real terms than they were in 2024, and the price cap is also lower. Because bills are still too high, we will make that situation better by taking £150 off bills. The Conservatives opposed every measure in my right hon. Friend the Chancellor’s Budget, yet they also say that they want £150 off bills—they cannot have both. It is this Government who are delivering on the cost of living crisis.
Mr Speaker
I am intrigued, because question 6 has been transferred. It has even got on to the Order Paper. Why did the Department suddenly find out so late that it has been transferred? I do not think it is good practice, and I hope it will not happen again.
Steve Yemm (Mansfield) (Lab)
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Chris McDonald)
In the autumn Budget, the Chancellor announced the transfer of the £2.3 billion reserve to members of the British Coal staff superannuation scheme. Almost 40,000 former mineworkers and colliery staff received their first bonus increase before Christmas, with an average uplift of £100 a week, or a one-off £5,500 lump sum for backdated pensions. That is the difference that this Labour Government are making for coalfield communities.
Steve Yemm
On behalf of many former mineworkers in my constituency who have had that pension reserve fund returned, I thank the Minister and his colleagues for supporting coalfield communities like mine. He will also be aware of my letter last month asking about the future sharing arrangements for scheme surpluses for both the mineworkers’ pension scheme and the BCSSS. Will he provide some clarity on how the Government intend to proceed to resolve this final outstanding injustice?
Chris McDonald
I thank my hon. Friend for the leadership that he has shown on this issue in the House, and for his letter last month. I can inform him that I am meeting the trustees of the mineworkers’ pension scheme on 4 February and of the British Coal staff superannuation scheme on 18 February. The focus of both those meetings is how we can deal with surplus sharing for the future, and I am keen for it to be resolved as soon as possible.
Peter Lamb (Crawley) (Lab)
The Secretary of State for Energy Security and Net Zero (Ed Miliband)
The Government inherited a legacy of huge under-investment in the grid, which piled up constraint costs and created a chaotic system for grid connection, which left crucial projects facing decade-long delays. We are tackling this with a programme of investment and reform, include sweeping changes to the grid connections process, which saw the National Energy System Operator last month set out a massive overhaul of the queue, cutting its size by two thirds and giving priority to the generation projects that we need.
Peter Lamb
Despite its rural setting, Crawley’s travel-to-work area has a larger economy than many of the UK’s core cities. Despite that, it has been held back over recent years due to a lack of grid capacity at its major connection point with the national grid, resulting in the loss of several major investments under the previous Government. Will the Secretary of State look into what can be done to upgrade the connection point and unleash that restrained economic growth?
Ed Miliband
My hon. Friend makes a crucial point. There was this terrible backlog, where the queue had something like five times as much capacity as was required and the wrong priorities. We also had massive problems for demand connection. Our significant reform to overhaul the queue, which had not been done for years and years, will free up demand projects to connect, and I very much hope that projects in his constituency can benefit.
John Milne (Horsham) (LD)
Access to the grid for new energy suppliers is patchy across the country, and it leads to an overconcentration of solar farm and battery energy farm applications in unexpected places, such as the village of Cowfold in my constituency. What action will the Government take to ensure a fair distribution of renewable energy developments?
Ed Miliband
I know that my hon. Friend the Minister for Energy has had discussions with the hon. Member for Horsham (John Milne), and it is important that we have those discussions with Members. One of the important things for this year—it is slightly for the trainspotters, or energy-spotters—is the strategic spatial energy plan, which will set out a pathway for where we need power in the coming years well beyond 2030. As part of that, we should definitely be looking at where in the country are the right places to put the power we need.
Noah Law (St Austell and Newquay) (Lab)
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Martin McCluskey)
Happy new year to you, Mr Speaker, and to other hon. Members.
I am proud that the Labour Government have extended the warm home discount to an extra 2.7 million households, extending the total to around 6 million. The Conservatives opposed that change. It will make a vital difference to so many families this winter, including approximately an additional 220,000 households in the south-west. That is almost double the number of households supported year on year.
Noah Law
I greatly welcome these cuts to forthcoming bills. Notwithstanding those potential improvements, many of my constituents in Roche, for example, live in areas not connected to the mains gas grid, and the initial outlay associated with implementing renewable technologies can be prohibitively expensive for people. Can the scope of the warm homes plan be extended so that areas rich in geological resources but exposed to fuel poverty, such as Roche, can benefit from geothermal heat networks and significantly reduce bills on the back of those cheap renewable sources?
Martin McCluskey
My hon. Friend is a champion not just for his own constituency, but for Cornwall as a whole. We support the development of geothermal projects and recognise, in particular, the potential of geothermal heat as a low-carbon source for heat networks. We will have more to say about that in the warm homes plan, which will be published soon.
Mr Joshua Reynolds (Maidenhead) (LD)
Citizens Advice notes that the warm home discount has not kept pace with rising energy bills and will struggle to touch the sides for families in energy debt. Will the Minister therefore commit to a Government review of whether the £150 discount provides sufficient support for the families who really need it right now?
Martin McCluskey
The Government are gripped by the need to get energy bills down. That is why in April we will take £150 off the cost of energy for everyone in the country, and why we extended the warm home discount this year to 6 million households, almost doubling the previous number, and we will continue to take action to reduce bills for people across the country.
Josh Babarinde (Eastbourne) (LD)
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Katie White)
Happy new year, Mr Speaker.
The Department works closely with the Ministry of Housing, Communities and Local Government. Support for councils includes the local net zero hubs—such as the Greater South East net zero hub, which covers the Eastbourne constituency—and Great British Energy, enabling councils and communities to build a pipeline of local clean energy projects, bringing growth and attracting commercial investment.
Josh Babarinde
Happy new year to you, Mr Speaker, and to the Minister.
Eastbournians without driveways—such as Lauren on Winchcombe Road—are committed to acquiring an electric vehicle in order to reduce their emissions, but they are being let down by Conservative-run East Sussex county council, which has failed to invest in pavement gulleys to allow safe cross-street electric vehicle charging. Will the Minister and her colleagues at MHCLG urge the council to follow the lead of Lib Dem-run Oxfordshire county council and pilot a cross-pavement electric vehicle charging scheme?
Katie White
Local councils play a pivotal role. I work closely with the local net zero delivery group and with UK100, and I have been fortunate enough to visit the Labour-run councils in Leeds and Sheffield to see the excellent local work that they have been doing to support net zero. The hon. Gentleman has made an excellent point about the need to ensure that councils help local people to do what they want to do in this regard, and have the necessary EV infrastructure. It sounds as though there are some good leadership opportunities to learn from other councils.
Anna Dixon (Shipley) (Lab)
Happy new year, Mr Speaker.
I hope that the Minister will join me in commending another council, Bradford council, for its ambitious climate action plan 2025-2028. The plan sets out a pathway to net zero for the Bradford district, including really innovative projects such as a district heat network, new investment in a low-carbon hydrogen industry, creating fantastic jobs, and a massive conversion of street lighting to LED. When it comes to pathways to net zero, does the Minister agree that other councils should learn from councils such as Bradford?
Katie White
I thank my hon. Friend for her excellent question, and for her championing of Bradford council and her constituency. District heat presents a massive opportunity, as I have seen at first hand in Sheffield and Leeds, and, as the Secretary of State pointed out, there are some excellent projects in Cornwall as well. It is great to see Bradford council leading the way. UK100 and councils across the country are at the cutting edge of leading our transition, and it is great to learn from them.
Baggy Shanker (Derby South) (Lab/Co-op)
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Martin McCluskey)
Tackling fuel poverty is a priority for this Government. We will publish a new fuel poverty strategy for England to ensure that many more fuel-poor households are protected by 2030, at the same time as publishing the warm homes plan. We have also expanded the warm home discount to nearly 6 million households, adding approximately 2.7 million additional households to the scheme.
Baggy Shanker
Everyone deserves a warm and safe place to call home, but for the 20% of families in Derby South who live in fuel poverty this week’s cold snap is a nightmare as they struggle to heat their homes. What longer-term plans are being made so that families can see the benefits of a Labour Government and do not dread this sort of weather?
Martin McCluskey
I thank my hon. Friend for that important question. Energy prices are still far too high because of dither and delay from the Opposition when they were in government. No one should have to make the difficult choices that my hon. Friend describes. The Government are totally focused on reducing the cost of energy and making life easier for people throughout the UK. That focus includes the £150 off the cost of energy from next April—the removal of those costs from bills—and the extension of the warm home discount. We are also working with other Government Departments to improve access to data so that we can properly target support for households. We will come forward with more proposals in due course.
Dr Ellie Chowns (North Herefordshire) (Green)
Charities estimate that more than 6 million households in the UK live in fuel poverty. The Minister’s answer did not even mention the warm homes plan, but he talked about dither and delay. His Government have repeatedly postponed publication of the warm homes plan. They have cancelled previous fuel poverty programmes without replacing them with new insulation programmes. When will the Minister finally publish the warm homes plan? How many of those 6 million households in fuel poverty will benefit from it?
Martin McCluskey
It is worth waiting for the warm homes plan, which will be published very soon. Alongside that there will be an ambitious fuel poverty plan for England. The Chancellor has already announced £15 billion of funding for that. We will set it out very soon and I look forward to constructive discussions with the hon. Member when it is published.
Pippa Heylings (South Cambridgeshire) (LD)
Thank you, Mr Speaker, and happy new year.
It is freezing outside and, tragically, more than 4,000 households in my constituency are living in fuel poverty. The Government’s decision to cut the energy company obligation, which was the key mechanism for delivering home insulation and energy efficiency, without any details about what will replace it, risks pushing more families into fuel poverty. The businesses and supply chains that have fulfilled ECO contracts for more than a decade have been left in limbo. Again, we have heard no date for the plan. Will the Secretary of State or the Minister finally say when it will be released, thus ending uncertainty for businesses and the suffering of households?
Martin McCluskey
The warm homes plan will be published soon and I look forward to conversations with the hon. Member about how we roll out its ambitious measures. ECO did not target those in fuel poverty successfully enough—we spent far too much on something that did not deliver the right results. Instead, the warm homes plan will provide £1.5 billion of additional capital support, targeted at people on low incomes. That is in addition to, for example, local authority grants, which target billions of pounds at low-income households. However, I am more than happy to have further conversations with the hon. Member when the warm homes plan is published.
Mr Luke Charters (York Outer) (Lab)
The Secretary of State for Energy Security and Net Zero (Ed Miliband)
Our clean energy mission offers a transformative opportunity to deliver thousands of high-quality jobs and drive prosperity across the country. In Yorkshire and the Humber, we estimate that there will be up to 20,000 additional jobs by 2030. There are opportunities in offshore wind, hydrogen and nuclear, as well as in many other areas.
Mr Charters
Happy new year, Mr Speaker.
I am proud of York College in my constituency, where talented students are mastering apprenticeships that will power our clean energy future. York College is considering becoming a clean energy technical excellence college under the outstanding leadership of Ken Merry. Will the Secretary of State welcome that and visit the college to see how it leads the way in further education in preparing for the clean energy jobs of the future?
Ed Miliband
I congratulate York College on its work. I know from my constituency in Doncaster, where we are to get a second university technical college specialising in green skills, the importance of that and the excitement of young people about this future. By turning their backs on clean energy, the Opposition turn their backs on young people. Clean energy is the future—it is one of the fastest growing sectors. We want it for Britain, we want it for York and we want it for Doncaster, and we will make it happen.
Martin Vickers (Brigg and Immingham) (Con)
Sadly, it is not job creation that faces many of my constituents, particularly those who work at the Lindsey oil refinery. The Secretary of State knows that Axiom and others submitted bids that would have continued production at the refinery. Instead, we now have a deal with Phillips 66 that transfers the assets but not the business. Will he undertake to make a statement to the House and to answer the many unanswered questions that surround the deal?
Ed Miliband
First of all, what happened at Lindsey—we should be clear that the responsibility lies with the owner, which ran the business into the ground—is tragic for the workers and their families, and I have talked to those workers. The hon. Gentleman will know—my hon. Friend the Energy Minister has spoken to him about this—that the process involved the official receiver, who looked for the best and most viable bid, but there was no viable bid to keep refining going at Lindsey. That is why P66 was chosen, and we are determined to work with the company to maximise the number of jobs that it can deliver for the local community.
Christine Jardine (Edinburgh West) (LD)
The Parliamentary Under-Secretary of State for Business and Trade (Chris McDonald)
The transition to clean energy is the greatest opportunity we have for good job creation across the whole country, with 40,000 extra clean energy jobs in Scotland alone. That is why we published the clean energy jobs plan in October, which sets out how we will work in partnership with industry and trade unions to deliver these jobs.
Christine Jardine
I appreciate the Minister’s answer. Those 40,000 jobs are vital, but they are still outnumbered by the many thousands of jobs in the oil and gas sector. The rate of job losses there is accelerating, and people are increasingly going abroad, creating a concern that the skills necessary for the green transition will be lost. What will the Government do to create transitional training and job movement within those two sectors?
Chris McDonald
This Government recognise the importance of the North sea oil and gas industry, and the importance of oil and gas for decades to come, but we also recognise that the North sea is a declining basin. That is why we published our North sea plan, which supports the transition of workers in the North sea into clean energy jobs, and why we are investing in our clean industry bonus, which incentivises businesses that are investing in offshore wind to ensure that those offshore wind jobs are located here in the UK—a fundamental difference between this Labour Government and the previous Conservative Government, who were happy for those jobs to be based in other countries in Europe.
Torcuil Crichton (Na h-Eileanan an Iar) (Lab)
When it comes to creating clean jobs and local wealth, there is no better example than the community-owned wind farm sector in my Na h-Eileanan an Iar constituency. I welcome what the Government have done to clean up the grid connection queue, but the community-owned wind farm sector in my constituency is still stalled and cannot get access to the national grid. The National Energy System Operator, Ofgem and private companies all want to promote community energy, but unless Ministers direct the regulators and grid operators to give priority to community-owned wind farms, that will not happen. I would like to discuss this issue with Ministers, but I also ask them to come and see how community-owned wind farms create wealth and clean jobs in my area.
Chris McDonald
We do recognise the previous issues around grid connections, and accelerating and prioritising connections is something that this Government have taken by the scruff of the neck. I am sure that the Energy Minister will be very happy to meet my hon. Friend—I think we will have a bit of fight to see which of us has the opportunity to visit his most beautiful part of the country.
Llinos Medi (Ynys Môn) (PC)
The contracts for difference budget is vital for job creation and the growth of the marine energy sector, yet the latest round removed the tidal stream ringfence and cut emerging technology funding. Can the Minister explain why these changes were made, and will he meet me to discuss how marine energy projects, such as Morlais in Ynys Môn, can get the support they need to succeed?
Chris McDonald
Tidal stream is important—I want to be clear about that. We are keen to support it, and we are doing so. The hon. Member mentioned the importance of contracts for difference in supporting marine energy. I previously mentioned the clean industry bonus, and that is exactly how we are doing it: we are using the contracts for difference policy in order to ensure that, through the clean industry bonus, those jobs land in the UK.
Brian Leishman (Alloa and Grangemouth) (Lab)
The Labour Government did excellent work just before Christmas in saving 500 jobs in the chemical industry at Grangemouth. That was real Labour party values in action, but we need to do more. How about investing in or, to be really radical, owning a sustainable aviation fuel-producing refinery at the site? The infrastructure is there, the need for SAF is there, and my people need jobs.
Chris McDonald
I thank my hon. Friend for welcoming that news. I know it was a really big day for him, and his dogged determination to champion his constituents is seen both in his constituency and here in this House. We are supporting Grangemouth, and the MiAlgae project, which was announced by the Chancellor in the Budget, is exactly along the lines that he mentions. He talks about investment in sustainable aviation fuel. Many private companies want to invest in sustainable aviation fuel in Grangemouth, in Teesside, in Humberside and across the whole of the UK, and I am sure we will see more such plants in the future.
Carla Denyer (Bristol Central) (Green)
The Secretary of State for Energy Security and Net Zero (Ed Miliband)
The affordability crisis is the No. 1 issue facing families across our country. That is why we have acted to take £150 of costs off bills for all families, with an additional £150 through the warm home discount for 6 million households this winter. Thanks to our decisions, last year was a record year for wind and solar power, and we have embarked on the biggest nuclear building programme for half a century. That is what it means to deliver on lower bills, good jobs and energy security.
Carla Denyer
Climate change made 2025 the UK’s hottest year on record and fuelled deadly extreme weather events across the globe. We know that every drop of oil and gas used makes those events more likely, so will the Secretary of State confirm how much more new oil and gas could be extracted via the tiebacks that the Government have decided to allow, despite the new oil and gas ban? When developers apply for permission for those tiebacks, will they be required to include scope 3 emissions in their environmental impact assessments?
Ed Miliband
I wish the hon. Lady a happy new year, but I find that question a bit churlish. We have produced a world-leading plan for the North sea, which combines the just transition—the just and prosperous transition—with environmental leadership, while keeping to our manifesto commitment not to issue new licences to explore new fields. It is absolutely right that we have tiebacks to ensure that existing oil and gas fields are kept open for their lifetime. Obviously, the North Sea Transition Authority will consult on the details of how that will work, but it is absolutely the right thing to do for jobs and the environment.
Dame Meg Hillier (Hackney South and Shoreditch) (Lab/Co-op)
Ed Miliband
I congratulate Hackney council—Labour-led Hackney council—on the brilliant job it is doing on green energy. Unlike some who just talk about it, the council is actually delivering, and I congratulate it. I see Hackney as being at the forefront of our local power plan, which will be coming out in the coming months.
Claire Coutinho (East Surrey) (Con)
It is freezing cold outside, and people are worried about their energy bills, yet on top of all the other costs the Secretary of State has lumped on to people’s bills, it is reported that he is about to tax people with gas boilers to pay for people having heat pumps. Can he definitively rule this out for the rest of this Parliament: no new taxes on people heating their homes?
Ed Miliband
I can absolutely rule out that we are going to introduce new levies to the energy system in the warm homes plan. Those reports are complete nonsense. I can tell the shadow Secretary of State that the warm homes plan is going to turn the page on a decade of the Conservatives’ failure, because we are going to invest where they did not, we have a plan where they did not, we will have proper oversight and regulation where they did not, and we will tackle the cost of living crisis they caused—
Mr Speaker
Order. Secretary of State, we are on topicals. I know you want to get carried away, but, please, the new year does not allow for it.
Claire Coutinho
The rumours are that the Secretary of State is pitching himself to be the next Chancellor. He did not rule out taxes on people heating their homes for this Parliament, he is shutting down the North sea, there is a disastrous EU energy deal and a secret deal with China, the industry is fleeing in its droves and energy bills have risen five times on his watch. Does this not show that he has to be the only person in the country who could do a worse job than the current Chancellor?
Ed Miliband
Dear, oh dear, oh dear. What can I say to that, Mr Speaker?
Ed Miliband
Don’t tempt me, Mr Speaker—don’t tempt me!
I want to briefly make one point. In the warm homes plan, which will come soon, we will be making £15 billion of public investment to help people cut their bills. The Conservatives can oppose that if they like, but I think it will be supported across the country, because they were an absolute failure on energy efficiency and all of that, and we are going to succeed.
Luke Murphy (Basingstoke) (Lab)
The Minister for Energy (Michael Shanks)
Network companies have benefited in the past, but Ofgem has moved to correct that in the RIIO-3 price control period so that it cannot happen again. We are working with Ofgem every single day to ensure that we bear down on the costs of energy and that consumers benefit from cheaper bills as quickly as possible.
Pippa Heylings (South Cambridgeshire) (LD)
Brexit excluded us from the EU’s internal energy market, costing the UK a huge £350 million annually. Will the Secretary of State confirm how he will accelerate progress towards the UK-EU internal electricity trading agreement to bring down costs and ensure energy security in these volatile times?
Ed Miliband
The hon. Lady makes an important point, which is that we need to make sure we take advantage of co-operating with our European neighbours. One way we can do that is the internal electricity market, and we will be negotiating on that basis. We will obviously look at the costs and benefits for the UK, but anything we can do to lower costs, lower bills and co-operate with our European neighbours to our advantage is what we should be doing.
Michelle Scrogham (Barrow and Furness) (Lab)
Ed Miliband
It sounds like a really interesting project. My hon. Friend is absolutely right that there are huge opportunities. Opportunities abound when it comes to co-operation with our near neighbours and across the world to help our energy security, deliver clean power and bring down bills.
Vikki Slade (Mid Dorset and North Poole) (LD)
Ed Miliband
The hon. Lady asks an important question. As part of the warm homes plan, we are putting in an additional £1.5 billion of public investment and replacing the ECO scheme, which I am afraid had failed in a number of different ways—no disrespect to some of the installers. That will be designed to help bridge the transition for companies like the one that Andrew runs.
Sonia Kumar (Dudley) (Lab)
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Martin McCluskey)
My hon. Friend is right to highlight the work of the Brockmoor Energy and Environment Scheme. I met Richard Parker recently, and I hope to come and see some of these projects myself in the future. We will soon publish the warm homes plan, which will set out further plans to support such projects, but we have already allocated £1.8 billion to local authorities and social housing providers through the warm homes local grant, and the warm homes social housing fund.
Mr Peter Bedford (Mid Leicestershire) (Con)
Ed Miliband
The hon. Gentleman is wrong, if he listened to my answer earlier, because actually bills across 2025 were lower than in 2024. He should welcome our measures to cut bills by £150, but I am afraid that those on his Front Bench do not support us.
Alex Mayer (Dunstable and Leighton Buzzard) (Lab)
Michael Shanks
That is exactly the work we are looking at as part of the local power plan. As my hon. Friend points out, we are determined to unlock much more community-owned energy, to make it as easy as possible for communities to connect to the grid, and for these projects to deliver not just clean energy, but real social and economic benefits for communities. We will publish the local power plan very soon.
Olly Glover (Didcot and Wantage) (LD)
Michael Shanks
We are genuinely excited about any new technologies that come forward, so we are very interested in innovation like that. We need a real mix of technologies to achieve our target, so I am very happy to find out more about that. I am just trying to work out whether I can somehow get a visit to space to see these projects.
Rachael Maskell (York Central) (Lab/Co-op)
We are really excited about the University of York’s work to develop deep geothermal heat, and we believe that greater cost efficiencies can be achieved by sequencing projects, especially when it comes to hiring the drilling rig and equipment. How are the Government driving efficiencies in deep geothermal heat, so that future developments, such as that in York Central, are more viable?
Michael Shanks
I was delighted to meet my hon. Friend recently to talk about this exciting project in York and the wider developments that go alongside it. We see huge potential from geothermal. As she rightly says, how we structure these projects is important if we are to take them forward as quickly as possible. My noble Friend Lord Whitehead has a particular focus on geothermal, and I am sure that he will be very happy to meet my hon. Friend.
Sarah Olney (Richmond Park) (LD)
Mr Speaker,
“We owe it to future generations not just to have good environmental principles but to act on them. That is why I will be voting against the third runway at Heathrow”—
not my words, but the words of the Secretary of State in 2018. Given that Heathrow is already the biggest single source of carbon emissions in the UK, and that expansion will add an extra 8 to 9 megatonnes of carbon dioxide into our atmosphere, can the Secretary of State confirm that it is still his intention to vote against a third runway at Heathrow?
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Katie White)
The Secretary of State regularly meets Cabinet colleagues about these issues. This Government are absolutely clear that any expansion of Heathrow must be compatible with our legally binding carbon budgets and net zero targets. We are committed to ensuring that the economic benefits of airport expansions are delivered in line with our environmental and climate objectives.
Chris Webb (Blackpool South) (Lab)
Blackpool and The Fylde college has excellent courses that are training young people in the area in use of the vital renewable energy equipment that we need to go forward, but there are no jobs for those young people locally. Will the Secretary of State meet me to discuss how we can create those jobs? He is welcome any time to come to a sunny and slightly chilly Blackpool to see those students and the excellent work that they are doing.
Ed Miliband
My hon. Friend is a brilliant advocate for his constituency, and indeed for Blackpool. I would be very happy to meet him to talk about how we can ensure that the jobs that those young people want come to Blackpool.
Dr Luke Evans (Hinckley and Bosworth) (Con)
In Hinckley and Burbage, if you look one way, you can see the rooftops of lots of logistics businesses, because we are the heart of the logistics sector; looking the other way, to Barlestone and Nailstone, you see agricultural land that has been turned into solar farms. My constituents rightly ask why we cannot have more solar panels on commercial properties. What conversations is the Department having with the Ministry of Housing, Communities and Local Government to ensure that that is a possibility?
Michael Shanks
The hon. Gentleman is right: we should have many, many more solar panels on rooftops. We agree with him on that. I met the UK Warehousing Association recently to look at some of the technical difficulties around ownership and insurance. We want to do whatever we can to unlock the potential, because we have rooftops across the country that can play a huge part in helping us to achieve our clean power mission.
Tom Hayes (Bournemouth East) (Lab)
Once the political situation is stabilised in Venezuela and foreign companies can be enticed to invest somewhere between £100 billion and £200 billion there, it will take emergency repairs, workforce modernisation and retraining and many more things to get the infrastructure and industry in Venezuela up to historical peak capacity. That could take up until 2040. Is it not easier and speedier for the UK to invest in home-grown renewables and nuclear, so that we can guarantee energy independence, and get off the fossil fuel rollercoaster—
Ed Miliband
Yes; my hon. Friend is entirely right. Home-grown clean power is what will give us energy security.
Helen Maguire (Epsom and Ewell) (LD)
An estimated 50,000 diesel-powered transport refrigeration units operate across the UK, consuming around 235 million litres of fuel annually. These generators emit up to 400 times as many particles as truck exhausts do. High-emitting diesel engines face no real regulation and create a significant burden on the NHS and the environment, but there is a solution. Zero-emission renewable transport refrigeration technologies are commercially available and being manufactured in the UK today. Government intervention would help. Will the Secretary of State come and see the fantastic work of Sunswap, which is championing this technology in my constituency, and can he—
Mr Speaker
Order. We are doing topicals, and that is definitely not a topical.
