Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)

Thursday 5th February 2026

The Committee consisted of the following Members:
Chairs: Emma Lewell, †Esther McVey, Dr Andrew Murrison, Graham Stringer
† Chadwick, David (Brecon, Radnor and Cwm Tawe) (LD)
† Cooper, Andrew (Mid Cheshire) (Lab)
Darlington, Emily (Milton Keynes Central) (Lab)
† Gardner, Dr Allison (Stoke-on-Trent South) (Lab)
† Gill, Preet Kaur (Birmingham Edgbaston) (Lab/Co-op)
† Griffiths, Alison (Bognor Regis and Littlehampton) (Con)
† Jopp, Lincoln (Spelthorne) (Con)
MacNae, Andy (Rossendale and Darwen) (Lab)
Mierlo, Freddie van (Henley and Thame) (LD)
† Narayan, Kanishka (Parliamentary Under-Secretary of State for Science, Innovation and Technology)
† Owatemi, Taiwo (Lord Commissioner of His Majesty's Treasury)
† Robertson, Dave (Lichfield) (Lab)
† Roca, Tim (Macclesfield) (Lab)
† Russell, Sarah (Congleton) (Lab)
† Spencer, Dr Ben (Runnymede and Weybridge) (Con)
† Thomas, Bradley (Bromsgrove) (Con)
† Vince, Chris (Harlow) (Lab/Co-op)
Simon Armitage, Harriet Deane, Committee Clerks
† attended the Committee
Public Bill Committee
Thursday 5 February 2026
(Afternoon)
[Esther McVey in the Chair]
Cyber Security and Resilience (Network and Information Systems) Bill
14:00
The Chair

I remind Members to speak loudly and clearly so that everyone is able to hear.

Clause 9

Managed Service Providers

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss the following:

Amendment 10, in clause 10, page 9, line 29, at end insert—

“(2A) The measures taken by an RMSP under paragraph (1) must ensure that the number of customers to whom the RMSP provides services does not exceed the critical risk threshold.

(2B) In paragraph (2A), the ‘critical risk threshold’ is the number of customers within a sector or subsector where an incident affecting the provision of services to those customers by the RMSP would result in disruption that is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom.

(2C) Paragraph (2D) applies where the number of customers to whom an RMSP provides services exceeds the critical risk threshold by virtue of contracts entered into before the coming into force of section 10 of the Cyber Security and Resilience (Network and Information Systems) Act 2026.

(2D) The RMSP must take steps to reduce the number of customers to below the critical risk threshold, including exercising any right to terminate a contract or vary the terms of a contract.”

This amendment would place a duty on relevant managed service providers (“RMSPs”) to ensure that they do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold, such that an incident affecting those services would be likely to result in significant disruption in the United Kingdom. This would prevent an RMSP managing the technology systems for a whole sector or subsector. Provision is also made for a situation where an RMSP is in breach of the critical risk threshold because of contracts entered into before the enactment of the Bill.

Clauses 10 and 11 stand part.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

I welcome you, Ms McVey, to the most exciting event in Parliament this week.

The Chair

I question that, but carry on.

Kanishka Narayan

What a pleasure it is to serve with you in the Chair. Clause 9 brings large and medium-sized managed service providers—MSPs—into the scope of the Network and Information Systems Regulations 2018. MSPs are organisations that provide an ongoing IT function, such as an IT help desk or cyber-security support, to an outside client. In doing so, MSPs often have widespread and trusted access to clients’ networks and systems. A single targeted attack can ripple outward, disrupting thousands of other systems. That makes MSPs attractive targets for cyber-attacks. Last year an attack on Collins Aerospace halted check-in and boarding systems at major European airports, causing international disruption. Such attacks highlight what can happen if a single point of failure is compromised, and the importance of managed service providers implementing robust cyber-protections. Despite that, MSPs are not currently regulated for their cyber-security in the UK. As organisations rely more and more on outsourced technology, we must close that gap. The clause provides essential definitions of a “managed service” and of a “relevant managed service provider” to clearly set out which organisations are in scope of the regulations.

Clause 10 imposes new duties on MSPs that have been brought into scope by clause 9. For the first time, such businesses must identify and manage risks posed to the network and information systems that they rely on to provide their managed services. As part of that duty, MSPs must have

“regard to the state of the art”,

meaning that they must consider new tools, technologies, techniques and methods that threat actors may employ. That includes artificial intelligence, and means that providers must deploy the right tools to mitigate the risks and take action to minimise the impact of incidents if they occur. By bringing MSPs into scope of the regulations and imposing such security duties on them, we will strengthen cyber-security and resilience across supply chains, reduce vulnerabilities in outsourced IT services and better protect businesses and services across the UK.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

Bringing MSPs into scope is the right direction of travel, and MSPs sit at points of concentrated risk, but they are not all the same and the real risk is not size alone but the level of privileged access and cross-customer dependency. Proportionality will be critical under these provisions if we want better security, not just box-ticking.

Kanishka Narayan

I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.