The Parliamentary Under-Secretary of State for Energy Security and Net Zero (Chris McDonald)
Having slightly strayed into the area of the Department for Education earlier, I think it best that I stay out of the area of the Department for Transport. I will, however, ensure that the question is passed on to the relevant Ministers for a response.
Dr Beccy Cooper (Worthing West) (Lab)
My hometown of Worthing is already delivering a major heat network, but it is not yet designated as a heat network zone. Could the Minister please consider making this designation at the earliest possible opportunity, and ensuring that grid capacity supports early designation for advanced schemes?
Martin McCluskey
Heat networks are crucial to future decarbonisation. I would be more than happy to meet my hon. Friend to discuss that in detail.
Iqbal Mohamed (Dewsbury and Batley) (Ind)
Pozitive Energy is a supplier to businesses in my constituency. It has provided inaccurate contracts and bills to customers, and has tried to bill them for premises that they do not occupy. It has disconnected customers from the electricity supply without notice, and fraudulently sent electricity bills for a meter that it disconnected. Now Pozitive Energy is demanding payment of the standing charge for a meter. Will the Secretary of State investigate rogue suppliers, and advise on how we will protect customers?
Martin McCluskey
If the hon. Member sends me the details, I would be more than happy to look into it. That would be a matter for Ofgem, but there is also recourse available through the Energy Ombudsman.
Alistair Strathern (Hitchin) (Lab)
I am delighted that we are investing in more rooftop solar. GB Energy supports the deployment of rooftop solar on schools and hospitals in my constituency, and the Government are taking up my proposal that it be a requirement to have it on all new housing, but how can we make sure that we are not missing out on the opportunity to use other rooftops, from those on car parks to those on commercial warehouses?
Michael Shanks
My hon. Friend is absolutely right. We need a mix of technologies to achieve our clean power targets, and rooftops are an obvious place to use. I think there is broad consensus about how much we can use rooftops, even from those who disagree with other measures. GBE has invested to bring down bills for public institutions, including schools and hospitals, but we want to see much more solar on car parks and warehouses—everywhere we can possibly have it.
Caroline Voaden (South Devon) (LD)
Happy new year, Mr Speaker. This weekend, 4,600 properties in my constituency had their gas supply cut off, on the coldest weekend of the year. I commend Wales & West Utilities, which worked tirelessly to get people reconnected, but its efforts have been hampered by the inability to communicate effectively with residents, as it does not have a direct relationship with its customers. It has had to rely on social media, which is not great in an area with lots of elderly people. We have also been hampered by the high number of second homes, as engineers have not been able to gain access to those properties. Will the Minister meet me to discuss how providers such as Wales & West Utilities can communicate with households—
Michael Shanks
I thank the hon. Lady for engaging with me over the weekend on this issue. I am genuinely sorry that there are still so many customers who are not connected. The engineers are doing a fantastic job, but as she rightly says, the challenge is that they cannot reconnect until households are present to disconnect. That is causing significant problems, but they are doing everything they can. I am very happy to discuss this further.
Peter Swallow (Bracknell) (Lab)
Bracknell Forest council has submitted a bid to the Heat Networks Delivery Unit for a feasibility study on a district heat network that would stretch across our town centre. Does the Minister agree that such schemes can support local businesses and residents in cutting emissions and bills?
Martin McCluskey
My hon. Friend will have heard me say earlier how important heat networks are to decarbonisation. They will play such an important role in providing energy across our country in future. I am more than happy to meet my hon. Friend to discuss that.
Lee Anderson (Ashfield) (Reform)
In November last year, the Energy Secretary and his entourage attended COP30 in Brazil. That was an event where a rainforest was chopped down so that the Energy Secretary could talk about saving rainforests. Does he understand the hypocrisy of it all?
Ed Miliband
I do not understand the hon. Gentleman, if I am honest. The truth is that he would give up on young people. He would sell them down the river, as he would today’s generation, the future generation, and all generations to come. I do not think that is a very good platform to stand on.
Tim Farron (Westmorland and Lonsdale) (LD)
Some 25% of the houses in my constituency were built before 1900. They are expensive to heat and very difficult to insulate. When will there be a bespoke plan for insulating those properties, using the right materials, and, crucially, for the insulation to be installed by specialists?
Martin McCluskey
I have had very constructive conversations with the hon. Member about this. The warm homes plan will be published soon, and we will have something to say in that.
Andrew Lewin (Welwyn Hatfield) (Lab)
Happy new year to you and your team, Mr Speaker. It was a happy start to the new year, because we learned that in 2025, more renewable energy was generated in this country than at any time on record. That was driven by growth in solar in particular. Will my right hon. Friend make it a new year’s resolution that the Government will continue to drive that growth forward, and will surpass that amount in 2026?
Ed Miliband
Absolutely. This is about delivering what we promised when we were elected: home-grown clean power, so that we can get bills down, create jobs, get energy security and, crucially, do the right thing for future generations.
Max Wilkinson (Cheltenham) (LD)
Almost a year ago, the Housing and Planning Minister and I had a wonderful discussion about my sunshine Bill, which would require all new homes to include solar panels on their roof. I understand that the Government are on the cusp of making an announcement about that. Can we be reassured that this will be the year when we finally force all developers to make us have nice, green energy on our roofs?
Katie White
I enjoyed being part of the hon. Gentleman’s sunshine debate. I have been excited to work closely with the Minister of State for Housing and Planning, who is with us in the Chamber, and we look forward to the future homes standards coming shortly.
Darren Paffey (Southampton Itchen) (Lab)
Southampton is Europe’s leading cruise port and the second-biggest container terminal in the country. Our industry stands ready to invest millions in decarbonisation, but that is being held up by grid constraints at the Nursling supply point. Will the Minister meet me and local industry leaders to see how we can unlock the obvious environmental and economic benefits that this change would bring?
Ed Miliband
Our team would be happy to meet my hon. Friend. That question, and so many others, shows the huge opportunities arising from home-grown, clean power, including in fantastic Southampton.
Bradley Thomas (Bromsgrove) (Con)
On a point of order, Mr Speaker. In response to my question about whether bills in April 2026 will be lower than in July 2024, the Secretary of State claimed that they would be. However, the price cap would suggest otherwise: it was £1,568 in July 2024 and is projected to be £1,620 in April 2026. Can you advise on how the House can seek a correction of the record?
Mr Speaker
You have certainly put that on the record. We are not going to continue the debate unless the Secretary of State wants to respond, which I doubt.
Ed Miliband
Further to that point of order, Mr Speaker. I am happy to respond, because we are going to deal in the facts. Bills were lower in 2025 than in 2024 in real terms, and the price cap was lower—and, of course, making a seasonal comparison makes no sense. We are going to trade in the facts.
Sarah Olney
On a point of order, Mr Speaker. I asked the Secretary of State a direct question about his former statements and how they conflict with current Government policy. Would you agree that the Secretary of State should have directly answered me?
Mr Speaker
I do not have an opinion, and I am not responsible for that, but you have certainly got that on the record.
Bills Presented
Property (Registration and Valuation)
Tuesday 6th January 2026
(3 days, 6 hours ago)
Commons ChamberProperty (Registration and Valuation) Bill 2024-26 View all Property (Registration and Valuation) Bill 2024-26 Debates Read Hansard Text Watch Debate
A Ten Minute Rule Bill is a First Reading of a Private Members Bill, but with the sponsor permitted to make a ten minute speech outlining the reasons for the proposed legislation.
There is little chance of the Bill proceeding further unless there is unanimous consent for the Bill or the Government elects to support the Bill directly.
For more information see: Ten Minute Bills
This information is provided by Parallel Parliament and does not comprise part of the offical record
Jodie Gosling (Nuneaton) (Lab)
I beg to move,
That leave be given to bring in a Bill to make provision about requirements relating to the registration and valuation of domestic and non-domestic property; to make provision about exemptions from such requirements; and for connected purposes.
Happy new year to you and all your team, Mr Speaker. For thriving communities, we need warm homes, and safe places where people can live, thrive and survive, bring up their children and start their businesses.
We want to see our high streets thriving, with every shop filled, and restored to the proud places they once were as the beating hearts of our communities. My residents in Nuneaton have grown all too used to high streets and residential areas littered with empty properties. Shuttered-up shops and empty storefronts on our local high street deter shoppers and much-needed investment. Vacant homes in disrepair are wasteful and leave hundreds of residents on waiting lists for housing and young families struggling to get on to the property ladder.
The figures for my local area show that Nuneaton and Bedworth borough council has over 1,800 empty properties—that is equivalent to one in every 24. Local leaders in Nuneaton, including council leader Councillor Chris Watkins and Councillor Steve Hey, have fought to address the issue, recognising the deep impact it has on our communities—it is literally a waste of space, instead of providing hope and security. I know that they are supportive of the second-home surcharge, as well as additional charges on long-term empty properties. Those are important levers for local authorities that have been strengthened by this Labour Government. However, those measures alone do not account for the full picture or scale of the problem that local authorities such as Nuneaton and Bedworth face.
When a property is derelict, it is often removed from the valuation list. That is because it is no longer considered habitable or usable; it is no longer an asset. That measure was originally intended to enable renovations to take place on properties without additional costs being incurred. We support some of that and do not wish to remove the legislation as a whole; we merely wish to time-limit the exclusion, because a deregistered property does not appear on the valuation list unless it is brought back into use. That has led to the situation where properties can lie unoccupied for years. Potential is wasted and properties become an eyesore, attracting antisocial behaviour and restricting local authorities’ capacity to transform our neighbourhoods and high streets.
Nuneaton has seen properties left dormant for decades. The former Kingsholme pub has stood empty since 2008 and two houses on Stoney Road were removed from the valuation list in 2000. Those homes have stood empty for a quarter of a century, while we face a national housing crisis and children sleep in temporary accommodation. Nuneaton is growing and the houses we need are being built, but we also have to use the houses and properties that we already have effectively. Nationally, an estimated 260,000 residences are long-term empty. That is a quarter of a million, many of which have been zero-rated and do not pay back to their local councils.
I know that many honourable colleagues have the pleasure of getting the train through my constituency each week as they travel down the west coast main line to Westminster. Those who venture further into Nuneaton will see at first hand the impacts that the regulations are having. Nuneaton’s transformed town centre, Grayson Place, is due to open later this year, which is a real opportunity to redefine our town. Yet at the town end of Coton Road, as people enter the brilliant redeveloped site, there is a row of empty properties with buddleia sprouting out of the roofs. Three of those properties are nil-rated—they hold no value—preventing the council from charging an empty property levy and from holding the owners to account for the neglect of buildings that blight my community.
At the other end of Coton Road, next to the Coton arches, honourable colleagues will find the Cube, which was formerly a church and has been left to fall into disrepair. Despite the property no longer being owned by a church, it still receives its place of worship exemption, again meaning that it pays nothing. There is no incentive to bring it back from the brink or to make such properties the assets that my town needs them to be, and no responsibility for the impact on the area. Further, once a property has left the register, it becomes increasingly difficult to trace those responsible for it.
Nuneaton and Bedworth borough council welcomes the increased powers, but those powers can only do so much. Like many councils, after a decade of harsh austerity, it lacks the financial capacity to compulsorily purchase or restore the sheer number of properties. Nuneaton and Bedworth council leaders view the reorganisation of the Valuation Office Agency as a welcome step forward, but it is clear that the registration and exemption regimes need to be updated to ensure that councils have the power to hold the owners of empty properties accountable for the state of their buildings and turn those eyesores back into assets. That is why my Bill proposes that all properties should remain on the register unless they are demolished, that all properties are given a value, and that all exemptions become time-limited, ensuring that all exempt properties are being used for their exempt purpose.
As has been noted by my hon. Friend the Member for North Durham (Luke Akehurst), this is an issue that impacts almost all our constituencies. Updating our registration and exemption rules will provide us with the tools to embrace regeneration and remove the barriers that hold us back. I hope that my hon. Friends and colleagues will support this Bill and the measures within it today. We all want to see the effective use of our assets and to ensure that all our buildings are put to use to house our residents who need homes and that our local high streets are open for business.
Question put and agreed to.
Ordered,
That Jodie Gosling, Rachel Taylor and Cat Eccles present the Bill.
Jodie Gosling accordingly presented the Bill.
Bill read the First time; to be read a Second time on Friday 16 January, and to be printed (Bill 354).
Cyber Security and Resilience (Network and Information Systems) Bill
Tuesday 6th January 2026
(3 days, 6 hours ago)
Commons ChamberCyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Minister for Digital Government and Data (Ian Murray)
I beg to move, That the Bill be now read a Second time.
A happy new year to you, Mr Speaker, and to all the House staff. This is the first opportunity I have had to say that to you.
On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware—malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.
This was not an isolated case. In the year leading up to September 2025, the National Cyber Security Centre dealt with 204 “nationally significant” incidents, meaning that they seriously disrupted central Government or our critical public services. That is more than double the 89 incidents in 2024. No one disputes that we must do everything we can to protect the UK from these attacks. The UK is the most targeted country by cyber-attacks in Europe, and it was the fifth most targeted nation in 2024 by nation state-affiliated threat actors. In 2024, it is estimated that UK businesses experienced over 8.5 million cyber-crimes in the 12 months preceding the survey, and that in that year more than four in 10, or 43%, of UK businesses were subject to a cyber-attack, affecting more than 600,000 businesses in total.
Significantly, cyber-attacks are estimated to cost UK businesses almost £15 billion each year, equivalent to 0.5% of the UK’s annual GDP, notwithstanding the wider economic effects of intellectual property theft or the experience of patients, as in the first example. The average cost of a significant cyber-attack for an individual business in the United Kingdom is estimated to be just over £190,000. There has been a 200% increase in global cyber-attacks on rail systems in the past five years, increasing the likelihood of severe disruption to the economy and to people’s daily lives.
Chris Vince (Harlow) (Lab/Co-op)
Does the Minister agree that, as we become more and more reliant on IT systems—I am thinking in particular about the new patient registration system at the Princess Alexandra hospital in my constituency—it is more and more important that we combat potential cyber-attacks, particularly from foreign powers and enemies of this country? That is why the Bill is so crucial.
Ian Murray
I could not agree more. I gave the example of the Synnovis incident that brought blood transfusions in London to a halt, affecting thousands of patients. Our everyday lives are affected by this. As we modernise and digitise our economy and our Government, we have to ensure that our systems are as secure as possible, and cyber-security is right at the heart of that. This is not just a defensive issue; it is very much an economic growth issue as well, as we can see from the impact it has on our economy, our public services and the day-to-day lives of people, as in the example of our train systems that I just mentioned.
Mr Toby Perkins (Chesterfield) (Lab)
I am grateful to my hon. Friend for giving way, and it is great to see him in his post. On economic growth, how has he sought in the Bill to balance the absolute need for a regulatory framework that businesses can have confidence in alongside the ability to attract continued investment, and to ensure that we do not end up with an over-regulatory framework that stifles investment? How did he find that balance?
Ian Murray
The Bill builds on the 2018 regulations, which were a hangover from the EU when we adopted them in this country. The Bill expands on those. As my hon. Friend the Member for Harlow (Chris Vince) just suggested, this is about economic growth as well as protecting our systems, so we have to find a balance between ensuring that our regulators have the powers and tools to regulate properly and giving businesses and our public services the confidence to use digital technology knowing that we have the most secure cyber-security in Europe, if not the world. We are very good at this stuff, and that is the balance to be sought. This Bill is about economic growth rather than about the over-regulation of businesses. I do not say this flippantly, but cyber-security is one of those areas where if everything is working, nobody notices, but when it is not working, suddenly everyone notices and it is everyone’s problem. That is why we are bringing the Bill forward and extending the scope of the powers.
Jim Shannon (Strangford) (DUP)
I thank the Minister very much for what he is saying and bringing forward. There is much in the Bill that we should encourage. I know that he is a regular visitor to Northern Ireland, and Northern Ireland is home to 130 cyber-security companies with some 2,750 employees. It is therefore essential that this legislation protects those jobs and enhances the capacity for more. Does he believe that the Bill both protects us and provides the opportunity for growth in Northern Ireland and, indeed, across the whole of the United Kingdom?
Ian Murray
Indeed it does. It is one of a number of provisions that the Government are bringing forward to create growth across the country, not just in Northern Ireland. The Secretary of State’s passion is to make sure that those jobs are everywhere, right across the United Kingdom, including in Northern Ireland. The Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), has been in Belfast recently discussing this legislation and wider cyber-security issues with the industry in Northern Ireland, so I can assure the hon. Member for Strangford (Jim Shannon) that that is indeed the case.
Dame Meg Hillier (Hackney South and Shoreditch) (Lab/Co-op)
Hackney council was the subject of a major cyber-attack in 2020. It did a good job, though it was very slow because of the nature of the challenge of getting things back up and running. The Bill is therefore very welcome but, pursuant to the answer to my hon. Friend the Member for Chesterfield (Mr Perkins), there are challenges for some of the smaller companies. I represent Shoreditch, which has many tech companies that need to maintain a standard on cyber-security but are small. How is the Minister going to balance the regulation for those smaller companies to ensure that they can keep abreast of things but are not so dampened down that they cannot progress and grow?
Ian Murray
This is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution. It is about reporting things more quickly to ensure that the attacks can be seen and action can be taken more quickly. It is also about reporting to the regulators to give the regulators confidence and powers across a wider scope of sectors in the economy, and to give businesses the confidence that those sectors have to report to the regulators when things are going wrong so that swifter action can be taken. We can see from the host of recent high-profile issues, including at Hackney council, that it is important to ensure that this legislation goes through quickly and does the job that it is intended to do.
Chris Vince
I thank the Minister for giving way; I apologise for intervening again. Is there a piece of work we need to do on culture? When businesses or the public sector are victims of cyber-crime, there is a danger that employees may feel embarrassed or nervous about reporting their concerns. We need to encourage people if they are victims of cyber-crime to come forward quicker and to recognise the challenges, rather than trying to hide them away and the issue becoming worse.
Ian Murray
While physical security and national security are issues for all of us, so is cyber-security. The Bill builds on the 2018 regulations to widen the scope into other areas of the economy where such issues have become much more prevalent—for example, data centres. I hope that doing so will give industries and sectors, including their employees, the confidence to report things to the regulators. Giving powers to the regulators will give businesses the confidence that they can report stuff; it is not a regulatory heavy hand dampening businesses. I hope that I can assure my hon. Friend and the rest of the House on that.
Before that significant number of interventions, I was talking about why this issue matters and gave statistics for recent cyber-security activity in the United Kingdom. As a result of all that, one of the very first things we did as a new Government after the election was announce this new cyber-security Bill, just 10 working days in. Since then, the Department has been talking to cyber experts, businesses and regulators to turn these proposals into the comprehensive, serious and proportionate piece of legislation that we present for Second Reading today—one that protects the public and strengthens national security without placing undue burdens on businesses. I appreciate that that is a fine balance, but I think that this Bill finds that balance, so I am confident that the whole House will support it.
Pete Wishart (Perth and Kinross-shire) (SNP)
We support this Bill and its efforts to tackle cyber-security, but it does not address the mass unauthorised scraping of trusted news content by generative AI systems. That content, as the Minister knows, is often taken without consent or compensation. As the Bill progresses, will he be prepared to look at some measures—maybe something like a bot register where people have to declare their intent when it comes to this type of activity? Will the Government look at this seriously so that news can be protected in this new environment?
Ian Murray
The hon. Gentleman is ingenious in the way in which he uses interventions on pieces of legislation. I know AI copyright is close to his heart as a former, or perhaps current, professional musician and, indeed, one of the key musicians in MP4—let’s not push that to a Division! AI copyright is, of course, a key issue that the Government are looking at. The Secretary of State for Science, Innovation and Technology and the Secretary of State for Culture, Media and Sport are working closely together on this issue. I think the legislation means that there has to be a report to Parliament in March—I am sure the hon. Gentleman will be very interested in that. We are bringing together the industry and tech companies to try to find a way through that particular issue. We know that it is a huge issue. It is not in the scope of this Bill, which has been kept very tight to deal with these specific and serious cyber-security issues.
As we know, the first duty of Government is to keep people safe. The question is how precisely the Bill will achieve that goal. The answer is simple. The UK’s main cyber-rules—the Network and Information Systems Regulations 2018, or the NIS regime—were first introduced seven years ago and have not been updated since. Those rules require operators of essential services such as energy, water and hospitals, as well as some digital service providers such as online search engines, to take steps to protect the services they provide and the data they hold from cyber-threats.
As Members might expect, a lot has changed in the cyber-landscape in the past eight years. We have had the rise of AI, which cyber-criminals are using to their advantage. Data centres have become a firm fixture of modern life, and we want to see more of them. Since the rules were introduced, criminals tactics have evolved to exploit loopholes in the regulations, as they did in the attack on the NHS supplier that I mentioned, which revealed how hackers can target third parties, such as IT companies, or supply chains as a back-door way to bringing down a wider system. As always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with.
Dave Robertson (Lichfield) (Lab)
My right hon. Friend is right to mention the impact on supply chains. In the west midlands, we recently had the cyber-attack on Jaguar Land Rover. That had a significant impact not just on that company, but on the supply chain, which has its roots right through the west midlands. That essential part of our economy was brought to a grinding halt by a cyber-attack. Will he confirm that this Bill will help prevent such instances from happening in the future?
Ian Murray
I thank my hon. Friend for all he did on the issues facing Jaguar Land Rover. I know that the matter is close to his heart and, indeed, it was a really big issue across the country, showing how a cyber-attack can affect not just one company, but has a ripple effect throughout the economy. Of course, the Government stepped in to unlock a £1.5 billion bolster to Jaguar Land Rover’s cash reserves to help it through that problem.
I should say to my hon. Friend, and I will come to it later, that Jaguar Land Rover and other private organisations are not in the scope of this Bill. The reason is that individual private companies should take their own cyber-security seriously and ensure that the risks of such incidents and threats are minimised as much as possible. The Bill widens the scope of the existing regulations, which do not include that, but of course the Government are working closely with Jaguar Land Rover, Marks & Spencer and other high-profile cases, because we know the impact they can have on our economy. Indeed, had the Government not stepped in and resolved that issue, the impact on Jaguar Land Rover, and the tens of thousands of employees at the plants and in the supply chain, would have been catastrophic and is not worth thinking about. I thank my hon. Friend for raising that issue.
As I said, as always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with, but today we are fixing that. The first change in the Bill is to widen the scope of the 2018 regulations. To keep up with the changes of the past eight years, we are adding a few new things to that list, starting with large-load controllers. That includes any organisation that manages a significant flow of electricity to or from a smart appliance. It might be a company that supports electric car charging, for example. Bringing these entities into scope will safeguard our power supply and give consumers confidence in using energy-smart appliances, all of which are critical as we advance towards our clean power 2030 mission and net zero.
The second change is that we are adding large data centres in recognition of their growing importance to our day-to-day lives and to the economy. These are vast digital warehouses for the United Kingdom, home to servers that host everything from patient records to their bank details. This is the data that underpins modern life and all our lives and communities, and it must be protected.
We are expanding the scope of the regulations to include managed service providers as well. Those are organisations that provide ongoing functions, such as an IT help desk, to an outside client. Their access makes them an attractive target for cyber-attacks as criminals can find one weak spot and bring countless organisations down. For example, in 2014, an attack on a service provider for the Ministry of Defence compromised the personal data of around 270,000 people—military personnel, reservists and veterans. As organisations rely more and more on outsourced tech, we have to close this gap. In fact, weaknesses in the supply chain have become such a risk that we will go even further by allowing regulators to designate certain organisations as critical suppliers. That includes certain suppliers to essential services that could have a significant impact on the economy or society as a whole—for example, key suppliers to water companies, grid operators or air traffic control. These critical suppliers will be subject to cyber-security duties, which we will set out in secondary legislation.
Dame Meg Hillier
Last year, the Treasury Committee wrote to the top 10 banks in the UK because there had been a number of outages. There was no suggestion that cyber-security attacks were involved in most cases. A trend in the responses was that third-party software providers are often the source of the issue. What is the Minister’s thinking about how to involve the banking sector in the scope of the Bill?
Ian Murray
The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.
The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.
We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.
Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.
Sir Oliver Dowden (Hertsmere) (Con)
I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber-security is one of those things that Ministers talk about, but then other priorities overtake it. The advantage of legislative requirements is that they force Ministers to think about it. I urge the Minister to look at that point again as the Bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force Ministers’ minds on the point.
Ian Murray
The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.
The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.
Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)
I thank the Minister for the excellent points he is making on the importance of cyber-security and the cyber-security action plan. Can he say a little bit about how the success of the cyber-security action plan will be measured, monitored and communicated to the House? He is probably aware that only 33,000 cyber essentials certificates were issued in 2024, for example, so an increased take-up of cyber essentials and the guidance in the action plan are essential.
Ian Murray
There are some key dates to monitor progress in the action plan itself. I wrote to my hon. Friend, the Chair of the Science, Innovation and Technology Committee, this morning on the publication of the action plan to lay out some of those issues; the letter will be landing soon. I would be happy to discuss that in front of the Committee in more detail. I hope that the Committee, and indeed the Opposition and our own Labour Members, hold us to account for delivering on this, because it is fundamentally important to Government, whether it be digitisation, modernising Government or winning the case with the public about why digitisation is so important and why Government should be as secure as possible and lead the charge on that across the whole economy. I hope that we and the Committee can take that forward in the weeks and months ahead.
As I said, the Government cyber action plan launched this morning is backed by over £210 million of investment and Government Departments will be held to standards equivalent to those set out in the Bill. I hope that that partially answers the question from my hon. Friend the Chair of the Science, Innovation and Technology Committee. Although the focus of the Bill is on essential services, it will also indirectly help businesses, including those damaged by the recent attacks, and Government. Almost all organisations today rely on data centres, outsourced IT or some kind of external supplier. By extending the Bill’s oversight, we are preventing attacks that could, in theory, reach thousands of organisations.
The Bill also gives new powers to regulators responsible for enforcing the NIS framework. Effective compliance is crucial to the success of any regime. These reforms could be world-leading on paper, but without proper enforcement they are meaningless.
David Reed (Exmouth and Exeter East) (Con)
We have talked about the regulators having new powers to designate critical national infrastructure in regard to cyber-security threats, but who actually has accountability? The Bill refers to
“regulations made by the Secretary of State.”
Which Secretary of State is that, given that this is a cross-departmental and cross-Government approach?
Ian Murray
Cyber-security is the responsibility of the Department for Science, Innovation and Technology, but the Cabinet Office has a clear resilience issue as well, as we heard from the right hon. Member for Hertsmere (Sir Oliver Dowden), who was in the Cabinet Office previously. The DSIT Secretary of State will make those regulations, but a plethora of regulators are involved in this process—energy, water and data centres all have different regulators. The regulators that regulate those sectors are being empowered through the expanded number of sectors being brought into the legislation to take the responsibility.
Sir Julian Lewis (New Forest East) (Con)
I am extremely grateful to the Minister for giving way. On the point about regulators, the industry has issued a brief, which points out, quite sensibly, that these regulators are going to have a lot of extra duties to perform and they will therefore need extra resources to be able to perform those duties, but the extra resources they require will only be unlocked when the Bill has passed. Is there not a danger of a transition period where duties will be laid on regulators to fulfil their role before they have the resources to carry it out?
Ian Murray
We have to pass the legislation first. It may be amended during its passage through both Houses. Therefore, the regulators will not know what they are regulating until the Bill has passed. However, as I mentioned at the start of my contribution, we have been working with regulators, businesses, organisations and cyber-security experts in the run-up to producing the Bill to make sure that it is in the right place—that it is proportionate on businesses and regulators—and that it is effective, which is the most important thing. I am sure that we will have debates on those kinds of issues as we go through Committee and on to Third Reading, but I very much acknowledge what the right hon. Gentleman said.
The Bill will strengthen the powers of the NIS regulators, ranging from Ofgem to the Civil Aviation Authority, which work together to uphold the UK’s cyber rules across those different sectors—I may have taken the previous intervention 10 seconds too early! We are raising the maximum fine that they can impose, for example, while simplifying the penalty bands to make them clearer. The key driving force for this measure is not to punish rulebreakers or raise revenue, but to incentivise firms to be vigilant. Our goal is 100% compliance and zero fines.
We will also ask regulated organisations to change the way they report attacks and expand both the types of instance they have to report and the timeframe in which they have to report them. This is a small but crucial change. Under the current rules, regulators get notified about a breach only once it has already caused significant disruption—when traffic lights have failed or the heating has shut off. The system does not include cases with the potential to cause a crisis much later, like a hospital’s computer system quietly being spied on as hackers wait for their moment to strike. Under the Bill, if an organisation is within scope, it will have to tell its regulator and the National Cyber Security Centre about these types of breaches within 24 hours and provide a full report within three days. Pace and speed are of the essence. This will not only give us better information, but help agencies to warn others, should they need to, before they become the next targets.
The Bill will also allow the Government to set clear and consistent outcomes for regulations to work towards. One of the virtues of having a regime enforced by different agencies is that each has sector-specific expertise—Ofgem understands the complex digital systems that underpin the national grid, and the Civil Aviation Authority knows the precise threats to air traffic control, for example—but that approach has sometimes led to inconsistencies in how the regime is applied. Some bodies interpret the rules differently from others. The Bill aims to fix that with a single set of objectives issued by central Government and applied across the board. That will send the message that no sector is an easy target in the UK.
We will also improve the way in which regulators, intelligence agencies and law enforcement share information with each other by providing greater clarity on what regulators can share and receive. It is important that regulators have the resources to do their job, as the right hon. Member for New Forest East (Sir Julian Lewis) said. The Bill will also give them new powers to cover the full costs associated with their regulatory duties. To ensure transparency, regulators will consult on how fees are calculated and publish a statement each year to show how the funds are being used. Together, the measures add up to a much more consistent and effective regime with better reporting and much clearer guidance for all involved.
The Bill ensures that the UK’s cyber-security regime is not only fit for today but flexible enough to head off future threats as well. I have mentioned a few things that have changed in the past eight years—shifts in technology and the nature of cyber-attacks, artificial intelligence, data centres and the economy—but one of the biggest changes was, of course, Brexit. Since our exit from the European Union in January 2020, we have been unable to amend the NIS regulations without primary legislation, because the rules were originally part of European Union law. That has slowed the process and made it difficult for us to keep pace with new emerging threats and technology. Meanwhile, Brussels is pressing ahead with NIS2—its forward-looking update—while we lag behind.
That procedural quirk has left essential UK services more exposed, which perhaps tells us something about why the UK has such appalling figures compared with some of our EU counterparts, as hackers and cyber criminals exploit gaps in our dated laws. That is an unacceptable risk, so the Bill includes new powers for the Government to update the NIS regime via secondary legislation, to make it quicker and more agile for dealing with evolving technologies—we might need to respond quickly to a new type of cyber-threat, for example. That is not in order to override Parliament; in almost all cases, the Government will still be required to consult on any changes, and Parliament will have the final say on any legislation made under the power. However, delegated powers are essential for keeping us as responsive as possible. When national security is on the line, we need the ability to act fast and decisively.
In fact, in extreme cases some threats emerge so rapidly that even secondary legislation is too slow; if an ally were to be invaded by a hostile state, for example, the cyber risk to the UK would suddenly escalate. The Government will therefore also be given powers to direct regulators or regulated entities where national security is threatened—to issue specific cyber-security guidance in a crisis, for example. Those powers are intended as a last resort to protect our national security, and safeguards will go into the Bill to ensure that they are used accordingly.
The UK’s cyber sector is the third largest in the world, as we heard from our friend from Northern Ireland, the hon. Member for Strangford (Jim Shannon). It achieves double-digit growth year on year. We have fast-growing clusters of expertise in Cheltenham and Manchester. This legislation will supercharge that success, doubling down on one of our nation’s greatest assets. At its core, the Bill is about protecting the essential services that we all rely on, so that the lights always stay switched on, clean water always runs in our taps, and hospitals are always safe and secure. Those are the real life community issues that we and our constituents all encounter every single day.
This is more than a technical upgrade; it is a bold commitment from the Government to protect one of our biggest economic strengths and keep the UK safe in a rapidly evolving digital world. Together, we are working towards a future in which security is not a hope but a guarantee. I commend the Bill to the House.
Julia Lopez (Hornchurch and Upminster) (Con)
Happy new year, Mr Speaker, and thank you for putting the heating on. I am grateful to the Minister for setting out the Government’s rationale for this legislation in the Secretary of State’s stead. I do not know why the Minister was demoted either, but I want him to know that we appreciate him.
The official Opposition recognise the scale of the cyber-security challenge that the country faces. If the pandemic accelerated the adoption of digital technology at a pace we had never before seen, then the advent of artificial intelligence will embed that technology into our economy in wholly new ways that bring not only opportunity but unprecedented risk. AI and automation will not only transform productivity but equip hostile states, criminal gangs and opportunists alike with tools capable of eroding our national defences at speed and at scale. It is right that Parliament legislates to raise the collective security bar. We on the Conservative Benches support that principle. However, legislation of this kind does not come around often. Cyber law takes time to develop, and once the Bill passes, it is unlikely that Parliament will return to this territory for some years. That means that we must ask two simple but very serious questions today: will this law work and is it enough?
Before we answer those questions, it is worth reminding ourselves of the real-world consequences of failure. Cyber risk is neither abstract nor theoretical. Last year, the UK experienced what is widely regarded as our most economically damaging cyber-incident to date when Jaguar Land Rover suffered a major attack. That was not a sophisticated act of cyber-warfare against the state—although such acts are happening with increasing regularity—but was carried out by a band of hackers. The consequences were enormous, however. For five weeks, Jaguar Land Rover was unable to operate its automated manufacturing lines, cyber-related costs mounted to nearly £200 million, and national economic output was visibly affected in that month alone. The real damage did not stop at the factory gates: hundreds of small and medium-sized enterprises in the supply chain—many of them operating on thin margins—were pushed to the brink, workers faced uncertainty and contractors had their work paused.
Ultimately, the Government had to step in with a £1.5 billion loan guarantee to prevent wider economic fallout. When we consider the Bill, we must ask whether it would do anything to strengthen our collective resilience. That is one of the tests that this legislation ought to meet, and it is not yet clear that it does. Indeed, the attack on JLR would not have been stopped, as the Minister himself has made clear, because it would not have been in scope.
The cyber-threat landscape is evolving at an extraordinary pace. New research shows that cyber-attacks now cost our economy nearly £15 billion every year. High-profile breaches of businesses such as Marks and Spencer and the Co-op have demonstrated how quickly consumer confidence, jobs and supply chains can be put at risk. Last year alone, insurers paid out £197 million to help businesses recover from cyber-incidents. In fact, the collective cyber insurance bill of the FTSE 100 is now larger than the defence research and development budget. The Bill seeks to respond to one aspect of that reality by expanding the scope of regulation. Data centres, managed service providers, load controllers and designated critical suppliers will now fall within its ambit. That is a welcome acknowledgment that digitisation has introduced systemic risks that the original NIS regulations of 2018 did not adequately cover.
The Bill also strengthens the powers of regulators, introduces cost recovery mechanisms and tightens incident reporting requirements. Those measures are intended to modernise our cyber framework and address clear shortcomings identified in reviews of the NIS regime in 2020 and 2022. On paper, that all sounds sensible, but intent alone is not enough, which brings me back to our central concern: whether this law will work in practice in raising the standard of our collective resilience. The uncomfortable truth is that, in some of the most high-profile cases of cyber-attack, the penetration of systems was carried out by attackers using valid credentials. That means systems behaved normally. The breaches looked like legitimate access until it was too late. Human frailties were exploited: help desks were persuaded to reset passwords, and staff and contractors were impersonated. This Bill would help mainly after an attack—not before—by mandating reporting, improving intelligence sharing and increasing accountability.
Chris Vince
This is a friendly intervention, as I always like to get a bit of cross-party agreement where possible. I mentioned to the Minister the importance of changing the culture among employees to ensure that they feel confident about reporting cyber-attacks. Does the shadow Secretary of State agree with that?
Julia Lopez
Absolutely. The hon. Gentleman is correct: this is fundamentally about culture—that is the point that I am making. We can pass as many regulations as we like, but a lot of the holes in our cyber-security systems come down to human frailties. That means this challenge is not just about new laws but about changing a number of things to make us more resilient.
It is right not to dictate technical standards in primary law that will soon be outdated in the fast-moving world of technology, so the question is whether this law has the right mix of carrot and stick to make affected firms act in a way that raises the security bar—there are several areas where we fear it may not.
First, there is potentially an enforcement paradox. The Bill expands regulatory powers and increases the scale of potential fines, but the evidence from the existing regime does not suggest definitively that fines and new regulations deliver us greater cyber-resilience. Under the current NIS regulations, enforcement has been slow, inconsistent and often toothless. Very few significant penalties have been issued. Where they have been issued, the delay between incident and sanction has sometimes stretched beyond two years. That delay matters, because it actively undermines deterrence and disconnects accountability from operational reality. Simply widening the scope of regulation without ensuring that regulators are properly resourced, empowered and required to act quickly risks creating obligations that exist on paper but lack any real-world bite.
We also have concerns about the Bill’s cost recovery model. Funding regulators through levies on the organisations that they oversee risks unintended consequences in terms of improving our resilience. For large firms, the cost burden may be manageable, but for smaller enterprises it amounts to an additional operational tax that could divert scarce capital away from cyber-defence, staff training and innovation.
There is also a structural risk here. Regulators that are reliant on fee income might face incentives to expand scope and complexity unnecessarily, creating bureaucratic drag that crowds out voluntary, market-led initiatives, which often raise standards more effectively than prescriptive regulation.
More generally, I worry that this Bill will play into tech monopolies. The companies that thrive in this kind of environment are those with big compliance and legal departments. That concentrates risk and makes our tech economy less diverse, with serious implications that I shall come on to.
There may be reporting challenges too. A two-stage reporting process within 24 and 72 hours may be achievable for large, well-resourced organisations with in-house cyber teams, but for smaller operators it risks creating a compliance culture focused on speed, not substance.
There is also the danger of duplication. Many organisations already face overlapping reporting obligations under UK GDPR, sectoral rules and existing legislation. Without simplification and proportionality, the administrative load could be significant, once again diverting attention and resource from the very cyber-threat management that the Bill seeks to improve. We need to avoid this legislation becoming a “something must be done” Bill that totally misses the mark.
The Bill also fails to grapple properly with the human factor in cyber-security, which has already been talked about by the hon. Member for Harlow (Chris Vince). Technology alone does not keep organisations safe; governance matters. Yet board-level ownership of cyber-risk is moving in the wrong direction. Only 27% of businesses now have a board member explicitly responsible for cyber-security, down from 38% just three years ago. Without mechanisms to ensure senior accountability, fines risk becoming little more than a cost of doing business. Directors remain insulated while operational teams are left to carry the can. National cyber-resilience depends not just on systems and software, but on leadership, culture and accountability at the very top.
For those reasons, ahead of Committee consideration, we on the Opposition Benches are examining how the legislation can be strengthened, while continuing to support its core objectives. In the meantime, regulators must be properly equipped with the right powers, resources and clarity from Parliament on the intent of the law. Sanctions must be applied swiftly and consistently, and guidance must be clear, so that enforcement is credible and deterrence is real.
The Government should also look at how reporting obligations are calibrated. A one-size-fits-all approach might place disproportionate burdens on smaller firms, and it might be better to ensure that reporting thresholds reflect the size, complexity and risk profile of an organisation.
Equally, the funding of regulators must be transparent and predictable. There have to be safeguards against regulatory expansion for its own sake and firm assurances that funds raised are reinvested directly into improving national cyber-resilience, not absorbed by administrative overheads. While the Bill rightly prioritises critical national infrastructure, it cannot afford to ignore high-risk sectors that sit beyond its immediate scope.
There is also a major role for market-based solutions. Cyber insurance, sector-wide intelligence sharing and collaborative resilience initiatives can all complement regulation. These tools can reduce risk and improve preparedness without adding unnecessary legislative complexity.
The review cycle set out in the Bill may be too slow for the threat landscape we face and the pace of technological change. Annual or biannual reviews might allow Parliament to scrutinise effectiveness, respond to emerging threats and ensure that the legislation remains fit for purpose.
Let me make some more general points about the Government’s approach to cyber-security and resilience, and issues about the risk of dependence and threat from adversaries. I see no evidence from this Government that they are thinking with any clarity about the risks of long-term technological dependency and lock-in—quite the opposite, in fact. Large parts of our economy now depend on secure, high-quality digital infrastructure, and that reliance will only increase as AI advances. Whoever provides that infrastructure will wield huge future leverage. It was that reality that ultimately drove the change of heart over Chinese tech sitting at the core of our 5G telecom networks a few years ago.
However, the Government are seemingly betting every chip on US hyper-scalers. They provide our data centres, supply the platforms on which Government Departments are run and, more often than not, are the ones winning all the Government contracts. These investments will provide our companies with things that they need, from compute power to increasingly sophisticated AI platforms, but the UK is doing little simultaneously to mitigate our increased technological dependency. When I say “technological”, we need to understand that technology is what we now run our defence systems, factories, energy networks and communications on. Technology is the plumbing of our nation.
During September’s much crowed-about state visit by President Trump, this Government were visibly begging for good economic headlines after the humiliating resignations of the Deputy Prime Minister and the ambassador to the US, not to mention the uncontainable mess of the Chancellor’s first Budget and the threat of her second Budget. The US-UK tech partnership was the result, with a huge amount of smoke and mirrors deployed over what it actually contained. Whatever substance lay within it, we heard just before Christmas that it had been paused, used as leverage by the US while other trade negotiations were under way.
I am not criticising the US Administration for skilfully playing their hand in their national interest; I am asking this Government rapidly to wake up to the reality of a new world in which the post-war settlement is coming to an end—one that has been giving clues to its existence for many years, since long before President Trump came into office. The United States remains a vital ally, but in this new era Britain must be very clear-eyed about risk, the reality of hard power and the need to protect our sovereign interests.
Cyber-risk requires as much thought about the fundamentals of plumbing as it does about the laws that try to manage how humans use or exploit technology. The UK Government have a vast procurement budget for which our own firms ought to be able to make a successful bid, but UK tech tells me consistently that, for all the talk in the Government’s AI strategy of sovereign tech capability, it has not got a look-in since Labour has been in power. I am concerned that this Bill should not introduce new, burdensome regulation for UK firms in a way that benefits non-UK incumbents with giant compliance teams and legal resources in a way that would exacerbate the risk of vendor lock-in.
Let us turn to another risk. The private sector will have noticed that the new obligations in this Bill broadly do not touch the public sector, where cyber-risk remains red-light-flashingly large, notwithstanding the public cyber strategy that was thrown out today in implicit acknowledgment of that gaping hole. Knowing that the public sector holds such enormous cyber-risk, this Labour Government choose not to minimise it, but to create a brand-new one—a hulking great identity system mandated for anyone who wants a job and, we now hear, possibly for new-born babies. It is mandatory identity by stealth, not consent, and with no honesty about it.
It is not to be against the ability of people to verify themselves digitally for banking, to access certain online services or to stop fraud to think that Labour’s mandated digital identity plan is a complete rotter. The Association of Digital Verification Professionals called what Labour inherited on digital identity a
“world-leading model for data sovereignty that digitised liberty rather than diluted it”.
The citizen, not Government, would be in control. This naive Government are crowding out private sector expertise and making everyone have one of these identities by stealth. They have no idea what this system will cost, and they will not be honest about what it will be used for.
What of the cyber-security of this system? The system on which this digital identity will be run was breached during red team testing last year. When I asked the Secretary of State if that system has now met the National Cyber Security Centre’s cyber-security standard, no answers came. Whistleblowers have continued to speak out about the vulnerabilities of the system, and there is no sense whatsoever from Government that the dodgy digital identity plan will be paused until such a point when they are confident about cyber-security.
Andrew Cooper (Mid Cheshire) (Lab)
I am absolutely staggered to hear the shadow Secretary of State talk about standard software testing practices as though someone is doing wrong by trying to penetrate systems and find flaws in them. Is not the whole point of software testing to find the flaws in a system and get them fixed, rather than parading them in front of the House of Commons as though they are some sort of failure?
Julia Lopez
The hon. Gentleman is wilfully misinterpreting what I am saying. There is not an issue with having systems tested; there is an issue with the fact that the system test failed. There is no evidence that the Government have therefore acted to deal with those systemic failures.
Julia Lopez
The whistleblowers continue to raise serious concerns about the structures upon which the Government’s digital identity platform will be built. The hon. Member looks absolutely outraged that I might suggest there are some concerns about the cyber-security risk of a national, mandated digital identity platform. I find it extraordinary that he suggests that I am expressing concerns that a system might be tested. Of course every system must be robustly tested—that is not the point I am trying to make, and the hon. Member is being wilfully ludicrous in suggesting otherwise. This Prime Minister cannot run an economy, keep promises or control his Back Benchers, or his Front Benchers, so how on earth does anybody think he can run a secure digital identity system?
At the same time as risking technological lock-in by friendly allies, we are creating new vulnerabilities for adversaries to attack. Just before Christmas, UK intelligence agencies warned about increasing, large-scale cyber-espionage from China, targeting commercial and political information. We discovered from Ministers that the Foreign Office itself was the subject of a major cyber-attack in October, which officials believe was carried out by Chinese hackers, and this came in the midst of a major row between the Government and the Crown Prosecution Service about the prosecution of spies operating here in Parliament.
We will be looking closely at this legislation to identify where the Government should be addressing this cyber-reality with much greater force. An approach to cyber-resilience that looks only at introducing new regulations and compliance burdens without thinking through risks such as a mandated identity scheme, dependence on non-sovereign suppliers, the malign intent of other nations, and a failure to build up our own workforce and skills is one that will fail.
Sir Julian Lewis
I do not think I heard the Minister mention anything about the risk of cyber-attacks on local government. Does my hon. Friend agree that that is another potentially juicy target for people who wish to cause major mischief?
Julia Lopez
As my right hon. Friend is aware, local government is outside of the scope of the Bill, but it is a very juicy target—much of the public sector remains a very juicy target. In acknowledgment of that, the Government whipped out a strategy very quickly this morning that is meant to give us assurances about the public sector’s cyber-resilience. I am not sure that that strategy will provide much reassurance, which is why it is important to understand that this Bill can only be one part of a much wider arsenal to tighten gaps where they exist, in both the private and public sectors.
Ian Murray
It is worth clarifying for the House that we brought forward the Government cyber-security strategy this morning because the 2022 consultation undertaken by the previous Conservative Government was not acted upon. This Government are acting on those threats, bringing forward a plan that we will subsequently see through, and I think the hon. Lady should acknowledge that.
Julia Lopez
I welcome the strategy, but I have not yet had a chance to have a good look at it, because the Government always seem to publish these sorts of documents right at the last minute. The only way to get any information out of this Government is to apply some pressure in this House, and then, remarkably, things come flying out of the cupboard.
I will be very interested to see what the strategy looks like and whether it is up to the challenge we now face. The problems and risks of cyber have increased markedly since we were in Government because of the advent of AI technology—that technology is changing the picture very rapidly, just as the defence picture is changing very rapidly. My concern is that this Government are not taking seriously enough the various defence and security challenges that this House faces; they are prioritising spending on welfare payments, union payments and all manner of other things. It is one thing to get a strategy out of the door; it is another to put in place the measures that will implement that strategy. Basically, all we have seen over the past 18 months is strategy documents, without a great deal of delivery. That is one of the reasons why the Government are so rapidly losing public confidence.
In conclusion, we support this cyber Bill in principle—the threat is real and growing, and it demands action. However, it is only a tool, not a cure-all. A Government who are trying to close down gaps in one place while wilfully opening up huge new risks in a different corner are being negligent in their approach. Furthermore, if this legislation is to command confidence, it must be practical, proportionate and genuinely effective. Without meaningful improvements, the Bill risks placing new burdens on business while delivering only marginal gains for our national resilience. Cyber-security is a shared responsibility between Government, regulators, industry and the public, but leadership must come from the top, and that is where this Bill currently falls short.
With the private sector taking the lion’s share of the load while gaping holes remain in public sector cyber-defences, the Bill begs obvious questions about the confidence that citizens should have in flagship Government projects such as the Prime Minister’s mandatory digital identity system. As it stands, the Bill would not have prevented high-profile cyber-shutdowns such as Jaguar Land Rover’s, it does little to address the chronic vulnerabilities in the public sector, and it certainly will not make Labour’s dodgy ID database any more secure. That is why, as the Bill progresses through Parliament, we will be pressing this Government to ensure that it delivers genuine security, proper accountability and raised cyber-defences across the board, while taking them to task on major mistakes such as mandatory ID. Cyber-security is no longer a niche compliance exercise; it is about protecting the fundamental economic and defence interests of our nation.
Matt Western (Warwick and Leamington) (Lab)
I start by welcoming the Bill, which is a serious step forward in protecting the United Kingdom from the great number of cyber-attacks that we face each day. As we have just heard from my right hon. Friend the Minister, this legislation is long overdue. A consultation started back in January 2022, and in April of that year, the then Government identified serious issues and limitations. I was slightly bemused that my hon. Friend the shadow Minister—I do consider her to be a friend—did not cover that in her speech. The previous Government then failed to act for over two years, and as my right hon. Friend the Minister illustrated in his speech, that has proven very costly.
Over the past couple of years, we have seen that cyber-security is not just paramount in our everyday lives; it is crucial. It ensures that there is food on our supermarket shelves and that the lights stay on. It is critical to every corner of the UK, but now we have to move at pace, and not just through this legislation—I urge us to go further. If we are to protect ourselves from our adversaries, we need to develop a true whole-of-society approach to cyber-security and start a national conversation on security at home. This legislation is clearly an important first step. It is a first chapter, but many more must be written if we are going to seriously address our national security, by which I mean our social and economic security.
Increasingly over the past decade, we have seen a blurring of war and peace, with the emergence of hybrid warfare and the widening of the grey zone. We are living in a cyber no man’s land where states or state-sponsored actors—proxies—can act with relative ease and impunity, leaving the world a more dangerous place. The cyber-realm is, and will remain, a key battleground, and it is one that we must seize. Every one of us in the United Kingdom needs to wake up to that fact, particularly with the development of AI and quantum computing and the extraordinary threats that will come from those developments. When it comes to being the target of cyber-attacks, the United Kingdom now ranks third among all nations. In 2024 alone, the NCSC handled an average of four major attacks every week—these are the really serious attacks—and the impact on the economy is staggering. In the same year, cyber-attacks cost the British economy £15 billion, or 0.5% of GDP. When we are trying to increase GDP by 1%, 2% or whatever it is, a hit of 0.5% is so significant.
While 43% of businesses have reported having any kind of security breach or attack over the past 12 months, that figure rises to 67% and 74% for medium and large businesses respectively. Every attack inflicts more pain on UK plc, meaning lower economic growth and lower tax receipts to fund our public services. As we heard earlier, the effects ripple through our whole society.
We have just been talking about the attack on Jaguar Land Rover this summer; that attack cost the company an estimated £500 million, affected over 5,000 businesses and put thousands of jobs at risk, with many of those employees based in my constituency of Warwick and Leamington. The impact was significant, whether it be on cafés, restaurants, pubs or shops, which were all affected by the downturn that immediately led from the shutdown of the factories.
The attack on Collins Aerospace was alluded to earlier. It crippled Heathrow airport, and I think Stansted was affected, too, but less so. It scuppered thousands of hard-earned family holidays in autumn last year, and the ramifications for the travel sector were significant.
It is not just businesses that have been affected. We have seen attacks on councils, as we have heard, and charities. Even the British Library was knocked out two years ago, which impacted so much of our research potential across our higher education institutions. It has significantly affected the UK. The Electoral Commission got knocked out by an attack by Chinese state-sponsored actors. There have been so many other attacks. Even our NHS is not safe. My right hon. Friend the Minister mentioned the attack on Synnovis. Last year, more than 11,000 NHS appointments were lost due to cyber-attacks. The attack in June 2024 on London hospitals by the Russian group Qilin saw 1,100 cancer treatments delayed, 2,000 out-patient appointments cancelled, more than 1,000 operations postponed and, tragically, the death of a patient. The message from across our international partners and the UK’s security services is clear.