Clause 11 defines what it means for a digital or managed service provider to be

“subject to public authority oversight”

under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.

In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.

Lincoln Jopp (Spelthorne) (Con)

It is a pleasure to serve with you in the Chair, Ms McVey. Small and medium-sized enterprises are defined by the headcount of full-time employees, yet in the world of IT, particularly for managed service providers, data centres and digital service providers, that is not a helpful metric to understand size and scale. Did the Department consider reevaluating the size of digital and managed service providers based on the through-flow of transactions or data rather than headcount? When I worked in the world of tech, there was a ratio for headcount that was totally different from other sorts of businesses.

Kanishka Narayan

The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Ms McVey.

Clause 9 brings within scope of the NIS regulations a new category of technology service providers, known as relevant managed service providers. MSPs play a critical role in the UK economy. Research conducted by the Department for Science, Innovation and Technology under the last Government suggests that 11,000 MSPs were active in the UK in 2023, of which 1,500 to 1,700 were medium or large organisations that would be in scope of the Bill. Micro and small enterprises that offer managed services are excluded from the scope of regulation but have the potential to be designated as critical suppliers under other provisions, which we will come to shortly.

MSPs are critical to the functioning of the multiple businesses that they serve, offering contracted IT services such as helpdesk and technical support, server and network maintenance, and data back-up. In many cases, they also provide managed cyber-security solutions to their customer bases. Consequently, these businesses often have significant access to their clients’ IT networks, infrastructure and data, which makes them attractive and valuable targets.

Chris Vince (Harlow) (Lab/Co-op)

I seek some clarification on the shadow Minister’s statistics about the number of MSPs that are in scope, and what they are as a proportion of the MSPs in the country. Could he clarify that he is talking about individual organisations rather than what they do? For example, if there is one large organisation and nine small ones, but the large one takes up 80% of the market, the proportions are slightly different.

Dr Spencer

The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.

The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and incident reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.

However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?

I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.

It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?

The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.

One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.

Lincoln Jopp

Having read the Bill, does my hon. Friend understand whether, if a managed service provider provides services to, say, a hospital—so it would be covered by the regulations—and a reportable event happens to the managed service provider, there is any obligation for the hospital trust to report it as well, or whether it is just the managed service provider that has the responsibility? If he is not clear on that, would he ask the Minister?

Dr Spencer

I thank my hon. Friend for the “get out of jail free” card that he gave me at the end of his question; indeed, I pass that question on to the Minister. The point is well made in terms of trying to dissect the interacting and relevant duties in the Bill. The Bill tries to chop up different actors in the digital ecosystem, as well as public and non-public organisations, although a commercial threshold is being used. The Bill also introduces confusion: it rightly tries to make a carve-out for Crown data centres, but what exactly is a Crown data centre? One could argue that a Crown service is something provided by the state. Is a data centre serving a hospital therefore a Crown data centre?

There are so many different components within the Bill. Not only are there 14 regulators, or however many are operating—earlier this week, Amazon told us in evidence that it is regulated by four regulators—there is also confidential information going through, as my hon. Friend the Member for Spelthorne pointed out. It gets even worse in the clause on critical supply networks. It is just incredibly confusing. The Committee—and, dare I say, the Government—should not ignore the evidence we have received from managed service providers time and again saying that although MSPs should be in scope and these regulations help, we need clarity on what exactly that means.

14:17
Alison Griffiths

I think my hon. Friend is about to reference the commercial impacts on MSPs. We have already referenced the fact that they are of many different sizes. One of the concerns the Committee will need to consider is whether new contracts will need to be written. The level of uncertainty being created may render the existing frameworks within which they operate redundant.

Dr Spencer

I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.

Chris Vince

The shadow Minister is always very generous with his time. This is not meant to be a controversial intervention, but does he recognise that micro and small enterprises have been omitted from this legislation because we recognise the challenges they have with the guidance? I appreciate that small can mean mighty when it comes to businesses. The hon. Member for Spelthorne made the point that businesses may have only a small headcount, but a very important role in the cyber-security make-up of this country.

Dr Spencer

Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.

Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.

Lincoln Jopp

I thank the shadow Minister for his reply to my hon. Friend the Member for Bognor Regis and Littlehampton. Is he as surprised as I am to read in the impact assessment that the hourly rate for a contract lawyer is to be £34 an hour rather than £300 to £500 an hour, which in my experience is the market rate?

Dr Spencer

I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.

Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.

We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

The hon. Member is quite right to say that American companies have captured most of the market that he is talking about, particularly the cloud providers. What does he think is stopping British cloud providers from getting a larger share of the market?

Dr Spencer

The cloud providers I have spoken to talk about several things. They talk about the crippling cost of energy in the UK, something that we need to drive down—

The Chair

Order. You are telling me that you do not think it is in scope, but we consider that it is.