Matt Turmaine (Watford) (Lab)
On the attack on the NHS, I worked for 10 years in health and social care prior to being elected to this place, so I witnessed that attack taking place, and nothing could give a starker demonstration of the impact on productivity that cyber-attacks have on our country and our society. There was a meeting of senior clinical commissioning group and other health trust executives in Hertfordshire at the time, and one by one they were forced to leave the room like lights blinking out as the impact of the attack became clear. Does my hon. Friend agree that this Bill is essential to keep our legislation up to date with the new methods of attack that bad actors are using on our state and infrastructure as online technology evolves?
Matt Western
I thank my hon. Friend for sharing his lived experience. I can relate that to when I have spoken to organisations through the Business and Trade Committee and through my role on the Joint Committee for National Security Strategy. I have heard from organisations that have been impacted about how paralysing the immediate aftermath of such an attack is and how it challenges an organisation. It is crucial that these red team, blue team scenarios get played out, but when it is actually happening and a company is facing an entire shutdown of its systems, it is very difficult to navigate. Many have talked about the culture change that is needed, and we need to urgently embrace that change. The experience in the NHS that my hon. Friend mentions is a good example.
These attacks are the new normal and we must be better prepared. In September 2024, led by the FBI and the National Security Agency, the United Kingdom, Germany, Estonia, Canada and a plethora of other allies released their clearest articulation of the threat posed by Russia, and Putin in particular. They said that Russia is
“responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.”
The NCSC annual review in 2024 called the landscape “diffuse and dangerous”, while the 2025 review could not have been clearer in saying “It’s time to act” in the defining text on the front cover. Richard Horne, head of the NCSC, said:
“Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives… The recent cyber attacks must act as a wake-up call.”
Just last week, Andrew Bailey, the Governor of the Bank of England, said that cyber-attacks were one of the biggest threats to UK financial stability and stressed the critically important need for collaborative defence.
The reality should be clear to everyone here. The frontline is everywhere. It is our phone, it is at our desk, it is our businesses, it is our infrastructure and it is even here at the heart of our democracy. Such a threat requires a whole-of-society response. We are not the first to have been targeted. Back in 2007—18 years ago—Russia launched a determined cyber-attack on Estonia. It was damaging and debilitating to Estonia’s society and economy. The cyber-attack was a call to action for Estonia and it responded at pace. It brought about cultural change, which was talked about earlier in the debate. Estonia overhauled its legal, political and strategic framework—even looking at its education system—and adopted a whole-of-society approach to cyber-security, developing a serious public-private partnership to counter the threats posed by Russia. No doubt the Minister will have looked at this case in more detail to understand what learnings could be applied here and to our cyber-security strategy more widely to ensure whole-of-society resilience.
The reality is that cyber-attacks target the weakest link. It was welcome to hear my right hon. Friend the Minister talk about the initiatives with the FTSE 350 companies and some of the smaller businesses about how they should be engaging with these threats. It cannot be acceptable that the most popular password in the United Kingdom is “password”. It is ridiculous. Every one of us must act as guardian against our cyber-adversaries.
The Bill lays out valuable and desperately needed provisions. Its extent and scope are hugely welcome, bringing in data centres, large load controllers and managed service providers under the network and information systems regulations protects more of the economy from cyber-attacks. I am particularly pleased to see the inclusion of managed service providers, given the vulnerabilities that organisations often face from external IT suppliers or their supply base.
The amendments to the regulatory framework are a positive step. Improving the reporting of incidents will allow the Government to respond at pace and be agile to the evolving threats and shared vulnerabilities. That said, during the last Parliament, the Joint Committee on the National Security Strategy, which I now chair, called for one cross-sector cyber regulator, and I echo those calls, as I believe that would enable far greater regulation and enforcement. Finally, the improved resilience and security enabled through additional powers granted to the Secretary of State are crucial in enabling the Government to act quickly in real times of crisis.
Despite all the positive aspects of the Bill—I congratulate Ministers after the years of dithering by their predecessor Government—it does leave large parts of the economy outside its scope. As I have mentioned already, how can we incorporate a whole-of-society approach to cyber-security like that of Estonia? There will be many different levers for the Government to pull. This Bill is just one part, and I trust that others will follow swiftly. It is worth noting that the EU’s NIS2 directive is broadly parallel to the Bill before us. However, the EU goes further on cyber-resilience, having added sectors such as manufacturing, food distribution and waste water. Having witnessed such devastating attacks in these sectors in the past year, I urge us to act swiftly with further legislation to address those areas.
In summary, I just restate that I absolutely welcome the Bill and the three key pillars of the legislation—the expanded scope, improving regulation and strengthening resilience—are hugely welcome, as is the importance of experience reporting and sharing by victims. The cyber-attacks we have suffered this past year must be our inflection point—our call to action. Like Estonia in 2007, we have an opportunity to reinvigorate our cyber-defences and ensure the whole of society is resilient. The shadow Minister mentioned digital ID, and I gently say that that opportunity was seized upon by Estonia at the time and it has since introduced digital ID. It is secure, as it is in Denmark. Estonia looked at the opportunity presented by that challenge and that attack that they faced, and those systems work. That has been demonstrated by both those countries. As the annual review from the National Cyber Security Centre rightly asserts,
“the UK’s cyber security is… a shared responsibility where everyone needs to play a part.”
We parliamentarians have a duty to raise the salience of the issue, and to bring about a national conversation to ensure that everyone plays their part.
Finally, may I gently encourage the Minister to go further and faster, and to look at the broader cyber-landscape, as Estonia did and as the European Union is doing with its NIS2 legislation? May I encourage him to consider introducing legislation to cover food production and distribution, manufacturing and other critical sectors? As I have said, however, the Bill is an important first step, and I look forward to working constructively with him to ensure that the UK and its citizens are secure from, and resilient to, any future cyber-attacks.
Madam Deputy Speaker (Judith Cummins)
I call the Liberal Democrat spokesperson.
Victoria Collins (Harpenden and Berkhamsted) (LD)
I wish you and everyone else in the Chamber a happy new year, Madam Deputy Speaker.
It is a pleasure to finally address the long-awaited Cyber Security and Resilience (Network and Information Systems) Bill. As has been pointed out today, it is significant. The National Cyber Security Centre reported that nationally significant cyber-incidents had more than doubled since the previous year. The past year’s surge in cyber-attacks on targets ranging from supply chains to hospitals to critical infrastructure has made one fact clear: there is no economic or societal security without cyber-security. Cyber-attacks cost the UK economy £14.7 billion annually. There have been attacks on companies such as Jaguar Land Rover and Marks & Spencer. More important, however, is the impact on the real economy. Thousands of jobs and businesses are hanging in the balance, and our public services and our private data are also being impacted. As the Minister mentioned this morning, the NHS Synnovis ransomware attack resulted in more than 11,000 postponed appointments and procedures. It has even been linked to one patient’s death, which was attributed to the delay that the attack caused. This matters. We must do all that we can to upgrade protection and our security, because jobs, the economy and lives depend on it.
Our economy—imagine it, if you will, as a house—is under attack. The Liberal Democrats welcome the Bill’s intent to upgrade our home security; the addition of data centres, managed service providers and large load controllers means that we are building stronger fences, and that companies with a master key to all our doors have stronger security. Also, the wiring has been upgraded, and the alarm system is being given an upgrade; there is increased incident reporting. However, the Bill leaves the back door wide open by leaving out key sectors. Our alarm system is not sure when it is supposed to ring, and the companies that have the keys to our doors, and are using our house, are asking for simplicity, clarity and support, so that they can do their job properly. While no single piece of cyber-security legislation can act as a silver bullet, those are gaps that we must address.
We are failing to take the whole-economy approach mentioned by the hon. Member for Warwick and Leamington (Matt Western). We are leaving out the public sector and economically significant sectors, such as retail and manufacturing. The Bill’s stated aim is to protect organisations
“that are so essential that their disruption would affect our daily lives.”—[Official Report, 12 November 2025; Vol. 775, c. 26WS.]
However, the Government apparently do not consider their own public services, provided by local authorities, to be essential enough for protection. The £10 million Redcar council incident proves that voluntary schemes are failing local authorities, but after the Bill is passed, Government institutions and councils will still lack statutory protections and ringfenced funding—and all the while, council budgets are getting tighter. I have no doubt that members of the public whose data, be it from the electoral roll or from social care records, sits in these systems would object to the public sector’s exclusion from the Bill.
As has been mentioned, we are also talking about a potential mandatory digital ID system for the whole country. The Government have already said that it would be built with home-made technology. Where will the cyber-protection be in that? What is more, leaving out sectors such as retail and manufacturing would mean that the JLR and M&S cyber-attacks remained out of scope. These are significant sectors. They involve major employers and major parts of our supply chains, and they handle significant amounts of personal data.
The Bill marks a failure of ambition. The Government claimed in response to a letter that we sent on this topic that they
“do not need to wait for or rely on legislation”
to implement cyber-security requirements in the public sector, and will instead use the Government action plan to ensure that the very same requirements in the Bill will be applied to the public sector. Why must we have this two-tier approach? Why leave out economically and socially significant sectors, such as the public sector? Does the Minister agree that we need mandatory cyber-security standards for those absent sectors of our society, governance and economy? If we are serious about national resilience, about protecting citizens’ data and about aligning with our European partners, let us vote on the issue in primary legislation in this Chamber, so that the issue has the full transparency and accountability that it demands.
A further critical gap in the Bill is the failure to embed security by design, and a lack of clear accountability. This should be board-led, to ensure that each lock, door and window of our house is built securely. In 2019, the NCSC published design principles, and last October the Government launched a secure-by-design framework, which was seen as core to their cyber-security standard. However, the Bill not only excludes Government from critical national infrastructure but abandons that key principle, and fails to include the words “by design”, which matters, particularly as ISC2 research suggests that skills shortages are the No. 1 challenge for compliance with cyber regulation in the UK, with 88% of respondents experiencing at least one cyber-security breach as a result of skills shortages. This is also a missed opportunity for our economy and our cyber-security sector. Prioritising security by design would provide the baseline protection that our critical infrastructure so desperately needs. What consideration have the Government given to ensuring security by design?
Effective regulation does not just mean future-proofing; it must be workable. While we welcome expanded incident reporting, the current definitions risk creating a significant regulatory burden. Over-reporting will overwhelm, rather than strengthen, our cyber-security systems. Those who are coming to upgrade our security systems are not being given clear directions. The definition of a “reportable incident” is so broad that it could extend to every phishing email. How will the NCSC feasibly manage the administrative burden when the alarm may be ringing non-stop? Other critical terms lack clarity for industry, including “managed service provider” and the criteria for “digital critical suppliers”, as has been highlighted by techUK and others. These are not just technical details to be ironed out later; they are the difference between a Bill that works and one that does not, and industry needs clarity on how to comply. Will the Minister work with us and with industry to tighten those definitions, so that the Bill is workable, and will he consider the best way to ensure simplicity and effectiveness in incident reporting?
What is being done to support home-grown cyber-security in the UK? What is being done to defend us from hostile foreign interference? With one of the latest defence contracts going to Palantir, what is being done to support UK tech? Would the Government support a digital sovereignty strategy, as suggested by Open Rights Group? The Bill is yet another missed opportunity to support our domestic tech sector, at a time when we should be building UK cyber-security capabilities and creating highly skilled jobs here at home. How can we claim to be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad?
Supporting UK tech and businesses is not just about the providers in the Bill; it is about the thousands of small and medium-sized enterprises that form the backbone of our economy. For the few SMEs and start-ups that are directly affected by it, the Bill creates a regulatory thicket of overlapping rules, different timelines and multiple bodies. Cyber-security is complicated, and for this legislation to work, it must be simple and easily implementable for UK SMEs. What support will there be for those SMEs and start-ups?
It would be remiss of me not to mention the wider cyber-crime landscape. SMEs make up 99.8% of UK businesses, and are often the most vulnerable link in cyber supply chains. The NCC Group confirms that manufacturing, retail and leisure, dominated by SMEs, were the sectors most targeted for ransomware in 2024. That is why the Liberal Democrats are calling on the Government to establish a digital safety net for SMEs—a nationwide first responder service that would provide free-at-the-point-of-use support for small businesses that have been victims of a cyber-attack. Australia is already doing that, providing person-to-person support during and after attacks. If Australia can do it, why can’t we?
On top of all that, the biggest threat is actually fraud, which costs the economy hundreds of billions a year. Two thirds of all fraud begins online, much of it through social media companies with no liability. That is why the Liberal Democrats are calling for social media platforms to be made financially liable for fraud on their sites, which would create a clear line of accountability for criminal activity. Moreover, fraud is a cyber-security issue; it exploits weak systems and inadequate protections. Families lose life savings, elderly people fall victim to sophisticated phishing, and small businesses shut down. The Bill protects infrastructure, but by leaving the back door open, it ignores the billions of pounds of savings lost and the livelihoods upended through online fraud. The Government must address that in their long-awaited fraud strategy. We cannot protect systems but abandon our businesses and our people.
The Bill is progress, but it is not the finish line. The cyber-threat is real, evolving and urgent. The Liberal Democrats will work constructively to strengthen the Bill through amendments, but we must ensure that we do not leave the back door open, and that we future-proof our security. We owe it to our businesses, our families and our national security to get this right.
Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)
Happy new year to you, Madam Deputy Speaker, to all hon. Members and to the staff.
It is appropriate that we begin 2026 by talking about an issue in the House that is of grave importance to all our constituents, but is not discussed enough either here or in the country: cyber-security. At the start of the millennium, only a quarter of the UK and 6% of the world were online. Today, almost 98% of the UK and 68% of the world use the internet. According to Ofcom, we each spend between three and six hours online every day, depending on our age and interests. For many—perhaps too many—life is lived online. Even when people are not online, the infrastructure of their lives is. Whether people use online banking or not, their bank account details will be stored in a cloud somewhere. The same is true of health records, electricity bills, children’s school records, the safety sensors of our nuclear power plants, Christmas Marks & Spencer orders and Uber ride details.
The Prime Minister said that national security is the first duty of any Government. I hope that all hon. Members agree that the Government must ensure the security of the British people as we go about our increasingly online lives. Previous Governments have not taken that issue seriously enough or done enough to protect our citizens. That is why, as Chair of the Science, Innovation and Technology Committee and a self-confessed tech evangelist, I welcome the legislation. I am pleased to see other members of the Committee here. The Committee has not examined cyber-security in detail, but we have expressed significant concerns about public sector data management, for example, after the Afghan data breach came to light.
As we have heard, the UK’s only cross-cutting cyber-security legislation is inherited from the EU. Since Brexit, the EU has updated those regulations, leaving the UK working in an outdated framework. Meanwhile, nationally significant cyber-incidents, as measured by the National Cyber Security Centre, more than doubled last year. The NCSC also warns that artificial intelligence will “almost certainly” increase both the scale and impact of attacks. When everyone can code, thanks to AI, everyone can hack, and we need to respond to that, because those attacks threaten not only our national security, but our economy. In November, the Bank of England cited, for the first time, a major cyber-attack—that on Jaguar Land Rover—as a factor in its decision to hold interest rates. The JLR breach is estimated to have cost the economy almost £2 billion.
I welcome the Bill, which seeks to expand its scope to new sectors, to make regulators more effective, and to grant the Government additional powers to respond to the ever-evolving threat landscape. However, I must be clear that there is more to be done. My main concern relates to the scope of the legislation. The Bill rightly brings data centres, large load controllers and managed service providers within the scope of regulations, and grants competent authorities the power to designate critical suppliers that are vital to the service provided, yet some of our most economically significant sectors remain outside its core obligations.
Retail is the UK’s largest private sector employer. It handles huge volumes of sensitive customer data, runs complex supply chains, and often relies on legacy IT systems, which make it a prime target for cyber-criminals, yet retail is outside the direct scope of the Bill. The legislation would therefore not have prevented the attacks on Marks & Spencer, the Co-op or Jaguar Land Rover, which affected our constituents so greatly.
I welcome the Government’s plan to promote the new cyber governance code of practice to improve preparedness in sectors such as retail. However, even after high-profile breaches, cyber-security is still not prioritised at board level. A recent report by the Information Systems Audit and Control Association—ISACA—shows that only 56% of company boards take cyber-security seriously enough, and that is after JLR.
The Minister, in his excellent speech, said that it was up to private sector companies to manage their cyber-security. I agree, but how will the Government assess whether that is happening? What will the Government do if there is evidence that companies are not managing their cyber-security effectively and that, as a result, our citizens are not adequately protected?
Without a way of monitoring and enforcing governance standards, large parts of our economy remain exposed. ISACA recommends a statutory review of the uptake and effectiveness of the cyber governance code; powers for regulators to mandate periodic external resilience assessments, such as penetration testing and scenario-based exercises; and a requirement for organisations to appoint an accountable individual who meets defined competency standards.
Government Departments, local administrations and public bodies, such as the BBC, are also outside the scope of the legislation. The Bill does nothing to address long-standing weaknesses in public sector data management, which the Select Committee highlighted. As the National Audit Office declared last year, the cyber-threat to the UK Government is “severe and advancing quickly”. The cyber-attack on the Foreign, Commonwealth and Development Office in October is a clear example of how rapidly the attacks are escalating. We need greater rigour to prevent future attacks and build the public trust that is needed for the implementation of digital ID and other digital transformation projects.
I have not been able to study in any detail the action plan that the Government published this morning, but I will look for clear measures of success when it comes to its implementation, and ways in which the cultural change that was mentioned in the debate, which is needed in the public sector as well as the private sector, has been achieved.
The Secretary of State recently told my Committee that the Government would
“assess the improvements the Cyber Security Bill brings to the UK’s cyber defences through post-implementation reviews, regular engagement with NIS regulators and industry, and monitoring the incidence and cost of any future cyber attacks.”
I would welcome clarification of whether those commitments reflect the statutory requirements in clauses 20 to 22 or additional policy commitments, and how they will be funded.
The Bill rightly focuses on critical national infrastructure, but as we all know, we are only as secure as our weakest link. The supply chains for our critical national infrastructure involve many small businesses, who may or may not be within the scope of the Bill, depending on their designation. How quickly does the Minister envisage businesses knowing whether they have been designated as critical suppliers?
I support the Bill’s proposals for mandatory cyber-incident reporting and recognise the value of the Government’s collecting and publishing data on ransomware and other attacks. However, I share the concerns raised by the Association of British Insurers and others about the feasibility of small businesses meeting the proposed two-stage reporting requirement, and particularly the requirement to submit full reports to regulators and the NCSC within 72 hours.
We have seen that the take-up of cyber essentials—the programme to help businesses, and particularly small businesses, achieve the cyber-security they need—is low among businesses. As I said, only 33,000 took it up in 2024. Cyber insurance take-up is also low among small businesses, leaving them vulnerable in terms of skills and protection. Can the Minister say a little about his plans to address that? If the Bill is to succeed, implementation must be done with industry, not to industry, so I echo techUK’s calls for clearer guidance on information sharing and for additional support to help small businesses meet compliance costs.
I hope that the Minister will address the following points specifically. Will the Government consider extending the Bill to economically significant businesses outside its current scope, and empowering regulators to mandate stronger cyber governance and resilience assessments? Will the Government consider including direct measures to strengthen cyber-security and resilience in public administration, including local authorities and Government Departments? Will the Government clarify whether the post-implementation reviews, monitoring of cyber-incidents, and engagement with regulators and industry that the Secretary of State has outlined to my Committee reflect the existing statutory requirements in the Bill? Will the Minister ensure that the new cyber- incident reporting and information sharing requirements are implemented in a practical and proportionate way for small businesses? Will the Government take steps to support cyber insurance take-up? Finally, will they ensure that there is clear guidance on information sharing requirements, and provide additional support to help businesses meet compliance costs?
We need to talk more about cyber-security. I have not touched on some of the national security implications, which the Minister and my hon. Friend the Member for Warwick and Leamington (Matt Western) described very well, but this issue is only going to get more important from the perspective of national security, economic security, and personal safety and security. If we can get the implementation of this Bill right by extending it as necessary, working with industry, supporting smaller businesses, and supporting public trust and public security, then I hope we can build a nation that is not just cyber-secure today, but prepared for the many challenges that lie ahead.
Sir Oliver Dowden (Hertsmere) (Con)
It is a pleasure to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who has brought tremendous expertise to this debate. In my previous role overseeing national resilience and cross-Government co-ordination of national security threats, cyber-security was probably the one area that caused me the greatest number of sleepless nights. There has been a lot of talk in recent months and years about the increased need to defend the realm and the steps that need to be taken to address the defence of the realm.
We all know from past experience that the first line of any attack on the defence of the realm is highly likely to be through cyber-attacks. Indeed, in a completely different context, we need only to look at the public comments made by the President of the United States a couple of days ago about the first steps that the United States took in its intervention in Venezuela: he talked about the United States’ capability to knock out the power supply there. If we look at our adversaries, particularly Russia, North Korea and Iran, we can see that they are actively inculcating and encouraging environments in which cyber-attacks can be planned and take place. Whether that is done explicitly by private sector individuals or with the connivance of the state, a deliberate grey zone is created, with the desire to increase knowledge of cyber-risks to the United Kingdom and our allies, and to carry out penetrative attacks to that effect. We are likely to see this grey zone warfare continue to increase as a result of the actions that we see in Ukraine and elsewhere.
We just have to look at our own experience. Many hon. Members have made the point that the initial attack on JLR rapidly cascaded and affected many others in the supply chain. From the Government’s own research and testing—this is in the public domain—one sees that a cyber-attack can rapidly cascade into other areas. For example, when we test the impact of a cyber-attack on our electricity system, it rapidly cascades into our water system, which is dependent on electricity. Clearly, it also rapidly cascades into our transport system. Before long, a small cyber-attack becomes a very, very large cyber-attack. In common with all other advanced countries, the United Kingdom is highly exposed to cyber-attacks—a point that I made repeatedly from the Dispatch Box.
I welcome this legislation and the steps that the Minister has outlined today, but I gently caution against what he said. I do not think it was his intention, but he said that this legislation will fix the cyber-security problem. It will not fix the cyber-security problem. No single piece of legislation is ever going to fix the cyber-security problem, nor is this a question of good guys and bad guys or of, “The last Government did nothing, and this Government are doing something.” Each Government must have a fresh look at the challenges of cyber-security, and take necessary and proportionate steps to address the risks.
Matt Western
Given the right hon. Gentleman’s extensive experience, it is very interesting to hear what he says. If he had his time again—this is not to criticise the previous Government, but to ask about the here and now—would he think that this area needs an absolute focus from across Government and across society, because it is such a crucial part of our defence?
Sir Oliver Dowden
Yes, I totally agree. Indeed, that is why the National Cyber Security Centre, working in conjunction with the last Government and now the current Government, has set out the whole-of-Government approach. It cannot just be about the actions of individual Government Ministers or individual actors in the private sector; the whole of Government need to act together.
On the further steps we could and should have taken—this goes back to my intervention on the Minister—I do think that more pressure needs to be brought to bear on Ministers in terms of their accountability for cyber-security, and I fear that if we do not put this into primary legislation, it can slip further and further down Ministers’ in-trays. Although Ministers have a desire to address it, more pressing and immediate problems distract their attention.
I have some constructive suggestions about how we can improve the proposed legislation. The first is about many of the powers being delegated to secondary legislation or ministerial direction. I do not have a problem with that, because it is essential that we have a framework piece of legislation and then the flexibility to allow secondary legislation to be brought forward to address challenges as they arise, but I urge Ministers to undertake a meaningful and mandatory consultation on any secondary legislation that comes forward, so that businesses and others can contribute to it.
I also caution against Ministers devolving to regulators their duties in respect of cyber-security. Too often—again, this applies to Governments of both colours—regulators are empowered to address cyber-security problems or any other problems. They then charge off in one direction and fail to take into account questions such as proportionality—the impact of the regulations versus their economic burden—and Parliament and Ministers cease to have a significant role. I urge Ministers to keep a tight grip on regulators and on the instructions that they give them.
I would also be a little cautious about some of the arguments made by hon. Members about the need constantly to expand the scope of this legislation to further areas of the private sector. It is very easy for us in this Chamber to talk about the need for further legislation, but when a small business is faced with a huge Act and required to interpret it, it looks a very daunting prospect. My preference would be to continue the sort of co-operation that we have seen through the whole-of-society approach advocated by the NCSC.
On proportionality, I urge Ministers to embrace AI. There are opportunities to use AI to triage incoming attacks and avoid duplication, for example, and a lot of streamlining of the system can be done in that area. On the flipside of AI, we must take very seriously the risk of cyber-attacks posed by agentic artificial intelligence. It appears that we reached an inflection point in November 2025, when Anthropic reported disrupting what it described as the first large-scale cyber-espionage campaign executed largely via agentic AI. We are likely to see much more of this. I would welcome the Minister saying in his concluding remarks what the Government intend to do to ensure that we keep up with this threat, because we are only in the foothills of the risk posed by agentic AI.
Further to the point about the role of the public sector, 40% of incidents handled by the National Cyber Security Centre when I was the Minister responsible were from the public sector, so I question the exclusion of the public sector. I appreciate that the Government have announced a plan. I have not had a chance to look at it, but I can imagine what it contains broadly. The key thing is what stick is applied to public officials and Ministers, outside the core responsible Government Departments, to make sure that they take their responsibilities seriously, so I think some legislative proposals may be needed in that area.
Similarly on budgets, again the core responsible Departments—the Cabinet Office and the Department for Science, Innovation and Technology—will prioritise cyber-security. I fear that other Departments may not, so there is a strong argument for ringfencing cyber-security budgets for all Departments so that money cannot be transferred to more pressing short-term problems, as has often been the case, particularly, for example, in the NHS.
It is very important that we do not overlook the basics. It is very easy to talk about legislation or to talk in high-level terms about threats, but probably the single biggest thing we could do to deal with cyber-risks in this country is to make sure that every time every single business and private individual gets one of those annoying pings on their phone saying that they need to upgrade their software to the latest operating system—it is the same with their PCs, iPads and so on—they do so. That is done by providers, because they know that there is a cyber-risk, and there is a patch to address it. If the patch is applied immediately, that can have a huge effect on the resilience of the whole of society, and the NCSC constantly puts out that message.
We need to look at our resilience in society as a whole when we have a major cyber-attack. We have had major cyber-attacks, but they have tended to be in just one sector, albeit with cascading effects, as with JLR. We have not yet had a whole of society cyber-attack—either one that flows out of control from a criminal attack, or a deliberate attack from a hostile state cascading widely across all of society—affecting our electricity, water supplies and so on. I fear that it is only a matter of time before that happens, and we need to look at the resilience of individuals, including the ability to have analogue systems such as battery-powered torches, rather than electric torches, and so on. I started the work on that as a Minister, and I think more needs to be done in that space.
We also need to look at the question of emergency communications. It was certainly my experience that public sector broadcasters—such as, I think, the BBC—are not required to take emergency communications from the Government in such situations. I think that is a loophole that could be exposed in such a situation.
On resilience more broadly, we are in the foothills of the impact of AI. We are going to see vast impacts on employment and how people lead meaningful lives as AI advances more and more rapidly. For the resilience of our society, this House needs to have a much wider debate—not on this Bill, but more generally—about how we address the epoch-changing challenges we are facing.
In conclusion, I think this is a welcome piece of legislation and an important step forward. My hon. Friend the Member for Hornchurch and Upminster (Julia Lopez) correctly highlighted the very important challenges, and they will need to be addressed as this Bill passes through the House. I think it is an important step forward, but it is only one step, and once this legislation is enacted, we will need to be prepared to return to this issue again and again.
Anna Gelderd (South East Cornwall) (Lab)
I am pleased to support this Bill as the MP for South East Cornwall, which is a constituency of hard-working rural and coastal communities where digital access remains a problem, as there are long distances between services and few alternatives when systems fail. As we know, digital connectivity is a growing necessity for daily life—from traditional farming and fishing businesses to carers supporting vulnerable residents—and access to online job sites, Government websites, and NHS services and emergency support are all part of our new daily existence. Reliable digital infrastructure that is protected from disruption and attack is therefore essential for our economy, public services and community safety.
That is why I am supportive of the actions this Government have taken to improve the lives of my communities, such as the digital inclusion innovation fund, which Labour has put in place to tackle the barriers that stop people getting online in the first place; the roll-out of Project Gigabit, ensuring that rural and hard-to-reach areas are not left behind; and the shared rural network, which is an important landmark partnership between Government and mobile network operators that Labour continues to support to eliminate so-called notspots—I have to say I know about them only too well in South East Cornwall—and improve 4G coverage across rural areas such as mine.
Improved connectivity and cyber-security can support small businesses, enable remote working, improve access to the NHS services we all need, and help young people build their futures through online training, job opportunities and Government support. They can also strengthen our rural resilience, ensuring communities stay connected during emergencies and are better able to adapt to future challenges. My goal is for South East Cornwall to become a digitally connected, resilient and safe constituency, where no one is left behind because of their rural postcode. I am pleased to have been raising constituents’ concerns with Ministers and working with them to improve that for local residents.
Digital systems must also be secure. Cyber-attacks carry real costs for both individual businesses and our wider economy. Businesses in South East Cornwall work hard to provide those services, create local jobs and support our local communities, and there are practical steps that businesses can take. The National Cyber Security Centre provides excellent guidance, but it also matters that businesses know that their Government are acting to protect them as they navigate the growing risks involved in working online. That is why I welcome the action this Bill takes to strengthen our cyber-resilience. May I ask the Minister what is being done on recovery and response planning should incidents occur, as the reality for rural and coastal communities is that outages often last longer and impacts are felt more sharply?
The Bill also presents an opportunity to grow skills, learning and employment across the country. Improving cyber-security standards increases demand for skilled professionals, and it creates pathways into good jobs and long-term careers. That matters for us in South East Cornwall, where we want our young people to see a future locally, without needing to leave to succeed.
This issue also matters for diversity. Our services are stronger when they are designed and protected by people with different backgrounds, experiences and perspectives. Work in this area can open doors for young girls and women into STEM—science, technology, engineering and maths—careers, and help break down the long-standing barriers felt by women under-represented in tech, whether at entry level, in mid-career progression or in leadership roles. The Secretary of State for Science, Innovation and Technology recently welcomed the launch of the women in tech taskforce to bring Government and industry together to identify and dismantle exactly those barriers, and I look forward to seeing the benefits reach the women and girls in South East Cornwall.
It is also important to recognise that cyber-resilience is now a key element of our national security and defence readiness. Staying up to date and agile is essential, particularly as advances in Al and quantum computing not only create new methods for testing, strengthening and securing our systems, but present new challenges that we must face. We have world-class research facilities in the UK, with brilliant minds that can support our national security and ensure that the UK is at the forefront and prepared for future attacks.
The work the Government are doing through the Bill updates the UK’s existing frameworks so that we can respond to new and emerging threats and better protect our communities, as well as safeguarding sensitive information and personal data, but of course there is room for further work in future. With the nationally important Devonport dockyard just across the river from South East Cornwall, many of my local residents cross the Tamar each day to work on site. A serious cyber-attack could disrupt supply chains, compromise secure communications and undermine operational readiness, with real consequences for local safety, local livelihoods and national defence. Supply chain resilience is especially important in South East Cornwall, as many Cornish businesses support larger providers in defence, energy and infrastructure. Ensuring that our services and local systems are resilient protects both local suppliers and national partners. It is essential that the UK defends itself and protects security at home and abroad, so how will the Minister create clear expectations on wider supply chain cyber-resilience, practical support for smaller suppliers such as those in South East Cornwall, and strong incident recovery planning, so that both major defence infrastructure and the SMEs that support it are protected?
For South East Cornwall, the Bill speaks to resilience in the broadest sense. It supports secure services, a stronger economy, new opportunities for skills and jobs, new opportunities for women and girls, and the confidence that the systems we rely on every day are protected. I am glad to support it and the action the Government are taking to keep our digital future safe.
David Reed (Exmouth and Exeter East) (Con)
I very much welcome the opportunity to speak on Second Reading. The Bill addresses one of the most defining national security challenges of our age and we have heard many valuable contributions from right hon. and hon. Members across the House.
Before entering Parliament, I spent several years working to protect our country from cyber-risks. My background in software engineering gave me a rare view under the bonnet of the systems that now underpin almost every aspect of our daily lives. I saw first-hand how our digital infrastructure works and just how vulnerable much of it remains. I really loved that work, and I am proud to say that as a country we are genuine world leaders, but I would be dishonest if I said that it did not leave me deeply worried at times. That is not because of any single threat or actor, but because of the sheer scale, complexity and relentlessness of the cyber-risks we face. Those risks are only accelerating with advances in artificial intelligence, automation and the advent of quantum computing. Those technologies will, as we have heard today, revolutionise our lives in ways that we are only just beginning to understand. We must adapt alongside them if we are to remain a serious technological and economic power.
Our lives are now dependent on digital systems at every level. From water treatment plants and electricity networks, to transport, financial markets, healthcare and the wider economy, it is fair to say that we are no longer merely supported by digital infrastructure, but built upon it. And when those systems fail, the consequences are not abstract. They are immediate, they are human and they can be devastating.
We have already seen that reality play out in this country. If we cast our minds back to May 2017, the WannaCry ransomware attack tore through the national health service. Tens of thousands of computers were infected, and staff were locked out of patient records, diagnostic systems and telephony. Ambulances were diverted, and thousands of appointments and operations were cancelled, including urgent cancer referrals. The estimated cost to the NHS was £92 million, but the human cost—the stress, disruption and loss of confidence—cannot be measured in pounds and pence. The crucial point, which we have heard made in contributions today, is that while the attack was not targeted at the NHS, it was particularly vulnerable, because it was reliant on outdated and unpatched systems, and on the fragmented digital assets it owned. It was a warning shot that should never be forgotten.
More recently, the private sector has faced similarly sobering lessons. Capita was recently fined £14 million following a cyber-attack that compromised the data of more than 6 million people. British Airways and Marriott International suffered major breaches affecting hundreds of thousands of customers, resulting in substantial penalties and lasting reputational damage. These are not small firms, but sophisticated organisations with scale, expertise and resources, yet still they were exposed. That is why the Bill matters and why I want to work constructively with the Government to ensure that we get it right first time.
Crucially, we must build the ability to adapt and update the framework as technology and threats continue to evolve, while—I refer to the point made by my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden)—not making that burdensome on businesses and organisations.
As the UK’s first piece of legislation to include the words “Cyber Security” in its title, the Bill represents an important step forward. It modernises the network and information systems framework; brings new sectors into scope, including data centres, managed service providers and critical suppliers; strengthens incident reporting requirements; enhances enforcement powers; and allows Government to act decisively—I hope—where national security is at risk. I welcome those objectives and, in particular, the recognition that managed service providers and supply chains are now critical attack vectors. That is absolutely correct. Cyber-threats do not respect organisational boundaries, and our regulatory framework must reflect that reality.
However, the Bill must not be treated as some sort of elixir. Cyber-security is not solved by regulation alone. The Bill strengthens protections for critical national infrastructure but leaves significant questions unanswered—questions that we must address if we are serious about national resilience. One of the most pressing concerns raised by industry is the growing complexity of incident reporting. Organisations already face overlapping obligations under data protection law, sector-specific regulation and, soon, economy-wide ransomware reporting requirements. Add to that multiple voluntary reporting channels, and the landscape becomes fragmented and very confusing. Having been a small business owner, I know that, when dealing with marketing, advertising and payments to staff, having extra layers of complexity, with reporting added on, is a difficult position to be in.
The first hours of a cyber-incident are chaotic: systems are down, decisions are time-critical and staff are under immense pressure. Forcing organisations to navigate multiple reporting regimes in that moment risks distracting them from the most important task, which, as we all know, is containing the attack and restoring services. A unified reporting framework with a single point of contact and aligned timelines would reduce burdens on businesses, while improving the quality of information available to Government. The Bill should move us closer to that outcome, not further away from it. I look forward to working with the Government at the next stage of the Bill to ensure that happens.
We must be honest about the limits of sector-based regulation—the Minister referred to this in his opening remarks. The Bill focuses, rightly, on critical national infrastructure, but many of the most damaging attacks in recent years have occurred outside its scope. Manufacturing, retail and consumer services have been heavily targeted. The attack on Jaguar Land Rover, which many right hon. and hon. Members have referred to today, is estimated to have caused up to £2 billion in economic damage across the company and its supply chain. That is a stark example.
I want to put on the record my deep concern about the precedent being set: the British taxpayer is effectively being required to act as insurer of last resort for major companies that have failed to adequately defend themselves. For large firms that are critical to our economy, the expectation that the public will step in cannot become the norm. Responsibility must sit squarely with the boards and executives to invest properly in cyber-security resilience or face the consequences. I am glad to see that the Government have taken the initial steps to have that conversation with industry.
At the same time, small and medium-sized enterprises, which make up the vast majority of our economy, are particularly exposed. They often lack the skills, budgets and capacity to implement proportionate cyber-defences, yet they sit deep within critical supply chains. A single weak link can have cascading consequences far beyond the organisation directly attacked. If cyber-security is economic security—I think we all agree that it is—we need a whole-of-economy approach. That means combining regulation with incentives, and support and standards that uplift resilience across UK plc, not just at the very top. That should include stronger, secure-by-design requirements for technology products, embedded through procurement and standards, and practical, accessible support for smaller businesses, potentially including consideration of a national first responder model to help small firms recover quickly from cyber-attacks.
We must also address the skills challenge head-on, as cyber skills shortages are already undermining resilience and compliance. If we are to give them more investigatory powers, the regulators themselves will need additional technical and enforcement capacity to deliver the expanded responsibilities set out in the Bill. That capacity cannot be assumed; it must be planned for, funded and developed far in advance.
Finally, I want to raise the issue of cyber-crime law. The Computer Misuse Act 1990 dates from a time when fewer than 1% of the population had access to the internet. Its blanket prohibition on unauthorised access fails to distinguish between malicious attackers and legitimate cyber-security professionals acting in the public interest. That matters: vulnerability research and threat intelligence are essential to defending our systems, yet many professionals in the industry operate in a legal grey area when carrying out work that ultimately strengthens our national security. Updating that framework, including by introducing protections for reasonable research, would modernise the law without weakening it.
In conclusion, the Bill is an important foundation. It strengthens protections for critical services and sends a clear signal that cyber-security is a core responsibility of the modern state. However, legislation alone will not deliver that resilience; it requires co-ordination, clarity, capability and sustained investment, as well as an honest understanding of where the Bill must be strengthened as it moves through Parliament.
Cyber-threats do not stand still, and neither can we. I support the direction of travel set out in the Bill and urge the Government to engage constructively as it progresses so that we can deliver a framework that provides real, lasting protections for our country, our economy and the British citizens.
Anneliese Dodds (Oxford East) (Lab/Co-op)
I wish you, Madam Deputy Speaker, all parliamentary staff and all Members in this Chamber a very happy new year.
It is a real pleasure to rise to speak in favour of this crucial Bill, which I am pleased to see having its Second Reading. It is also a pleasure to follow the hon. Member for Exmouth and Exeter East (David Reed), who set out many of the stakes that are so critical here. We also heard that in the opening speech by my right hon. Friend the Minister for Digital Government and Data, who described a number of disturbing cases, as others have done during the debate. He also set out the scale of the impact of cyber-attacks with some concerning figures, as did my hon. Friend the Member for Warwick and Leamington (Matt Western). I was particularly struck by the 0.5% hit to GDP from cyber-attacks and the fact that our country has been the third most severely impacted worldwide by cyber-attacks. It is therefore welcome that the Bill focuses on a faster and more joined-up approach to deter and deal with cyber-attacks.
I believe that that approach has gone alongside a really strong grip from the new Government on the need for a sectoral approach to dealing with cyber-attacks. Of course, we unfortunately had to see that, given the attack on JLR. I was pleased to see the previous Secretary of State really engaging with the automotive sector—work that has been continued by the current Secretary of State—on the challenges and lessons that need to come out of that attack, which has been particularly important in my constituency given the significance of BMW Cowley for employment in Oxford East.
I believe it is critical that we assess cyber-security alongside other forms of cyber-criminality, as the head of MI5 has argued for us to do. Cyber-attacks are increasingly being carried out by quasi-non-state actors that operate in the grey zone that the right hon. Member for Hertsmere (Sir Oliver Dowden) talked about, often implicitly backed by Russia or other adversaries. Those attacks are taking place at the same time as a rise in cryptocurrency laundering and disinformation operations.
I am sadly forced to share the assessment of GLOBSEC, the security-focused think-tank, that the pattern of Russia’s hybrid war
“has persisted without an effective Western response”.
There has been an escalation in cyber-attacks, sabotage, disinformation and political interference, but we have not seen the kind of joined-up approach across like-minded democracies that is needed. I was assured recently by my right hon. Friend the Paymaster General that the Government are working with the EU on combating foreign interference. That work clearly needs to be intensified, especially when we see what is happening to other democracies not so very far away from us.
I saw the threat for myself directly in Moldova, where cyber-criminals’ methods are often being used in combination: a cyber-attack on the election regulator coincided with a disinformation campaign sponsored by Russia and disruptions like bomb hoaxes in real life. So while I welcome this legislation, it must be co-ordinated with broader work to protect our country’s resilience and digital sovereignty, and to secure transparency on foreign interference.
In that regard, I will end by mentioning a concerning development: the sanctioning of two British citizens by the United States over the Christmas period, both of whom have worked to deliver transparency, including on foreign interference—clearly relevant to this Bill. Imran Ahmed is from the Centre for Countering Digital Hate, whose dispassionate, evidence-based analysis has uncovered the spread of disinformation, violent racism and material that poses harms to children. Clare Melford is from the Global Disinformation Index, which provides information about the extent of polarisation and disinformation so that companies can make informed choices about where to advertise—a free market approach to providing transparency.
The Minister stated at the beginning of this debate that when national security is on the line, we must be ready to act, and I strongly agree. A number of Members in the Chamber have said how important it is that we have a cross-economy and cross-society approach to these issues. I believe that the sanctioning of these individuals risks chilling transparency, including potentially transparency that can uncover foreign interference. I hope the Government will resist all attempts to reduce transparency. The welcome efforts in this Bill on cyber-resilience must be accompanied by work to counter other cyber and information-related threats to our national digital sovereignty and, more broadly, threats to our national security and interest.
Bradley Thomas (Bromsgrove) (Con)
I start by putting on the record my broad support for the principles in the Bill. Cyber-threats are among the biggest threats that our country faces. We are living in the grey zone right now—every day, thousands of cyber-attacks take place on private companies, publicly owned companies and infrastructure. This is probably the most profound wave of attacks and hostility that we face; they are in plain sight, but the vast majority of the country and our constituents are unaware of them. That is for good reason: there are many good people working at the National Cyber Security Centre, in the intelligence agencies and the military, across Government and across private industry who do so much to keep us safe. However, that does not mitigate the fact that the threat is real, present and only ever increasing.
It is only ever increasing not just because of criminality in a cyber form, but because of the threats that come from nefarious states, particularly Russia, China, Iran and others that have been mentioned. The Jaguar Land Rover attack is particularly prominent in everyone’s minds. It affected the whole country and affected global supply chains, but it had a particularly profound effect in my constituency, where many of the JLR workforce are based. We have seen what happens if we fail to invest sufficiently in our cyber-defences—such a deficiency in investment only enables those who seek to do us harm. The point has been made that our lives are not somewhat digital; they are fundamentally digital in almost every facet of life.
I would like to emphasise a couple of points in particular. One that I have not heard spoken about much, which I think is both within the scope of the Bill and, at the same time, somewhat adjacent to it, is the role of foreign technology in our supply chains, particularly kill switches. We are seeing increasing numbers of news articles about these switches, particularly relating to energy installations. Questions have been raised on numerous occasions on the Floor of the House about the prevalence of kill switches in Chinese technology in particular and the risk of exposure to an adversarial state abroad that could destabilise our energy systems. I would particularly like to see a joined-up, whole-of-Government approach to tackling the broader threat, instead of it being viewed through a single lens. I know that Ministers will be looking at it across the board, but I would appreciate if the Minister could address how it is being looked at across Government.
Another case is the rise of Chinese-made cars. It struck me that around 12 months ago I rarely saw a Jaecoo or Omoda car on our streets, but now they seem to be everywhere. I cannot help but suspect, given the links that those manufacturers have to the Chinese Communist party, that there are potentially kill switches within those vehicles and, more importantly, that the vehicles are sending data on users’ mobility habits to a foreign adversarial state. The implications of that are profound.
My final point is about the reporting regime. I introduced a ten-minute rule Bill a couple of months ago that touched on the broad principles within reporting, calling on the Government to have a pragmatic approach with regard to the reporting obligations on particularly small companies. I suggested a threshold of £25 million of turnover before a company would be within the scope of my proposed Bill. I chose that threshold because it would omit the vast majority of small or family-owned businesses unless they are designated within one of the 13 critical industries. The reason for that was simply a fear that reporting obligations on small businesses are ever-growing, and for many businesses additional cyber-security obligations could result in significant additional head count that they may not be able to afford. I encourage the Minister to engage as much as possible with representatives of small business to ensure that the reporting obligations are as minimal as possible while capturing the broad principle of the Bill.
I support the broad principle of the Bill; I think it is a step in the right direction. I hope that the Government will adopt a cross-Government approach. This is a wider societal issue that all of us have an obligation and duty to fulfil. I look forward to seeing the Bill’s progress and contributing as it makes its way through Parliament.
Sarah Russell (Congleton) (Lab)
Happy new year to you, Madam Deputy Speaker, your team and everyone else in the House.
It is no overstatement to say that this is one of the most pressing issues of our time. I suspect that if we were not bringing forward this legislation it would only become apparent quite how pressing it had been when there was a major incident that lay it bare. I think it is one of the marks of successful government that we are, hopefully—I touch wood as I say this—managing to stay ahead of the curve on these incidents. There is nothing more important than national security relating to critical infrastructure. I think it is exactly what our constituents want to see us acting on, and I wish they saw more of us discussing issues on a cross-party basis, with broad agreement. It is welcome to see the Government taking these steps.
I particularly want to discuss the enhanced incident reporting duties on the digital service providers and the duties to inform customers. In short, I have real concerns about how those duties will play out in practice. From my experience of having advised whistleblowers in the financial sector, when there are obligations of this nature, some corporations unfortunately make more effort to avoid complying with them than to comply with them. It is an excellent piece of legislation, and I am not suggesting that the Government should have drafted it in any other way, but we need to look at our whistleblowing laws alongside it, because at the moment we do not have strong enough protections for whistleblowers within UK law. That applies both inside and outside employment settings—for example in relation to contractors and other third parties.
If we do not ensure that people have mechanisms by which they can anonymously report breaches of those sorts of obligations, and if we do not have the right protections for them when they are raising the concerns internally in the first place, we will not be able to make adequate use of the Bill’s excellent provisions. I want to impress upon the Minister how important it is that this legislation is looked at in that wider context.
Also within the wider context is a broader debate—lots of us have touched on this without specifically identifying it—about how we balance the risk across society and the cost of the risk. It is about the risk to individuals, national security, individual businesses and individuals within those businesses, such as directors or other senior leaders. It is about how we ensure that in our country we do not have large tech companies, major data centres and other big private sector businesses taking economic benefits without carrying risk. We need those businesses and they are crucial to us, but we do not want them taking the economic benefits of operating in our advanced economy while the Government and therefore the taxpayer carry all the risk and burden of the regulation.
It is great to see that the Bill contains provisions allowing for financial recovery in the enforcement action that we want to take. It is also fantastic that when it comes to the enforcement provisions and finances associated with it, we are looking at up to 4% of global turnover in terms of potential fines for not complying. My position as a former lawyer is always that I want to know that things are enforceable. There are good enforcement mechanisms in the Bill, and there is plenty of money that could potentially be at risk, which incentivises the kind of compliance that we want to see, but we need to look at the broader societal piece about how we balance the risks and opportunities in relation to tech in general.
I was going to talk quite a bit about my concerns about my local public services and how they can better manage cyber-security. The Legal Aid Agency cyber-attack enabled criminals to steal the details of anyone who had applied for legal aid between 2007 and 2025. The scale of the financial risks to those individuals cannot be overstated; the amount of personal data that that involved was absolutely huge. Six out of 10 secondary schools are now subject to cyber-attacks. The Cheshire Cyber Security Programme is in place to help local small businesses manage their cyber-risk. It provides training for up to five members of staff in small businesses. Our local police powers are being used to try to take proactive steps to improve the situation for our local small businesses.
Schools in academy trusts are spending quite a lot of money on cyber-insurance to try to protect against these risks. We have seen schools across the country shut down because they are unable to open following cyber-attacks. The public sector action plan that the Government published this morning is incredibly welcome in terms of cyber-risk, and I really look forward to the opportunity to go through it in more detail. We again need to look at the balance of cost within our society.
I would like to add to the comments of those who have suggested that we should review the Computer Misuse Act 1990 and the lack of current protections for researchers doing important work in this area. We obviously have several institutions that are currently engaged in cyber-security work, including the Alan Turing Institute and the National Cyber Security Centre. We need to make sure that they have the right remit, because this area is only going to expand when the complexities of AI are added. We must ensure that everyone is protected to do their job effectively. That means protecting individuals, businesses and our wider society.
Lastly, we need to move as quickly as we can on this. It is great that we are maintaining our EU alignment, because realistically the only way that we can continue to be a major player and have considerable influence over companies, many of which now have much larger budgets than major economies, is if we work in conjunction with other countries. That is what our ongoing relationship with the EU should be about.
I thank everyone who has been involved with work on the Bill. I think it is excellent, and it is completely the right direction of travel. It is a shame that the Government doing the right thing every day does not get more publicity, even when it is not likely to grab many headlines. It is about doing the work, getting the right structures in place and moving forward productively in a cross-party way where possible. It is about securing our nation and ensuring that our economy is on a strong footing. There is everything to be said in favour of that.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
Cyber-attacks are a growing menace for British businesses. They cause chaos for all types of businesses and organisations, both small and large. The consequences of those attacks have hit our economy hard. The disruption caused by the cyber-attacks on Jaguar Land Rover, M&S and the Co-op were felt by many businesses further down their supply chains; for instance, the disruption that hit JLR resulted in a freeze for its steel supply chain, much of it in Wales.
So much of our economy relies on well-functioning digital platforms. Last year, many Lloyds bank customers found themselves unable to access money or pay their bills due to app outages, with that problem compounded by its decision to close high street branches. Yet, bizarrely, Lloyds decided still to pay its chief executive officer Charlie Nunn £5 million in 2024. I make that point to illustrate the lack of accountability we see in positions at the top of these organisations despite massive numbers of people being reliant on those services.
A successful cyber-attack often ends in people having their personal data stolen. That is why it is welcome that the Bill highlights sensible requirements to ensure that businesses properly consider supply-chain risks and their usage of managed service providers, as well as many others. On the other hand, it will be a mystery to many why sectors such as finance, food and drink and retail have not been included, particularly considering how those sectors have been hit hard recently.
The Government would clearly like to achieve security. To do that, it would help if the Bill could be improved to provide greater certainty and clarity for businesses. For instance, how are businesses supposed to manage relationships with managed service providers? For five years, I worked in the cyber-security industry, starting with the introduction of the GDPR, which happened at the same time as the original NIS directive. I found that the cyber-security sector is a well-connected community underpinned by a welcome commitment to sharing knowledge and best practice. For instance, Cyber Wales is a representative body that brings together the Welsh cyber-community. It is an industry that requires input from academia, law enforcement agencies, defence and businesses. There are clusters of success across Wales, including in my constituency. Partnerships built in academia often create spin-off companies that generate jobs. For instance, in Wales, the University of South Wales and Swansea University have done a lot to build up our local cyber-security ecosystem. As the Bill progresses, the Government would be wise to continue to consult regularly with this very engaged community.
It would be helpful to hear what sort of consultations, and how many, have taken place so far. It would also be helpful to hear the Government respond to the Information Systems Audit and Control Association’s proposals, particularly around giving regulators the power to suggest mandatory penetration testing.
The growing cyber-security sector should be a route for much needed economic growth and well-paid jobs in Wales. Many such jobs can be done remotely from anywhere with an internet connection. Recent research from Infosecurity suggests that there are 17,000 vacancies in the cyber-security industry right now, with that figure growing at 10% to 12% a year. That is a huge opportunity for a country like Wales.
Having an effective skills base is one way in which we can guard ourselves against cyber-attacks. Keeping Britain safe from cyber-attacks requires a trained workforce who can marry technical expertise with regulatory competence. I have seen in my professional experience how many people from many other sectors were able to retrain and upskill to work in cyber-security. People with experience in project management or managing processes are very capable of retraining to work in the cyber-security industry. Special thought should be paid to military veterans in particular, who are well suited to those jobs.
One of the questions for the Government should be about how to help more British people into those jobs while ensuring that our education system is equipped to help children pick the sector. That is why I call on the Government to ensure that funding is available for all schools in Wales to take part in the highly successful CyberFirst Wales scheme.
Mike Reader (Northampton South) (Lab)
I start with a story; it is a real story, but I have changed the names for obvious reasons. It was a Tuesday afternoon and I had a call from our CEO, David, who said to me, “Mike, I am jumping on a plane, but I need you to speak to a law firm we have been working with. This lady called Sandra will ring you from A&A law firm. I want you to speak to her. She will talk to you about a project we have been working on. Sorry I have not been able to read you in until now.” I think, “This is a bit strange. David’s a very busy man, but why would he ring me jumping on a plane?”
Sandra rang me, and it seemed pretty legit. We had a chat and it turns out we may know someone in common. I looked her up on LinkedIn: her firm is legit, she is there, and she has connections similar to mine. She tells me, “I need you to sign a non-disclosure agreement so we can talk to you about the opportunity we are working on with David.” I said that was fine and signed the NDA. I was sent a Teams link and joined a call with Sandra and some of her colleagues. Also on the call was David, my chief exec, whose signal was not good. He said, “Mike, I’m on a plane, but I’ve tried to join just to say thanks so much for being a part of this. We’re looking at an acquisition in your business area. I want you to work with A&A legal partners to ensure they have got the information they need. This is a real opportunity for us to grow. You know that we have been looking to grow the business.” Then his signal dropped off.
I carried on the conversation with Sandra and her partners. They started asking for information that perhaps they did not need—for example, about operational matters and how the business worked. They followed up with another call, in which they started asking for financial information about some of our clients. They followed up with another call in which they asked for financial information about the business. At that point, I thought, “I had better ring David and just make sure this is legit.” When I rang David, I found that he had no idea this was going on. Our business was being attacked through a deepfake intrusion. They had mirrored our chief exec, and used his voice for a call and his image for a Teams call. Had I—this story is actually about a friend of mine—not called my boss to say, “Is this legit?” they could have got away with goodness knows what. That seems quite far-fetched, but Arup, another big British firm, got done by a very similar deepfake scam; it lost £20 million to scammers.
I start with that real story about something that happened to one of my colleagues, because this Bill is really important. It is a framework Bill that will set out how we put in place better standards, procedures and controls, but actually where many businesses—be they data centre providers, managed service providers or those already covered by legislation—fall down is at the point when a human is in the loop. We heard from my hon. Friend the Member for Harlow (Chris Vince) about how to get the culture right, and how to ensure that people are considered in future legislation and guidance that will come off the back of the Bill. I wanted to open up and make that point, because through the Bill, we can do all we can on technical processes and procedures, but it is really important that we focus on the human in the loop and the human aspect, as that is often where these major attacks start.
I am really pleased to support the Bill. Cyber-security and cyber-crime impact our daily lives. I will not repeat the stats, which we have heard from many hon. Members on both sides of the House. They impact the businesses that support our economy, our public services and our banking sector—things that we use every day. It is therefore right that the Bill has been brought forward, although there was a considerable delay following the work done in 2022 by the previous Government. I am pleased that the Bill seems to have cross-party support.
The Bill recognises that attacks involve a wide range of methods, and may involve data centres, outsourced IT providers and complex supply chains working in the sector. That is critical for my constituents in Northampton, who are on the northbound data super-highway from London. In the last six months, we have heard announcements of over £1 billion of investment in new data centres, in both the public and private sectors. I thank the Minister and his Department for all their hard work in securing that investment, which will create new jobs in my constituency. Without improved regulation and clarity, that investment remains slightly uncertain. The Bill will definitely improve that clarity and certainty for the sector, as well as for the many businesses in my constituency that rely on a managed service provider for their IT or provide data centres. That is particularly important for all hon. Members, because the control centre that looks after our security is in my constituency. That data security is therefore particularly important for our personal wellbeing.
I have also looked at this issue from the perspective of the many businesses in my constituency who use managed service providers for their IT. They include large businesses. In my previous business—a business of 7,000 or 8,000 people—an MSP provided our help desk; when I had a problem, I would ring it up. The inclusion of managed service providers is critical to give us better protection and improve standards and resilience, and therefore reduce burdens on the businesses that use them, particularly their cyber insurance costs. I have two asks of Government on this. First, as other Members have done, I ask that we do this proportionately, as change in this area may have a considerable impact on small businesses—both on their MSP costs and their direct costs. I also ask that we work hard to consider how the legislation works with international law, particularly as my experience is that a lot of MSPs, such as HelpDesk, use overseas workforces.
I welcome the stronger reporting requirements. I recognise the point made by the hon. Member for Bromsgrove (Bradley Thomas) about his ten-minute rule Bill on regulation and reporting. From a business perspective, as long as there is clarity—the Bill sets out that there will be greater clarity for business—we get honesty, trust and a business environment in which people understand what they have to do and when they have to do it. The Bill moves us towards that.
I also welcome the much stronger enforcement powers in the Bill. That sends a real message to criminals that there are significant risks to them. To businesses, I say that money talks, and when there are stronger enforcement risks to someone’s business, all of a sudden cyber-security ends up higher up the corporate risk register.
As the Bill is implemented, I ask for genuine consultation with industry. It is particularly important to note that this is a framework Bill.
Kit Malthouse (North West Hampshire) (Con)
The hon. Gentleman is making a very interesting and pertinent speech. I hope he will welcome the fact that the Bill strengthens the requirement on companies to not only look at prevention but have an adequate recovery plan. Does he think that there is adequate sanction in the Bill for those companies that are deemed not to have an adequate recovery plan? My reading is that regulators cannot necessarily fine for a negligent recovery. As the hon. Gentleman said, the human factor so often matters, but surely that matters as much in recovery as it does in prevention.
Mike Reader
I think the Bill goes some way on that, and it is clear that future legislation and guidance will start to frame those issues. There are other ways that we can drive businesses to improve their business resilience planning. It is part of the standard Government procurement process to require business continuity planning to be demonstrated, and many large businesses in our constituencies will be trying to transact with Government, whether local or national, with the NHS or others. Business resilience is also required at other times when the state interacts with business; I think of procurement particularly. My background is in one of those key areas.
I was just saying to the Minister that one concern I have is that this is a framework Bill. There is to be a lot of future guidance, so we need continued consultation—this message has been made by others as well—so that the standards are really clear. The legislation was getting quite messy. We want to make it a lot clearer. We want to be really clear with business, and we want to give organisations early notice, so that they can adjust, rather than springing this on business as we push to address a real threat that has been recognised right across industry.
I come back to my original point: we should consider the human in the loop. When we set guidance and requirements, we should look at how businesses think about the human aspect, as well as the technocratic solutions that would be in a business continuity plan or similar. This is a necessary Bill. I support its aims and focus. It signals real confidence to the market—to those already operating in it, and to those who are coming to invest in great places like Northampton, to build the data centres and other infrastructure that we need.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
I refer the House to my entry in the Register of Members’ Financial Interests. I commend my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Exmouth and Exeter East (David Reed) for their excellent speeches. I particularly associate myself with their comments on the Computer Misuse Act 1990 and the need for an extension to our cyber-skills in this country. Before entering this place, I worked professionally in cyber-security and operational resilience, advising businesses of all sizes on how to reduce the risk of cyber-attacks and helping them to understand how far-reaching the consequences of a cyber-breach can be from a commercial perspective, and not just a technical one.
I am vice-Chair of the Business and Trade Committee, and we have heard direct evidence for our report on economic security from Marks & Spencer, Co-op and Jaguar Land Rover, all of which suffered catastrophic breaches last year. Although the attacks were different in form and impact, as the shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), said, they shared a common feature: they were driven by social engineering, not technical failure. Human access was exploited, trust was abused, and controls failed further up the chain. The outcomes, however, were very different.
At Co-op, a more modern, secure-by-design IT infrastructure enabled an early containment strategy, limiting the impact on customers, stores and the bottom line. Marks & Spencer, which had not prioritised early replacement of legacy infrastructure, suffered months of major disruption to customer-facing services and retail logistics. The financial impact alone for M&S is in the region of £300 million, or 45% of its prior year pre-tax profits. Jaguar Land Rover was in a different category altogether. There, the attack cut into operational technology systems tightly integrated with manufacturing operations, bringing production lines to a standstill and disrupting just-in-time supply chains. That shutdown cascaded far beyond a single company, directly impacting numerous suppliers in the midlands regional economy, as many Members have already mentioned, as well as contributing to a measurable fall in UK GDP, estimated to be in the region of £2 billion.
Those cases demonstrate that cyber-risk manifests in three ways: operational risk, financial risk and reputational risk. Too often, even at FTSE level, businesses and boards fail to grasp that this is a potentially devastating combination. I hear the same message repeatedly from industry, including at the Financial Times Cyber Resilience Summit in London, where I spoke at the end of last year. There is frustration from CISOs—chief information security officers—and security vendors that it can be difficult to develop conversations with boards and audit chairs to assign the appropriate resources and strategic prioritisation. Businesses accept that standards must rise, but they want regulation that is targeted, proportionate and focused on prevention, rather than paperwork.
The Bill does some things well. Updating the 2018 NIS framework, expanding coverage where it is genuinely needed and strengthening enforcement powers are all sensible in principle. Faster incident reporting has value, but reporting alone is not resilience. There are gaps that matter. First, the Bill does not go far enough on governance. Cyber failures are governance failures. Responsibility sits not only at board level, but clearly and specifically with chairs and audit and risk committees, yet the Bill stops short of driving meaningful accountability there. Without that pressure, cyber will continue to be delegated downward to IT and operations teams, rather than being owned at the top.
Secondly, there is a risk of confusing activity with preparedness. Increasing reporting obligations after an incident does nothing to prevent the incident from occurring. Prevention is always better than cure, and this legislation needs a stronger emphasis on baseline capability, risk maturity and early intervention.
Thirdly, we must be careful about cost, capacity and particularly enforcement. The implications for SMEs are significant, particularly those that are pulled into scope through supply chains. At the same time, regulators cannot enforce what they are not resourced to oversee. Without credible enforcement, the Bill risks becoming a paper exercise and boards will respond accordingly.
Fourthly, the Bill needs to recognise the connection between, and draw a clear distinction between, IT and operational technology. What works for enterprise IT systems may be inappropriate or even dangerous in OT environments such as manufacturing, critical national infrastructure, energy and logistics. Segregation, architecture and the configuration of security devices must be assessed. Risk profiles differ; controls differ. That nuance matters.
I want to be clear that the Opposition support the aims of this Bill in principle. Cyber-resilience requires a whole-of-society approach involving Government, regulators, businesses and boards working together, but if this legislation is to drive real change, it must be enforceable, proportionate and grounded in how organisations actually operate. Boards and audit committees must feel the weight of responsibility, regulators must have the tools and resources to act, and prevention must be prioritised over post-incident form filling. The National Cyber Security Centre has produced clear, practical guidance for boards, and that should sit at the heart of our approach. We need smarter regulation, properly enforced, not just more of it.
Amanda Martin (Portsmouth North) (Lab)
I want to start by saying happy new year to you, Madam Deputy Speaker, to the staff, to all in this House and to the residents of Portsmouth.
I thank the Minister for his introduction to the Bill and for highlighting some of the major concerns that cyber-insecurity has caused and continues to cause for this country. I welcome the Cyber Security and Resilience (Network and Information Systems) Bill because it reflects a clear change of direction under a Labour Government, moving from a fragmented and often reactive approach to a cyber-security approach that is strategic, cross-Government, resilient and focused on national capability and everyday solutions. We have heard it said many times in this House that the first duty of any Government is to protect their citizens, and in the modern world that duty must extend to the digital systems we all rely on.
Cyber-attacks now pose a daily threat, not just to Government systems but to the livelihoods and security of people in Portsmouth, where major employers, manufacturers, ports and supply chains are attacked and the consequences are immediate and personal. Production can stop overnight, wages can be put at risk and sensitive personal data can be exposed. Constituents in my city who work for, supply or depend on companies such as Jaguar Land Rover have seen this reality at first hand. When large engineering, retail and manufacturing firms are targeted, the impact ripples far beyond their head offices, reaching workers on the shop floor, contractors, small local suppliers and customers whose orders are delayed or cancelled.
For a city like Portsmouth, which is built on defence, maritime work, engineering skills and complex supply chains, cyber-resilience is not an abstract policy or a technical exercise; it is about protecting jobs, safeguarding family incomes, maintaining confidence in the systems that keep our city working, ensuring the security of the public services people depend on every day, and ensuring that our city’s residents are kept safe. Portsmouth city council has been a target. In late 2024, its website was hit by a cyber-attack called a distributed denial of service—DDOS—attack by a pro-Russian hacking group. The attack made it difficult for residents to access council services online for a period of time. Fortunately, no personal or council services were compromised, but the attack demonstrated that even local public infrastructure in places such as Portsmouth is a target for cyber-actors. This is not just an abstract risk.
Local crime statistics show that cyber-crime is a lived experience for Portsmouth residents. About 16% of residents reported experiencing cyber-crime in a 12-month period, including phishing attempts, online fraud and accounts being hacked. As my hon. Friend the Member for Harlow (Chris Vince) noted, not all these crimes are reported as people feel embarrassed, alone or foolish. That is how these crimes continue to proliferate through our society. Local police crime figures also show significant levels of harassment, malicious communications and other online offences that are often instigated through cyber-attacks. These are not just techie problems; they translate into financial losses, practical inconveniences and, most alarmingly, psychological harms and in some cases people attempting to take their own lives because of the damage that has been caused.
Yes, there is an economic cost to cyber-crime, but there is also a human cost, and that is why this Bill matters. It modernises the UK cyber-security framework by strengthening baseline requirements, improving instant reporting and extending protections to a wider range of essential services and supply chains. Its three pillars are welcome. It recognises that weaknesses in one organisation can rapidly cascade across the entire economy, whether it is through the actions of cyber-criminals or hostile foreign actors. It recognises that cyber-crime is real and its effects devastating.
This is not just about big business; as we have heard, cyber-attacks disrupt NHS appointments, threaten energy and water supplies, and prevent people from living their daily lives. Last year alone, 11,000 NHS appointments were lost due to cyber-attacks, and since 2024 at least five direct cyber-attacks have been targeted at UK water supplies—one of them targeted at Southern Water. In 2025, it was reported that 62% of UK energy organisations experience cyber-attacks.
Crucially, Labour recognises that cyber-security is not only a technical issue, but a workforce and economic one. Clearer standards and stronger oversight give businesses the confidence to invest, raise resilience across the economy and ensure that organisations are not left to face increasingly sophisticated threats alone. The Bill rightly ensures that breaches are reported swiftly within 24 hours, because pace and speed are vital if we are to minimise the domino effect of cyber-crime.
The Bill rightly gives regulators the flexibility and powers they need to act as new threats emerge. That comes with the assurance of resources and transparency, as well as a more consistent strategy, evidence and wider clarity. That is particularly important for Portsmouth. Our city is home to the Royal Navy, with one of Europe’s most significant naval bases sitting alongside a major commercial port, advanced engineering and manufacturing activity and a university that recognises expertise in cyber-crime and digital security. When our city was blitzed in the second world war, we could see it and act on it. Cyber-crime needs to be brought into the light in the same way, so that we can all act on the attacks that are happening and create a different culture in which people do not hide and are not embarrassed to say what has happened to them, their businesses or their community.
Portsmouth already plays a vital role in our national security and industrial base. It is not just a target, but a part of the solution. I am proud that the University of Portsmouth is recognised as a centre of cyber-expertise, with leading research and collaboration on cyber-crime, digital security and economic crime. Its centre for cyber-crime and economic crime brings together multidisciplinary experts studying cyber-crime courses, prevention and resilience, and it works with community groups, schools and local businesses to raise awareness and protect people from cyber-crime. The university also conducts advanced research into cyber-security systems and threat detection through computing and behavioural science, helping to develop real-world solutions that improve organisation and national resilience. These efforts not only support local households and employees, but grow the skilled cyber workforce that the UK needs, which links directly to the economic and security objectives of the Bill.
The Bill lays the foundations for a more secure and resilient Britain, and I am pleased to support its Second Reading. In doing so, I seek reassurances and clarity from the Minister on four key points. First, how will the whole of Government work together to ensure that Portsmouth, with its defence, maritime and manufacturing base alongside thousands of small businesses, local services and the public sector, is supported to benefit fully from the Bill? Secondly, how will the Government work with and reach all employers to strengthen knowledge and skills, long-term economic resilience, accountability and responsibility? Thirdly, how will the Bill be linked to investment in cyber-skills and training, so that we are not left without the people needed to make the changing world an easier place to live?
Finally, how can we ensure that this is just the start of the conversation? How can we use the Bill to help change the culture around cyber-attacks so that individuals and organisations can, yes, take responsibility and ownership, but in a supportive environment, rather than one that lays blame? How can we as MPs across the House encourage openness among our constituents, small businesses, large employers and the public sector alike, so that together we can carry out the Government’s first duty, which is to protect their citizens in a modern, ever-changing world?
Ben Lake (Ceredigion Preseli) (PC)
It is a pleasure to speak on Second Reading of the Bill. I am very pleased to say that I support the Government’s introduction of the Cyber Security and Resilience (Network and Information Systems) Bill and welcome it as a very important first step in strengthening the protections of the UK’s critical national infrastructure and because it addresses many of the gaps that have been identified in numerous implementation reviews in recent years.
Other right hon. and hon. Members have made the point that the risk and harm inflicted by cyber-attacks are significant and very real. Others have cited their impact on a whole host of businesses and industrial sectors and on society. We have heard about the harm inflicted on NHS services, for example, and many Members have referred to the attacks on JLR, the Co-op and Marks & Spencer. The impact that the attacks had on not only those businesses, but the wider supply chains and local economies, is significant. As the Minister said when he opened the debate, it is estimated that some £14.7 billion is lost to the UK economy annually due to cyber-attacks, which is the equivalent of 0.5% of GDP, so it is right that the Government act to address these risks and harms.
In doing so, the Government comply with one of the calls of the strategic defence review, which stated that the world has changed and, in listing the other, more conventional threats that the country faces, specified that daily cyber-attacks at home are something we need to take very seriously. The Government are right to bring forward the Bill. As other Members have made very clear, the nature of cyber-crime and cyber-attacks and the threat that they pose are ever evolving, so I have a great deal of sympathy with the Government as they endeavour to keep up with what is a very rapidly developing industry and nature of threat.
Although I support the Bill and look forward to working with Ministers as it passes through the House, there are two points on which I would welcome clarity or further consideration by Ministers. A few Members have mentioned the importance of looking at our cyber-resilience in a more holistic manner. Although technical security and safety are very important, and the Bill goes a long way to addressing those matters, it could perhaps be strengthened by looking at our digital sovereignty. Other Members have made the important point that we need to consider supplier concentration in this field and domestic capability. If we fail to do so, we risk long-term dependency.
There are a few examples that I could draw on, but I will use that of Microsoft deciding to suspend the use of some of its services for justices in the International Criminal Court. I am not saying that Microsoft is going to threaten the UK Government or any of our services, but that example illustrates the risk that if we, or aspects of our economy or businesses, are overly dependent on certain suppliers, we are vulnerable. It is right that the Government have a way of preparing contingency plans for that or, at the very least, that they consider the potential impact of over-dependence on certain suppliers.
I wonder whether that consideration could be included as part of the statement of strategic priorities that part 3 of the Bill stipulates will be made by Ministers. The statement could then look not only at technical security as part of its cyber-resilience approach, but at digital sovereignty and domestic capability. In that regard, it would be not too dissimilar to some of the efforts we are starting to see from European partners. France and Germany are starting to undertake similar strategies and reviews of their domestic capability and potential over-reliance on certain suppliers.
My second and final point is to seek clarity from the Minister when he sums up on the directions to certain bodies and persons for national security purposes in part 4 of the Bill. If we accept that the nature of the cyber-threat and the risk to cyber-security are ever evolving, it will be impossible for any one piece of legislation to encompass all the possible dangers we may face. In order to try to future-proof the Bill, especially against national emergencies or crises, I wonder whether Ministers should consider even further last-resort powers, particularly to enable them to direct the shutdown of any domestic data centres or AI systems in the event of a security or operational emergency. I ask that because I am not entirely clear whether the powers already listed in the Bill allow Ministers to do that. If they do not, I ask the Government to consider such powers, so that they are able to intervene appropriately in the event of a future national crisis or emergency caused by AI systems in particular data centres. Such events could cause large-scale harm to the public, especially in the very rare but hopefully unlikely scenario in which the designated persons who are otherwise responsible for those systems refuse to co-operate with the Government.
Having raised those two points, I wish to underline my support for the Government’s efforts in this regard. I very much welcome the Bill and its Second Reading.
Emily Darlington (Milton Keynes Central) (Lab)
I welcome the Bill and the cyber action plan for public services, which was published today. As we have heard from right hon. and hon. Members’ many great speeches today, this is so important to the UK economy and public.
Despite being one of the smaller countries in the world, we are still one of the biggest targets for cyber-attacks. In the past 12 months, there has been some good news: only four in 10 businesses and three in 10 charities have had cyber-security breaches—the figures are down on the previous year. However, there has been a huge increase in nationally significant cyber-incidents, which have more than doubled in the past year, including the malicious cyber-attacks on critical infrastructure by Russia and China.
These matters are important to companies based in Milton Keynes Central, where one in three jobs are in technology. Milton Keynes is a leader in the development of AI and tech services, including in legal services, financial services and autonomous vehicles. Those companies have experienced cyber-attacks, so the Bill is very welcome. The difficulty is that it misses a huge portion of the discussion, and Ministers have somewhat neglected to mention sovereign technology in their comments or in the strategy. I hope that they will do so in the wind-up.
One role of sovereign technology is to fight cyber-crime. There are many definitions of sovereign technology, so what does it actually mean? To me, most of the public and the industry, it means UK innovation and technology. It is developed in the UK and is UK-owned intellectual property. It means a company paying UK taxes. Most importantly, it means a UK company being accountable to the UK. The Government have talked a lot about their commitment to developing and securing sovereignty, but that needs to be extended to all critical technology and infrastructure. Not only is that important in cyber-security terms, but it has other advantages, too: it is good for the economy, creates innovation and sets the highest standards, and it thereby gets public support and confidence and achieves small business support for absorbing the innovation. It achieves growth by creating not only UK customers, but—ambitiously—worldwide customers.
The Government have done that quite well in the past. They have created safe and secure solutions. Crown Hosting Data Centres is a really good example of a joint venture between the Government and Ark Data Centres. Unfortunately, only 3% to 4% of Government servers actually use it, and we must ask why. What are we doing to promote safe and secure solutions in the UK that would help us to fight for cyber-security and ensure that it is promoted across the public sector, and to ensure that those solutions gain support in the private sector? Instead of using Crown Hosting Data Centres, many are using ones run by foreign firms with securities and standards developed outside the UK. Outages at Amazon Web Services in cloud hosting have cost business millions.
Let us look at other areas where the public rightly worry about cyber-attacks and cyber-security, such as NHS data. We have heard about the impact of cyber-crimes on the NHS and on lives, but it also impacts public confidence. Palantir has a £330 million contract to bring together all NHS data. That is a fantastic initiative and really important, and the public support it because they do not want to have to repeat their health story to each and every doctor, nurse or other health professional that they meet. The difficulty is that using a foreign firm with some questionable alliances has led to an erosion of public trust and to a lack of trust among doctors, slowing the take-up of this important innovation in NHS services. That is partly because the co-founder of Palantir called our pride in the NHS “Stockholm syndrome”. Unfortunately, he misunderstands the very body to which he is selling services and is thereby eroding public trust. I know many UK firms that could have done just as good a job—and probably better, because trust among the public and doctors would have increased.
We hear that Palantir has just won a £240 million contract with the Ministry of Defence for
“data analytics capabilities supporting critical strategic, tactical and live operational decision making across classifications”.
Again, it is hugely important that we are using the latest technology to promote our MOD and that we are tying all that up. I do not think anybody in this House has concerns about the MOD making these kinds of investments; it is who we choose to partner with that drives the concern.
As I have already argued, the reality is that cyber-security has to be UK-focused. We have to protect our national interest and ensure that our partners put our national interest and cyber-security first and foremost. The views of organisations such as Palantir on the NHS and its integration into US Immigration and Customs Enforcement—otherwise known as ICE—lead us to worry that it does not share UK values. It creates a strategic vulnerability. That is what the sector is saying to us, and we should listen to it. Cyber-security is not just about reporting; it is about the investments we make ahead of time. Imagine if those two contracts and their economic opportunities had been given to UK firms. There would be enhanced UK-based cyber-security and greater confidence in our most critical areas of health and the military.
Let me raise another example which, if The Daily Telegraph is correct, I am sure will raise significant public trust concerns. It has reported today that the Government are considering using Starlink for the emergency services network, replacing the existing radio set-up that is used by ambulances, police and the fire service in an emergency—our most critical infrastructure. This company is controlled by a man who has shown his willingness to turn off satellites in Ukraine at his own political whim.
Cameron Thomas (Tewkesbury) (LD)
The hon. Lady is making a really important point about Elon Musk’s Starlink system, but will she go a little further and recognise that not only has Elon Musk switched off Starlink in Ukraine at will, but he has done so on occasions that might have turned the tide of the war?
Emily Darlington
I thank the hon. Member for raising that point. It is important to note that Elon Musk turned off Starlink at very strategic points for the Ukrainian military when it was advancing on Russian-held territory. It is not just that he chose to turn it off; he chose to turn it off at a critical time for the Ukrainian military. I worry that somebody who chooses to do that, and who encourages violence among the UK public at a far-right rally, at which he said,
“Whether you choose violence or not, violence is coming to you. You either fight back or you die”,
is not an appropriate or safe partner for our emergency services.
I absolutely support the comments made by my right hon. Friend the Member for Oxford East (Anneliese Dodds) about transparency, and about some of the actions being taken by those who have been willing to stand up to these companies and demand transparency. While that is probably not the subject of today’s debate, I think we must take those actions as a warning for what is to come.
I welcome the Bill and the action plan, but to truly make the UK safe and secure from state-sponsored or criminal cyber-attacks, we need to ensure that there is a UK sovereign infrastructure, capacity and capability. The Government can lead the way through their own procurement practices by making sure we are partnering with UK sovereign firms. That is good for security, good for protecting us against cyber-attacks, and good for the economy and public trust.
Andrew Cooper (Mid Cheshire) (Lab)
It is a privilege to follow my hon. Friend the Member for Milton Keynes Central (Emily Darlington), who made a fantastic speech. I do not think mine will be of quite the same quality, but I will do my best.
Having spent my career prior to entering this place as a software developer, it is perhaps not so much a pleasure as a blast of nostalgia to be speaking on this Bill today. The Bill provides for an important and long-overdue update to the NIS regulations, and provides the means to keep those regulations up to date more quickly as new threats emerge. That was a massive gap in our capability left behind by the rather haphazard and cavalier manner of our departure from the EU, and it is absolutely right that we resolve it as soon as we can.
It is a cliché to say that the nature of the threats we face has changed. Whether it is state-sponsored cyber-attacks, hacktivism, identity theft or ransomware attacks, those threats can have a widespread and significant impact on people’s lives, on the wider economy, and on our safety and security. Many Members from across the House have noted the cyber-attack on Jaguar Land Rover —which led to that company posting a loss of £485 million last year and, as I think we heard earlier, to a £2 billion impact on the wider economy—and the Co-op infiltration, which cost that retailer at least £206 million. However, this is not a new issue, and virtually no area of the economy has not experienced attempts to penetrate its systems and cause disruption or steal data.
Cameron Thomas
The hon. Member speaks of the cyber-attacks on Jaguar Land Rover and the Co-op. Those who pay council tax to Gloucester city council have concerns that following a Russian cyber-attack in 2021, that council recently discovered a £17.5 million deficit. Will the hon. Member recognise that too?
Andrew Cooper
I thank the hon. Member for his intervention. I confess that I am not an expert on the IT of Gloucester city council, but I am sure the Minister has heard his intervention, and may wish to respond in his summing up.
I welcome the measures in the Bill to bring managed service providers and data centre infrastructure into scope. When I began my career working on hotel reservation systems, legacy on-premise infrastructure was the standard operating practice. Some organisations would develop their own line of business systems and some would buy in, but virtually all would be hosted on their own servers, often with clever names such as Spartacus, Xena or Buffy the Vampire Slayer—names that I worked with over the years.
That situation changed for a whole pile of reasons, such as the need to support more public access, the requirement to facilitate more home working, huge increases in the speed of domestic and business broadband, the need to provide failover, redundancy and scaling, the shift away from big capital investment towards infrastructure as a service, and wanting to benefit from more rapid roll-out of features and applications that require significant server infrastructure behind them, such as we have seen more recently with AI. Systems have been moving virtually wholesale to those that are managed remotely and sandboxed to multiple organisations, and towards virtual servers or services in data centres, rather than on-premise tin.
Bringing these two areas into scope is obvious, and it is long overdue. I offer a note of caution about this part of the Bill, and it relates to the threshold at which the regulations apply. For managed service providers, we need to ensure that we are providing appropriate levels of cyber-security without blocking new entrants to the market. That applies to critical suppliers, too. The risk is that we end up boosting the hegemony of the big outsourcers and IT suppliers, rather than being able to support new domestic entrants. There is a risk of vendor lock-in, as we have heard several times today. Equally, the threshold on data centres appears to have been set so high that only larger ones will be in scope. I hope that the Minister will keep both of those points under review as the Bill progresses and think about how we can strengthen this provision to strike the right balance.
The other area of the Bill that I want to talk about relates to the regulators. The Minister set out in his opening remarks why he believes a sectoral approach is appropriate, and there is merit to that argument. Sectoral regulators have deep, long-standing institutional knowledge and they understand how the processes work in their sector. However, as I touched on earlier, the consequences of failure are enormous, with real-world impacts on people’s everyday lives. We should not expect an overarching cyber regulator to have the domain-specific knowledge of the water sector or the air traffic control sector, and nor should we expect every sectoral regulator to carry the expertise of how modern scalable data centres that detect faults automatically and automatically failover to different regions or different jurisdictions work. We just need to think about what the priority of an individual sectoral regulator will be, because it will not necessarily be cyber-security. We have to get the balance right, and we need to listen to the sectoral expertise on that.
In conclusion, this Bill is an important and long-overdue update to the UK’s cyber-security framework. I look forward to working with the Government to get the scope and scale of these regulations right and to ensure that all the systems that we rely on every day are secure in the face of current and emerging threats.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
The cyber Bill should be one of the most fundamentally important pieces of legislation the House will consider in this Parliament, because the UK’s cyber-resilience is a cornerstone of the foremost duty of Government: the protection of the people.
The shadow Secretary of State has already made clear that His Majesty’s official Opposition appreciate the urgent need to act to protect our society, our economy and our security in the face of growing and evolving cyber-security risks. The cyber Bill, however, is a Bill of missed opportunities. It would not have stopped the JLR or Marks & Spencer cyber-attacks. It is silent on the threats from hostile state actors, and it does not answer the fundamental question of: if NIS1 was not enforced, what difference will further regulations make?
Cyber-security is key to our national security. It is too important an issue to play partisan politics with. As a responsible Opposition, we will work with the Government to get the approach to this legislation correct.
Many Members have made insightful contributions today. My right hon. Friend the Member for Hertsmere (Sir Oliver Dowden), who has great experience in this regard, raised the issue of hostile state actors and gave the Ministers some practical advice on which I hope they will reflect. My hon. Friend the Member for Exmouth and Exeter East (David Reed) spoke about his professional experience and about the need for proportionate regulations and modification of the Computer Misuse Act 1900, which was mentioned by several other Members. My hon. Friend the Member for Bromsgrove (Bradley Thomas) made an important point about physical technology and the risk of threats from cellular modules. My hon. Friend the Member for Bognor Regis and Littlehampton (Alison Griffiths) also spoke about her own experience and, in particular, about the importance of the Government’s ensuring that the Bill has an impact. The hon. Member for Ceredigion Preseli (Ben Lake) mentioned digital sovereignty, another important issue which we have discussed on many occasions in this place.
We also heard from the hon. Member for Warwick and Leamington (Matt Western), the Chair of the Select Committee; from the hon. Members for Newcastle upon Tyne Central and West (Dame Chi Onwurah) and for South East Cornwall (Anna Gelderd); from the right hon. Member for Oxford East (Anneliese Dodds); and from the hon. Members for Congleton (Sarah Russell), for Northampton South (Mike Reader), for Portsmouth North (Amanda Martin), for Milton Keynes Central (Emily Darlington), and for Mid Cheshire (Andrew Cooper).
The gravest and the most pernicious risks to UK cyber-security go completely unaddressed by this Bill. Cyber is the emerging battlefield of state security, with hostile state actors ramping up their efforts to disrupt our society, our economy and our democracy apace. Time and again in this Parliament, the Government have baulked at acknowledging the elephant—or, in this case, the dragon—in the room when it comes to matters of national security. Last year the director of GCHQ, the UK’s intelligence and cyber-security agency, confirmed that it devotes more resource to China than any other single mission.
The evidence is clear: the Chinese Communist party is one of the greatest national security threats that our country faces. In November last year, Mr Speaker took the exceptional step of circulating a briefing from MI5 warning of the widespread efforts of individuals and organisations working on behalf of the Chinese Ministry of State Security to target Parliament for intelligence gathering. In the intervening weeks we have learned that Home Office systems were accessed, apparently by a Chinese state-affiliate group. Reports have circulated that the attack is linked to the Chinese gang Storm 1849, previously connected with cyber-attacks on MPs and the Electoral Commission. Furthermore, in December 2025 the Government confirmed that they had sanctioned two Chinese companies for perpetrating what they described as indiscriminate cyber-attacks on the UK public and private sector IT systems.
These are not isolated incidents. They are evidence of a concerted and intensifying campaign on the part of the Chinese Communist party and its affiliates to undermine vital public services and UK businesses. How our country, and how our democratic allies and partners, face the threat of hostile state actors, working in concert, is an epoch-defining challenge. It is a challenge that we must meet, or we will live to regret it.
It is no coincidence that several recent cyber-incidents have targeted organs of Government, with malicious actors rightly perceiving that many of our Departments are the weakest links in the cyber-security ecosystem. The National Audit Office’s 2025 report on Government cyber-resilience laid bare the inconsistent, and in some cases glacial, progress of the Government in making effective improvements in cyber-resilience. Last month’s attack on Home Office IT systems is a stark reminder of the urgency of improving Government cyber-security. His Majesty’s official Opposition have received a clear message from cyber-industry stakeholders: the Government should be leading from the front and setting the standard for effective cyber-resilience. I am pleased that the Government managed, at the last moment, to push out the cyber action plan today. It acknowledges the challenge, but how it will ensure that change is delivered is unclear.
Attacks on household names such as Jaguar Land Rover, Marks & Spencer and the Co-op have raised public awareness of the risks we face, with consumer supply chains interrupted and jobs put in peril. However, the Bill would not have prevented those attacks had it been in force when they took place. Given the constraints on public finances as a result of the Chancellor’s reckless Budget decisions, the Government need to ask themselves how many cyber-attacks of the magnitude of that on JLR we can afford to bankroll. The Government must undertake an urgent review to identify companies whose failure as the result of a cyber-attack would present a comparable risk to the UK economy to that on JLR.
Failing to address all the urgent problems will leave an open goal for malicious cyber-actors to undermine the UK’s security and prosperity. The House is unlikely to revisit cyber-security legislation for some time. The threat to our economy and national security from malicious cyber-actors is one of the most serious we face as a country.
In the parliamentary debate after MI5’s China espionage briefing, the Minister for Security pledged to strengthen the legislative tools available to disrupt the threat. Why not use the opportunity presented by the Bill to address that head-on? We stand ready to work with the Government to stand up for and protect our country, and to prevent the Bill from becoming yet another missed opportunity.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
First and foremost, I thank all Members for their contributions to the debate. I am glad that the House has welcomed the Bill, with deep expertise shown by Members on both sides of the House. Of course, Members have asked questions and I will try to share the Government’s approach. Before that, let me set out what is at stake.
The UK is the most cyber-attacked country in Europe. In 2024, more than 600,000 businesses were subject to a cyber-attack, the average cost of which was just over £190,000. The cost of cyber-attacks to UK businesses in aggregate is estimated to be £14.7 billion a year. The personal experience of my hon. Friend the Member for Northampton South (Mike Reader) is on my mind, as well the facts that my hon. Friend the Member for Warwick and Leamington (Matt Western) shared, such as the most common password in this country being “password”, and, indeed, the comments of my hon. Friend the Member for Mid Cheshire (Andrew Cooper) about Buffy the Vampire Slayer being an effective name deployed in some contexts. The combination of aggregate impacts and such personal experiences is the motivation for the Bill.
National security is the first responsibility of any Government. Cyber-threats have grown and the previous Government failed to move fast enough in the light of that. This Government are acting robustly to ensure that the British public are secure. The big message is, “Let’s ditch legacy systems and platforms and move to a more secure future.” We have done that by ditching the Conservative party; it is time to do it across our economy.
Let me deal with some of the themes that hon. Members raised, especially threats from AI that will emerge in future. The right hon. Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Congleton (Sarah Russell) mentioned those threats. AI will almost certainly continue to make elements of cyber-intrusion operations more effective and efficient, and cyber-threats more frequent and intense. That is why it is important that organisations take steps to bolster their cyber-defences. Under the Bill, organisations must have regard to the state of the art when maintaining the security of their network and information systems. That applies not only to cyber-defences, but to cyber-threats.
The right hon. Member for Hertsmere mentioned agentic AI, and I am conscious that it will be a particular risk. A significant source of mitigation must be the quality of our capability in the private sector, but also in the public sector. I pay tribute to the work of the AI Security Institute, which is right at the frontier of understanding the risk of agentic AI.
Several Members asked questions about scope. Of course, there is a significant risk across our economy, but we have chosen to focus, as NIS regulations have historically done, on essential services, the failure of whose network and information systems poses imminent threat to life to the British public. For that reason, the scope of the Bill is tight. That is not to say that other businesses should not do a great deal to protect themselves against cyber-attacks. However, the Government need assurances that the resilience to cyber-attack of essential services, the disruption of which would have the most profound consequences for public safety, national security and economic stability, is prioritised. Of course, businesses outside the scope of the Bill should make it a critical business priority to gain the same assurance without the need for as much Government intervention.
I am aware of the points made by my hon. Friends the Members for Lichfield (Dave Robertson) and for Warwick and Leamington, the Chair of the Joint Committee on the National Security Strategy, as well as by my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), the Chair of the Science, Innovation and Technology Committee, on Jaguar Land Rover. In that instance, the Government acted swiftly in exceptional circumstances by providing a £1.5 billion loan guarantee to protect jobs, support businesses in the supply chain, and preserve this vital part of British industry. However, as the hon. Member for Exmouth and Exeter East (David Reed) noted, that should not be the expectation on Government; businesses must look to their own defences as a matter of corporate responsibility.
Kanishka Narayan
I might just make a bit of progress.
My hon. Friend the Member for Warwick and Leamington mentioned the food sector and food retailers, given recent attacks. Following the attacks on Marks & Spencer and Harrods, my hon. Friend the Minister for Food Security and Rural Affairs has written to and engaged deeply with the chief executive officers of major food retailers to advise on how the food sector can best protect itself from cyber-threats.
There is a broader question about sectors that are not regulated by this Bill, which has been raised by numerous Members from across the House. The fact that a sector is not regulated under the Bill does not mean that organisations in it cannot protect themselves against cyber-attacks. As I said, the Bill is not designed to cover every sector. Where sectors are covered by existing regulations, and where the Government do not consider it essential to regulate a sector through the Bill, we have taken a proportionate approach. Introducing blanket coverage for whole new sectors would create extensive regulatory burdens for more of our economy, stifling economic growth. At the same time, this Bill will enable the Government to bring more sectors into scope in the future, and to take swift action if national security is at risk.
The Bill sits alongside a series of actions that the Government have taken. I highlight in particular the fact that the Government have written to UK businesses and trade bodies across sectors to make sure that they are embedding cyber essentials across their supply chains, that they are making cyber-resilience a board-level priority, and that the NCSC’s early warning system and advice is heeded.
Both Conservative Front Benchers, the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted (Victoria Collins), and my hon. Friend the Member for Congleton spoke about coverage of the public sector. The public sector requires a significant step change in cyber and digital resilience. As has been mentioned numerous times, today we have published the Government’s cyber action plan, backed by £210 million of investment. The plan takes decisive action and holds Government Departments accountable for their cyber-security and resilience, as well as providing them with more direct support and services, and co-ordinating responses to fast-moving incidents.
I will take up the point made by the right hon. Member for New Forest East (Sir Julian Lewis) about the juiciness of local government digital provision. I share his enthusiasm. The Government’s cyber action plan takes into account wider Government and public sector coverage. In fact, it strengthens, clarifies and joins up how lead Government Departments hold the wider public sector, including local government, to account for improved and equivalent cyber-resilience.
I will make an observation about the points raised about not just reporting and assessment, but recovery and resilience. I flag to hon. Members from right across the House that our proposals for security and resilience requirements are being prepared for secondary legislation. They will align with the NCSC’s cyber assessment framework, which relates to effective response and recovery. A consultation is likely in the year ahead.
There were a series of questions and comments about regulators, and proportionate and effective regulation. The Bill allows regulators to make sure that they are well resourced to carry out their duties, and can charge reasonable fees to cover more of the cost of their activities under the regime. It will enhance the regulators’ impact by ensuring clearer information gateways and increased incident reporting, and establishes a unified set of objectives. The shadow Secretary of State talked about regulators not finding enough incidents, and about them finding too many, but I will let her work out the obvious contradiction in her position.
I say in response to the right hon. Member for Hertsmere that there is clear scope for AI capability to be used in triage. I very much hope that the reviews that the Secretary of State must undertake—they are embedded in the Bill’s requirements—will ensure that we look at efficient ways that regulators can do that.
The Chair of the Science, Innovation and Technology Committee, my hon. Friend the Member for Newcastle upon Tyne Central and West, made a point about the frequency and quality of the reviews of the regime in this Bill. The Department for Science, Innovation and Technology will monitor and evaluate the new framework in reviewing the effectiveness of the regime. The Bill requires the Secretary of State to lay before Parliament a report on the operation of certain NIS legislation, and to publish one at least every five years. It will be an extensive review, so we want to make sure that it is proportionate, rather than overly frequent. The commitments made by the Secretary of State to the Chair relate primarily to the Bill.
In response to the points made by my hon. Friends the Members for Warwick and Leamington, and for Mid Cheshire, about the possibility of a cross-sectoral cyber regulation approach, I flag that 12 regulators are responsible for enforcing this regime, because different sectors rely on different technologies, and have very different risk attitudes and responses to vulnerabilities. It is right that we use sector expertise to address sector-specific issues.
The hon. Member for Bognor Regis and Littlehampton (Alison Griffiths) made an appropriate point about enterprise IT and operational technology being differentiated. That is why we have used a sectoral lens; it is a very tractable way of differentiating the risk factors. We have set out a sectoral approach, but that does not preclude the Secretary of State from setting out, in a statement of strategic priorities, the possibility of co-ordination and information sharing across regulators.
In response to the points made by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted, as well as the hon. Member for Exmouth and Exeter East, about making sure that incident thresholds are clear and proportionate, the 24-hour light-touch notification requirement is proportionate. All that is needed is information alerting the regulator and the National Cyber Security Centre to the nature of the incident; the system does not rely on over-regulation. With the exception of data centres, reportable incidents that affect operators of essential services would need to have affected the operation of significant network and information systems right across the entity, and to have a significant national security impact. That is extremely unlikely to include minor matters, such as the receipt of a phishing email.
The Chair of the Treasury Committee, my hon. Friend the Member for Hackney South and Shoreditch (Dame Meg Hillier), made a point about financial services organisations, and I respond simply by flagging that UK financial services are resilient against cyber-threats. The threats are of course growing, but the regulatory approach taken by the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England were some of the sources for the approach we have taken in this Bill. Regulatory overlap was mentioned; this Government will make sure that businesses that have to navigate multiple regulatory frameworks with multiple services will face minimal burdens. We will work with our regulators and international authorities, including those in the EU, on the implementation of the Bill.
Turning to the impact on business, and the Bill ensuring a proportional approach to security, the Government will regulate only when that is necessary to protect our economy and our country from serious harm. A single attack can disrupt hospitals, transport and vital services, putting lives at risk, and we will not gamble with our economy or our people’s safety. The cost of doing nothing is, of course, too great. As I have mentioned, cyber-attacks drain almost £15 billion a year from UK businesses. At the same time, this Bill takes a proportionate approach to ensuring the safety of British people.
Board-level responsibility was brought up by a number of Members from across the House. I simply say that all business leaders need to take responsibility for their organisation’s cyber-resilience. On 13 October last year, the Government wrote to chief executives, requesting that they make cyber-security a board-level responsibility. The Government’s new cyber governance code of practice focuses on the governance of cyber risk specifically, and we will consider using secondary legislation to require companies to clarify their cyber-security responsibilities at board level.
A number of Members raised the issue of the effect on small and medium-sized businesses. Growth is the Government’s No. 1 mission, and small businesses are the engine room of that growth. They provide many of our most important services. That is exactly why small and, particularly, micro-sized managed or digital services are exempt from regulation under this Bill. They can be regulated only if they are designated as critical suppliers, and there will be an extremely high bar for designation. That should answer the question from my hon. Friend the Member for Mid Cheshire about companies meeting the bar for designation. A point was made about the ability of small businesses to tell quickly whether they are in scope. The regulator will complete an investigation process, which will include giving notices and having consultations with relevant businesses, prior to confirming whether an organisation meets the criteria for being in scope. That process needs to be robust, but we hope to make sure that those regulatory processes are proportionate, too.
I turn to a critical question from my hon. Friend the Member for Milton Keynes Central (Emily Darlington), my right hon. Friend the Member for Oxford East (Anneliese Dodds) and the hon. Member for Ceredigion Preseli (Ben Lake) on long-term sovereignty and capability in this country. Over the last decade and a half, the Conservative party in government sold this country’s strategic leverage over the primary sector, software and digital infrastructure. We will not repeat that mistake. We have already committed, right across the board, to extremely robust digital sovereignty measures. We have committed £500 million to a sovereign AI fund. We have made sure that there are tens of billions of pounds pouring into this country as capital infrastructure for AI, and British firms like Nscale are right at the heart of that. There is an advanced market commitment to cloud compute, to make sure that British companies are right at the heart of the provision of core infrastructure in future. Through the British Business Bank, we are committing tens of billions.
David Reed
We talk about sovereign capability, but how can we have fully sovereign capability when we do not own the means of production of most advanced chips?
Kanishka Narayan
I point the hon. Member to a thriving compound semiconductor cluster in south Wales, as well as chip manufacturing companies. If he doubts how advanced Arm is—the primary chip design company in the world—I would advise him to read a primer on the chip company supply chain.
The Government are pursuing a clear sense of digital sovereignty. On China, I flag that we are taking stronger action to protect our national security, including our critical national infrastructure, as well as making sure that, where appropriate, we look for opportunities for co-operation. The national security strategy, the independent review of state threat legislation and our new powers on counter-terrorism will make sure that we do that.
I am conscious that I am testing your patience, Madam Deputy Speaker, so I will simply flag a final point. The “whole society” approach was mentioned by a number of right hon. and hon. Members. We are making a series of investments in skills to ensure that young people are inspired to pursue careers in cyber-security. On the points made by my hon. Friends the Members for South East Cornwall (Anna Gelderd), and for Portsmouth North (Amanda Martin), I am deeply passionate about ensuring that young people—young women and girls, in particular—in their areas, Wales and across the country pursue thriving careers in cyber-security.
National security is the first responsibility of this Government. The Bill could not be more necessary for confronting developments in global cyber-threat. I thank all right hon. and hon. Members for their engagement with the Bill as it progresses. I encourage them to engage deeply. To all rogue organisations with hackers at the helm—I do not just mean the Conservative party—I say this: your time is up. With this Bill, we will make sure that the British public are secure.
Question put and agreed to.
Bill accordingly read a Second time.
Cyber Security and Resilience (Network and Information Systems) Bill: Programme
Motion made, and Question put forthwith (Standing Order No. 83A(7)),
That the following provisions shall apply to the Cyber Security and Resilience (Network and Information Systems) Bill:
Committal
(1) The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Thursday 5 March 2026.
(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Consideration and Third Reading
(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.
(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.
Other proceedings
(7) Any other proceedings on the Bill may be programmed.—(Jade Botterill.)
Question agreed to.
Cyber Security and Resilience (Network and Information Systems) Bill (Money)
King’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise the payment out of money provided by Parliament of:
(1) any expenditure incurred under or by virtue of the Act by the Secretary of State or another public authority, and
2) any increase attributable to the Act in the sums payable under or by virtue of any other Act out of money so provided.—(Jade Botterill.)
Question agreed to.
Cyber Security and Resilience (Network and Information Systems) Bill (Ways and Means)
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise:
(1) the imposition of charges under or by virtue of the Act; and
(2) the payment of sums into the Consolidated Fund.—(Jade Botterill.)
Question agreed to.
Cyber Security and Resilience (Network and Information Systems) Bill (Carry-over)
Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),
That if, at the conclusion of this Session of Parliament, proceedings on the Cyber Security and Resilience (Network and Information Systems) Bill have not been completed, they shall be resumed in the next Session.—(Jade Botterill.)
Question agreed to.
River Cherwell: Clearing Illegal Waste
(3 days, 6 hours ago)
Commons ChamberRead Hansard Text Watch Debate Read Debate Ministerial Extracts
Calum Miller (Bicester and Woodstock) (LD)
It is my privilege to represent a beautiful part of England’s countryside. Stretching from the Chilterns in the east to the Cotswolds in the west, it is criss-crossed by a network of rivers that define the geography of the area. The largest of these is the River Cherwell, which flows from its origin in Northamptonshire for about 40 miles south, where it joins the Thames in Oxford. My constituency also hosts two major highways: the M40 and the A34. It is the proximity of the A34 to the River Cherwell that created both the setting and the opportunity for a major environmental crime to be committed.
In late October, I was knocking on doors in Kidlington when a conversation opened my eyes. The resident—not particularly interested in politics—was ready to close the door when he said, “Actually, my housemate Billy might want to talk to you.” He shouted upstairs and Billy came down. Billy Burnell is a local angler who knows the River Cherwell inside out. He showed me photos and videos of a vast waste dump beside the river. This was not fly-tipping—it was industrial-scale organised criminal dumping.
It quickly became clear that this was not new. Billy and others had been raising concerns for months. The Environment Agency had visited the site on 2 July with local council officers and determined it was a major incident, which the EA took responsibility for addressing. Yet local anglers, farmers and residents saw dumping continue through the summer.
What emerged was staggering: around 20,000 tonnes of waste had been dumped illegally on a floodplain beside the River Cherwell, close to the A34. You had to see it to believe it—and many people did, thanks to media coverage that went viral due to its shocking nature. This mountain of waste was one of the most serious cases of criminal dumping anywhere in the country.
We quickly had an energetic response from local councillors like Laura Gordon and Gemma Coton, and campaigners stepped up too. Environmental groups including Friends of the Thames helped to amplify the concerns across Oxfordshire and nationally. Around Kidlington, a parliamentary petition gathered nearly 1,000 signatures, which I presented here on 9 December following a series of interventions: my oral question to the Minister on 13 November, my urgent question on 17 November, the question of my right hon. Friend the Member for Kingston and Surbiton (Ed Davey) to the Prime Minister on 19 November and my meeting with the Minister on 2 December. I thank the Minister for her engagement with this issue from the start and for her work with officials to ensure that the risks were identified and managed.
Locally, following my initial question and the media coverage that followed, the Environment Agency convened key partners from councils and emergency services to develop a strategy for the site. The agency confirmed last month that it will take the exceptional step of clearing the site itself, citing serious fire and public safety risks. This is highly unusual and entirely reflective of the sheer amount of effort and support local councillors, campaigners and activists put in to raise the alarm. It should never have been allowed to reach this scale, but this decision shows what determined local people, backed by political pressure, can achieve.
We come now to the situation today. The River Cherwell is, thankfully, not high by its winter standards, yet it still laps against the sandbags and fencing installed by the Environment Agency. Water testing has, thankfully, not shown any significant increase in chemical pollutants downstream from the site. I am truly grateful that we appear to be averting environmental catastrophe—for now. However, now that the winter trees have shed their leaves and revealed the scale of the illegal waste site, it is visible to my constituents and is a constant reminder of the damage already done and the risks ahead.
My constituents continue to ask what is being done to avert the environmental disaster of the waste contaminating the River Cherwell, and I have some questions to ask the Minister on their behalf. Have the measures to contain the waste been designed to cope with a rise in water levels equivalent to a further 2 metres—the peak recorded at the nearest EA measuring station at Thrupp in November 2024? What actions will be taken by the Environment Agency if water testing reveals that chemical pollutants are leaching into the River Cherwell? What steps have been taken to reduce the risk of fire at the site? The December decision to clear the site was warmly welcomed by all the campaigners who had fought for it, yet the factor that led the Environment Agency to authorise the clearance—the risk of fire from combustible and decomposing waste—remains.
Local people remain angry that criminals did this to our countryside and deeply frustrated that more than six months after the site was first visited by the Environment Agency, the waste is still there. The key question that my constituents continue to ask is: when will the waste be removed?
On 11 December, a press release from the Environment Agency and the Department for Environment, Food and Rural Affairs stated that
“preparatory works for clearance will begin imminently. Further details on the timeframe for clearance will be set out shortly.”
To the best of my knowledge, no physical preparatory works have commenced, and the timeframe for clearance has not been set out. I therefore ask the Minister to tell my constituents the following. What steps have been taken since 11 December? When will a timetable for clearance be published? When will the first lorry remove waste from the site? When does she estimate the site will finally be cleared?
Finally, my constituents are concerned about who will bear the cost for this clear-up, so can the Minister confirm that all efforts are being made to identify the criminals responsible and recover costs from them, and that in the meantime the Environment Agency will meet the cost of clearance and that it will not fall to local taxpayers? Can she further confirm whether she has an estimate of what the total cost will be?
Since news broke of the illegal waste dump in Kidlington, there has been concerted media focus on the scandal of industrial-scale, criminal waste dumping up and down the country. Like many people, I had no idea it was so widespread. I have been shocked to learn of how many communities are afflicted by it. Research commissioned by the Liberal Democrats in December indicated that 20% of UK adults have witnessed large-scale illegal dumping in their own local areas, and three in five of those say that the problem has got worse in the last year. This is truly an epidemic of criminal activity that damages our natural spaces and harms the lives of local residents.
People who play by the rules—who dispose of their own litter carefully and take their household waste to council-run tips—are rightly appalled that gangs are doing this and, too often, getting away with it. I know that it is less of a surprise to the Minister, who has been working on these issues for some time. She will know that the House of Lords Environment and Climate Change Committee, led by my noble Friend Baroness Sheehan, has been critical of the Government’s response to its inquiry and recommendations of October 2025. I do not intend to cover those points extensively, but I want to highlight three that directly reflect the experience in my constituency.
First, we need to make it easier for people to report waste crime. In this case, constituents told me that they had suspicions and even evidence in the form of number plates or a description of unusual activity, but did not know what to do with it. Should they call the council, the police, the Environment Agency? They did not know, and that stopped them from acting. Early detection of sites is key to stopping the criminals before they get started, and we should make it as easy as possible for people to report concerns. Will the Minister look again at creating a single national hotline for reporting waste crime?
Secondly, it is clear that the Environment Agency is grossly under-resourced to tackle waste crime. When I first raised this case in the House with the Minister on 13 November, she said that the budget for waste crime enforcement had been increased by 50% this year. That took the budget to £15.6 million, yet as this case shows, the costs of clearance can be close to that full amount. At the same time, the Treasury received £486 million in revenue from landfill tax in 2004-05. Have the Government conducted an assessment of how much additional landfill tax revenue is generated for each pound spent on tackling waste crime? Has DEFRA pressed the Treasury to allocate a larger share of the revenue from landfill tax to the waste crime budget? Given the Government’s response to the House of Lords Environment and Climate Change Committee, can the Minister set out a clear timetable for the publication of the revised national metrics on waste crime and confirm whether interim reporting will be put in place while those indicators are developed?
Thirdly, in this case it is clear that the Environment Agency prioritised investigating the crime over protecting the site by containing the waste on it. Between 2 July and 15 October, the joint unit for waste crime worked to establish who the landowner was and collected evidence about the crimes. I am glad that that led to an arrest last year. However, nothing was done to anticipate the risks to the site, either from waste entering the River Cherwell or fire hazard. It was only after my question to the Minister on 13 November that work began to put in barriers to prevent the waste entering the Cherwell.
I want to be clear: the EA has worked swiftly since November to prevent further environmental damage, and working with other local partners it identified the risks of the site, which led to the decision to remove all the waste from it. My concern is that, perhaps for financial reasons, in this case the EA prioritised investigation ahead of early protective action on the site. Does the Minister think that the EA should reassess the balance between investigation and environmental protection when it identifies sites? Is the Minister satisfied that the EA has the resources and expertise to tackle serious organised criminals who are committing waste crimes, or should the National Crime Agency take over major investigations?
Adam Jogee (Newcastle-under-Lyme) (Lab)
I did not realise that the A34 goes through the hon. Gentleman’s constituency, as it does mine—we will have to do a road trip some time. I congratulate him on his excellent speech. The Minister will not be surprised to see me here, because in Newcastle-under-Lyme we lived with the very worst example of waste crime and profit over people that was Walleys Quarry. We have just marked a year since the landfill site was closed and the cowboy operators driven out of town. Does the hon. Gentleman agree that we need a stand-alone strategy for waste crime and that we need it quickly?
Calum Miller
I am grateful to the hon. Gentleman for his intervention. Perhaps we can look forward to joining up on the A34 at some point. I agree that we need an approach that is truly national and truly strategic. What I have witnessed in my constituency is a piecemeal approach, with best efforts by an under-resourced agency unable to join the dots and, despite the hard work of many people within that agency, a failure to conduct, on the one hand, the investigation and, on the other hand, the preventive measures. It is clear that the estimates of the scale of the criminal activity justify a robust and fulsome national strategy. I agree with him and hope that the Minister will respond to his question.
Strange as it may seem, my constituents and I have been lucky, in so much as this site met the narrow criteria for exceptional intervention. Many communities up and down the country, such as the one just cited, also face the blight of criminal waste dumping yet do not have exceptional circumstances that allow the EA, under the current resourcing and rules, to clear their sites. The site chosen by criminals to dump waste in my constituency suited them as it had easy, undetected access to the A34, but its very proximity to the A34 became the reason that exceptional action has now been approved to remove the waste.
What has struck me most about this toxic crime is how strongly people feel it is wrong. It is wrong to be so arrogant as to despoil our beautiful countryside; wrong that too many people get away with it and that the penalties are not higher; and wrong that it takes too long to clear up these sites. When Billy told me about the site, I vowed that I would work to see the waste contained and then cleared. I am glad that that is happening now, and I hope the Minister will confirm that it will be delivered with urgency.
When I learned how widespread the issue was, I vowed to work with all those like the Minister who care deeply about it to ensure that we make real progress in stopping this crime from blighting so many communities. I look forward to continuing that work with colleagues across the House.
The Parliamentary Under-Secretary of State for Environment, Food and Rural Affairs (Mary Creagh)
It is lovely to be here with you again to celebrate the new year, Madam Deputy Speaker. I wish you and all colleagues in the House a very happy new year. What a shame it is that we are starting it with the trash from last year.
As we have just celebrated Christmas and the holiday period, we will have seen our bins and recycling facilities overflowing with the Christmas excesses. We have faith in our systems that when that is taken away, it is responsibly dealt with. I therefore thank the hon. Member for Bicester and Woodstock (Calum Miller) for raising this important issue. I share his anger and the public’s anger about this serious crime and its impact.
Waste crime blights our communities, as I know from my work as a constituency MP in Coventry. Waste criminals damage the environment and, in the worst cases, directly threaten our health, life and limb. These criminals also undermine legitimate businesses and deprive the Exchequer of tax income. That is why the Government are committed to tackling waste crime. We will crack down on the waste criminals and the organised crime groups who have moved into this lucrative space, and we will ensure that they are brought to justice.
I confirm that the criminal investigation into the Kidlington site is moving forward apace. Environment Agency officials, working closely with the police, have taken samples of the waste materials on site for forensic examination. There is a lot we can divine from some of these materials as to where they originated from. Those forensic results will be available by the end of January.
The Environment Agency is working closely alongside partners including Oxfordshire county council, the police and fire and rescue services as part of the site’s strategic co-ordinating group and tactical co-ordinating group. The strategic group has set the overall goals for this major incident, supporting the gold commander with advice, analysis and community links, while the tactical group implements those goals at the scene. The strategic group has local and operational expertise, and it has determined that the scale of the fire risk sets this case apart from the other illegal waste dumps in England. This location presents an overriding public imperative. That is why the Environment Agency took the exceptional decision to clear the waste and why it is working rapidly to implement a safe, systematic and focused clearance plan. It is important to stress that only two other sites have been cleared by the Environment Agency in the past five years: Hoad’s Wood, via a ministerial direction; and Twyford House in Stoke-on-Trent, where lots of flammable liquids were stored close to the west coast main line. The hon. Member for Bicester and Woodstock will see some of the similarities there.
The Environment Agency will continue to closely monitor the site while preparatory work takes place. It has informed me today that prep work will begin shortly and clearance of the waste is expected to start in February. Further timeline updates will follow from the Environment Agency. It is important that the site’s vast amount of waste is handled correctly and moved to the right facilities without causing damage to the environment. The Environment Agency is monitoring risks at the site and will respond promptly to any change in situation.
It is important that people, whether members of the public or well-meaning journalists, do not enter the site. It is an environmental crime scene and climbing on the waste is dangerous. In doing so, people are putting themselves at risk and compromising the criminal investigation, which is a criminal offence in itself. We do not need to add extra problems to the very big one already there. There is now 24-hour surveillance in place.
The Environment Agency’s approach and actions are always based on evidence, and with the containment and clearance, actions were taken in response to a changing risk level and the potential for a rise in the water levels. The Environment Agency was on site within days of receiving photographic evidence from a member of the public and immediately visited the site with the local authority and confirmed it as a high-risk illegal waste site. Over 80% of the waste on site was there before the Environment Agency visited on 2 July, so the vast majority happened before it was alerted. When further waste movements were reported in September, the EA swiftly obtained a restriction order in October.
The current risk of waste entering the river is very low. A barrier has been installed at the site to prevent the waste from entering the river, to safeguard both the environment and public safety in the event of river levels rising or flooding. The Environment Agency has carried out water quality sampling of the River Cherwell to check for potential impacts of run-off or leaching from the waste. Having sampled upstream and downstream of the site, it has found no indication of pollution entering the Cherwell as a result of the waste.
The clear-up of illegal waste sites by the Environment Agency should only be a last resort, undertaken in exceptional circumstances to protect the public and the environment. In accordance with the “polluter pays” principle, criminals who disregard the law, undercut legitimate businesses and blight communities and the environment must pay the penalty—not us as taxpayers. We do not wish to create a perverse incentive for some people to dump, or facilitate the dumping of, waste. It should be for polluters, not taxpayers, to pay the costs of clean-up.
I acknowledge the huge frustrations about the time such an approach takes—I know that from my hon. Friend the Member for Newcastle-under-Lyme (Adam Jogee). In some cases, that can undermine public confidence or create a perception somehow that the matter is not taken seriously or tackled swiftly. As with any police investigation, there is no running commentary provided either by police, law enforcement or Ministers. I can confirm, though, that I am vigorously pursuing all avenues on this and other waste crime sites. We are committed to bearing down on the cynical waste criminals who damage our environment, harm businesses and blight our communities.
I will go through each of the hon. Member’s questions. I request the patience of the House—Madam Deputy Speaker, feel free to cough if I go on too long. I believe we have until 7.30 pm, so strap in! The hon. Member asked how we are tackling the blight on the country caused by waste crime. We are pursuing a series of reforms that will have a lasting impact on reducing waste crime. We are bringing in reforms to the carrier, broker and dealer regimes, which will shrink the number of people who can handle waste. That is the first thing. We are changing the waste permit exemption regimes. At the moment, certain activities do not need a permit and we are shutting down those exemptions. We are also introducing digital waste tracking, which is coming in this year. These are things that I have done as a Minister that have been consulted on as far back as 2018 but have not been enacted by successive Governments. We think these three actions—this pincer movement, if you like—will be the most effective way to drive criminality away from the waste sector, because this is all about knowing the chain of custody for these materials.
Alongside this, we have increased the Environment Agency’s budget for waste crime enforcement by over 50% this year to £15.6 million. This is the investigatory part of what the EA does, and it includes issues involving misdescribed waste, waste shipments and all the difficult business. This work is very time consuming and painstaking because it has to be done to a criminal standard of proof that will stand up in a court of law. I want to go into a bit more detail about this. These reforms were deprioritised and stalled, but under this Government they are being accelerated.
Mandatory digital waste tracking will replace outdated methods for monitoring waste movements and unify fragmented processes. It will provide a single comprehensive view of waste types, waste quantities and waste destinations. The lack of digital record keeping in the waste industry is frequently exploited by organised criminals, who undercut legitimate businesses through mishandling waste, illegal exports and simple fly-tipping. Data in the new system will help regulators to check that waste is ending up at legitimate, licensed sites and enable the quicker investigation of illegal activity. This digital waste tracking system is being phased in this year, beginning with the introduction of a system for waste receiving sites—for example, landfills—and with planned expansion to other waste operators such as waste carriers in 2027, subject to further funding.
Adam Jogee
I am grateful to the Minister for sharing with the House this important step forward. We are talking about these issues going back to 2018, and it just worries me that if this had been done before, some of the issues that I have hassled her about in relation to Walleys Quarry since I was elected to this place in July 2024 could have been dealt with a lot sooner. This raises many questions about the impact on my constituents back home in Newcastle-under-Lyme under the previous Government, who were clearly missing in action. We can discuss this further outside this House.
Mary Creagh
I pay tribute to my hon. Friend’s assiduousness on the issue of Walleys Quarry. That site is also now being run by the Environment Agency, and the risk of odour that his constituents were really grievously suffering is now extremely low, but that has come at a cost, as he rightly says.
This is nothing new. When there is a problem and no action is taken and no new policy is created, these illegal businesses think, “Well, it’s a victimless crime, so I can carry on making money.” Then they tell their friends and, guess what, soon many flowers are blooming. But they are the wrong sort of flowers, and this creates incentives. Then of course, the legitimate businesses are like, “Hang on, why am I paying all these fees if all I need to do is buy a field, dig it up and dump stuff in it?” This creates disincentives for legitimate operators as well. I am only too aware of this. It was starting post-2016 when the then Government were focused on leaving the EU and the large international issues. I was chairing the Environmental Audit Committee at the time and I was always worried about what was going to happen to waste, including chemical waste, once we put up a border with our nearest neighbours.
Secondly, we will reform waste management and transport. Instead of the current light-touch registration system, it will now be a permitted system. We will move on from a system that was so lax that people were able to sign up Oscar the dead dog to be a waste carrier. Activists were doing that back in 2018-19, so we have known about these problems. Anyone can falsify a bit of paper. We will introduce tougher background checks for operators and tougher penalties for those who break the law.
We will also require vehicles that transport waste—the man with the van—to display their permit numbers on their vehicles and on their advertising, so service users can be reassured that their waste is being handled by an accredited business rather than criminals. The reform will introduce mandatory technical competence for all permit holders, meaning that anyone transporting or making decisions about waste will have to demonstrate that they are competent to do so, rather than simply just going on a register. Waste will be managed by authorised persons only and in a safe manner.
Vikki Slade (Mid Dorset and North Poole) (LD)
I am fascinated and happy to hear what is being proposed. Will it be possible for members of the public to check an online database for that permit? When somebody picks something up from a house and shows their permit, people can feel quite vulnerable. Being able to go online and check the permit against the local authority or central database would give people a lot more confidence.
Mary Creagh
I will get back to the hon. Member on that, if I may. The point of a digital waste tracking system is that everything is digitised. The problem has been that it is a paper-based register, so how can people check it at the moment? My understanding is that the move is to a digital system, but I will get back to her. I do not want to mislead her or the House. Perhaps Box officials can enlighten us while I go through the third reform of the waste permit exemptions.
Thirdly, there are exemptions for three high-risk areas: end of life vehicles—that is, car scrappage—end of life tyres and scrap metal. Those exemptions have long caused problems and have been abused. We will replace them with a requirement for a full environmental permit for all those activities. We will introduce greater record keeping requirements for all waste exemption holders and impose controls on how exemptions can be managed at one site.
At the moment, there are seven waste exemptions: construction waste, preparatory treatments, treatment of waste wood, manual treatment, burning vegetation at the place of production only—that is essentially for farmers—storage in containers and storage in a safe place. As I have mentioned, we have increased the waste crime investigation unit budget. It now has 43 full-time staff.
People have often asked me about enabling the Environment Agency to use environmental permit income to tackle waste crime. Rules are set out by the Treasury in “Managing Public Money” about how the income raised by public bodies may be used. These rules ensure transparency to us as parliamentarians and ensure that fees and charges are not set higher than necessary to cover activity that should be properly funded from taxation. We instead look to innovative ideas, and the EA has consulted on the implementation of a 10% levy to generate a further £3.2 million of waste enforcement funding each year. That would enable a further 30% increase in enforcement activity to be targeted at activities identified by the EA as waste crime priorities. Those include tackling organised crime groups, increasing enforcement activity around specific areas of concern such as landfill sites, closing down illegal sites more quickly, using intelligence more effectively and delivering successful major criminal investigations.
Calum Miller
I am grateful to the Minister for such a comprehensive response. On the question of funding, the £15.6 million in the budget this year for tackling waste crime, as she said, is for the officers who engage in investigation, but it still strikes me as a small amount of money, with 43 officers for a crime that is now taking place up and down the country. Can she clarify whether the additional £5.6 million is now permanently in that budget and will be going forward such that the additional funds she has referred to for permitting will be over and above that sum? Fundamentally, does she think that this is enough?
Mary Creagh
My aim is not to spend further taxpayers’ money on crime; my aim is to stop it happening in the first place. All budget decisions are subject to the normal business planning, but we hope that, through our three-year spending review, we can give the Environment Agency a three-year or indicative settlement that will enable it to plan, rather than the annual process of, “Up this year, down next year,” so that there will be long-range line-of-sight planning. As I say, the EA is consulting at the moment on the additional extra revenue. If that goes through, there would be a funding uplift.
I have the answer to the question from the hon. Member for Mid Dorset and North Poole (Vikki Slade): we are happy to confirm that it is already possible to check the online database for permits, so that is good news there.
I have mentioned the different reforms and I think I have answered all the hon. Gentleman’s questions. I am pretty much coming to the end of my speech. On steps taken since 11 December and his specific question about the rise in water level of up to two metres, equivalent to the peak recorded at Thrupp in November ’24, the waste is within a large floodplain that can store a substantial volume of water during heavy rain. The EA has carried out more detailed flood risk assessment to understand any changes in water levels due to the illegal waste and has determined that there will not be any increased flood risk to local properties. My understanding is that sandbags and a fence are there in order to protect the river.
The EA has also carried out regular water quality sampling of the river to check for impacts of run-off or leaching and has found no indication of pollution. If any pollutants were found in the watercourse, the action would depend on the nature and type of the pollutants found.
On fire risk at the site, EA officials have been working with the fire and rescue service, which is leading on monitoring the temperatures of the waste and planning appropriately. The fire risk was one of the main reasons that an exceptional decision was taken to progress works to clear the site entirely.
Analysis on how the site would be cleared, including ecology surveys, has been carried out with partners and the Environment Agency to get contracts in place as soon as possible, but we need to follow legal process to ensure that the waste is disposed of correctly. The clearance timetable is being finalised and will shortly be published on the EngagementHQ website. As I said, we hope that clearance will begin in February. Early indications and scoping indicate that full clearance will take approximately six to nine months. Where possible, we are seeking to recover our costs from those responsible in accordance with the legislation and the “polluter pays” principle, and the EA is working with the economic crime unit to target the finances of waste criminals. That unit can freeze bank accounts, seize assets and investigate cases of money laundering linked to waste crime.
Adam Jogee
I am grateful to the Minister for setting out so clearly how seriously she is taking this issue, which will be of continued reassurance to people back home in Newcastle-under-Lyme. In many examples, waste crime is rural crime, such as in the example from the constituency of the hon. Member for Bicester and Woodstock (Calum Miller) and for me back home. The Minister talks about working together—can she touch a little bit more on the importance of co-operation and partnership work with the Home Office to make sure that we are getting that right? Clearly, in many communities up and down the country, people think that they can get away with doing whatever they want in rural communities, where there are fewer people around. We have to make sure that we tighten that up quickly.
Mary Creagh
I agree with my hon. Friend. One of the things that I am very interested in exploring is what the playbook is. The hon. Member for Bicester and Woodstock asked who such things should be reported to, and the problem is that if that is not clear, people do nothing. The most important thing when any crime is being carried out, wherever it is happening—whether that is on the Tube or wherever we see things happening—is for us as citizens to do something. That might be reporting it to the council, the local police or the Environment Agency, whose hotline is 0800 807060—I thank my officials for getting that through so that it is on the public record.
The playbook is important. Once something has been reported, what does the local authority, the police or the EA do? What is the definition of “major site”? I have visited sites, including Watery Lane in Staffordshire, where two vanloads of fly-tipping was not classified as a major problem, and it fell to the local authority to clear it. People were locked in their homes physically unable to leave via the road—an absolutely extraordinary position for people to find themselves in. What is the playbook, what are the definitions and where do national agencies step in?
The Environment Agency expects to fund the clearance efforts by making efficiencies in its operations, without impacting on or scaling back any other services. The EA is not funded to clear up waste sites nationally, however, and makes these types of decisions only in exceptional circumstances.
The hon. Member for Bicester and Woodstock asked about additional landfill tax revenue. The waste crime survey that the EA has carried out indicates that 20% of waste is handled illegally. His Majesty’s Revenue and Customs estimates that 23% of landfill tax is evaded, contributing to an annual waste crime cost of roughly £1 billion a year, including a £150 million landfill tax gap, which is 23% of the theoretical liability—I hope that everyone can understand that. That £1 billion a year shows that this is big business. It is a profitable and lucrative business, and we are all paying. We are paying twice, because we are losing the £1 billion and then clearing up the waste, so it is a double whammy for us—it is maddening.
Calum Miller
I am grateful to the Minister for setting out those figures so clearly. That was the point that I was driving at in addressing the budget for waste crime. It is not so much that I or anybody else wants to spend money dealing with criminals, but a relatively modest investment in detection and investigation could yield a higher proportion of that missing tax. We lose £1 billion every year, but a relatively modest increase in the waste crime unit’s budget, or the National Crime Agency doing more, could potentially bring in more of that revenue, which should be used for the benefit of all taxpayers.
Mary Creagh
I am in passionate agreement with the hon. Gentleman, as I am sure is everyone in the Chamber and watching at home. I would say, however, that big businesses use all available resources to protect their income. They are sophisticated businesses—some are registered companies—and they have their own ways of making life difficult for law enforcement. We are in a bit of a David and Goliath situation. They have been very good at doing that. This is a complex crime, and it takes a while to unravel.
We continue to work with the Treasury on the best approach to fiscal policies to tackle and reduce waste crime. The joint unit for waste crime is a UK-wide partnership, working with the Environment Agency, HMRC, the National Crime Agency, the police and others. It shares intelligence, powers and resources to disrupt waste criminals. The unit, which was launched in 2024 and uses proceeds of crime action and asset freezes, has doubled in size thanks to our extra funding. Anyone with intelligence about waste crime can report it to Crimestoppers on 0800 555111.
My message to our constituents around the country is that waste crime is an absolute top priority for the Government. My message to the waste criminals is we are coming for you and we are going to shut you down. My message to the legitimate waste operators is thank you for your work maintaining safe, healthy and clean environments in our towns and putting pride in our places. Let us all ensure that we work together to create a truly circular economy in which this sort of terrible crime is unthinkable and its perpetrators are put out of business.
Question put and agreed to.