Dr Spencer

The cloud providers tell me that the energy costs are crippling, which is highly problematic, and that is why we need to drive those costs down. They talk about the challenges of getting data centres built and about planning considerations, which are a concern across the country. They talk about the taxation environment and costs on businesses more generally, particularly when they are footloose, and they talk about the regulatory framework. Pretty much all of those things are not specifically in the Bill, with the exception of the regulatory framework, so there is a lot that is suppressing the opportunities for cloud providers and others in the sector and hindering them from doing business and succeeding.

There is a broader point to make about the Bill and the philosophy behind it, because there is something that we have to avoid. There is a sense in the UK that we are getting gummed up by regulation and obsessing more and more about limitations and restrictions to businesses. In that environment, people and organisations that do well financially, succeed and grow are seen as either targets or cheats—as something that we can go for, tax and punish. We have lost or diminished our can-do attitude when it comes to supporting the risk takers and the entrepreneurs, who are the people and organisations building the MSPs and data centres on which our economy relies.

Over and above that, there is a cultural issue that is impacting our IT and tech sector. As legislators we should ensure that the thing we have direct control over, which is the legislation in front of us, imposes as small a regulatory burden as possible while still ensuring that it is sufficient to meet our aims. We must listen to businesses and hear their concerns. We hear time and again that the lack of clarity, particularly in this part of the Bill, is putting them at financial and legal risk. That is a very substantial concern.

Alison Griffiths

On my hon. Friend’s point about the lack of clarity in the Bill, there is a real possibility that firms will find that an MSP has one view of an issue while their client has another. Unless there is sufficient clarity in the wording of the Bill, we will have issues.

Dr Spencer

I thank my hon. Friend for her intervention. Legal clarity is important. I have absolutely no issue with lawyers, but we do not want to make a load of money for lawyers as a consequence of the definitional challenges around the Bill’s implementation. That is not good for businesses, which need certainty as to how to apply the regulatory framework under which they operate. Regulatory uncertainty will not help a business to make decisions. My assumption is that the default position will be for businesses to assume that they are not regulated entities, which means that they will not take actions that we would like them to take as a result of the Bill. Again, we will be making laws under which everybody loses out.

My final point is about the carve-out in respect of public authority oversight. It is all well and good for the Government to say, “We have an action plan and we’re going to sort out Government IT and the cyber-security risk for Government services,” but it is not playing out that way. Our biggest risks, and the most vulnerable components of our digital IT infrastructure, are those that are linked to Government services. Change is needed. My sense is that when a company interacts and shares data with Government and public sector services, the biggest cyber-security risk is likely to be in the aspects that are provided by Government services. We are making legislation that puts a host of burdens on the private sector, yet we are largely silent about what is happening in the public sector. Putting people at risk in that way is really not good enough. We need to support our overall cyber-security.

Kanishka Narayan

Once again, the shadow Minister is auditioning for roles in the Treasury, by talking about general taxation, and in the Department for Business and Trade, by talking about general philosophies of regulatory reform. I will focus on matters within the scope of our debate, and on four aspects in particular.

First, Opposition Members have raised questions about definition. They have been answered frequently, but I am happy to repeat the answer. The scope of MSP coverage, which focuses on large and medium-sized MSPs, means that something in the order of 11% of MSPs are covered, by number, but 97.6% of the UK’s MSP revenue is covered. I hope that that gives sufficient assurance as to the coverage of the Bill. Of course, the critical supplier provisions cover any others.

14:30
Secondly, on the matter of concentration risk raised in amendment 10, which stands in the name of my hon. Friend the Member for Warwick and Leamington (Matt Western), it is indeed covered. I hope that that point is sufficiently answered by the market share provision that I have just highlighted.

Thirdly, the hon. Member for Spelthorne asked about notification and overlap of responsibilities. In the example that he highlighted, unless the hospital had a reason to think that an incident posed a risk to it, or had the capability to have a significant impact on it, the notification would primarily sit with the MSP in question. Of course, that would be for the relevant regulators to set out in clear guidance.

Finally, on the question of Crown data centres, that is a specific observation around the Crown data centre organisation.

Lincoln Jopp

Will the Minister give way?

Kanishka Narayan

I am happy to proceed and to focus on Crown ownership of data centre provision to others. For those reasons, I continue to commend clauses 9 to 11 to the Committee.

Lincoln Jopp

Will the Minister please clarify whether he thinks that, as page 102 of the impact assessment states, the hourly rate for a lawyer changing a contract is £34?

Kanishka Narayan

I simply point out to the hon. Member that the pricing for law varies materially. I hope that, with the benefit of technology, it continues to be very accessible to all relevant providers.

Lincoln Jopp

I am sorry, but that is nonsense. The footnote on the page that cites £34 an hour for a contract lawyer directs us back to the Office for National Statistics. I hope that the Minister lives in the real world—he has clearly worked in the business world—so he knows that that is nonsense. Does he agree that that pretty well undermines that section of the impact assessment?

Kanishka Narayan

Having closed the debate, I am happy to conclude.

Question put and agreed to.

Clause 9 accordingly ordered to stand part of the Bill.

Dr Spencer

On a point of order, Ms McVey. What mechanism is available to Members who are concerned that there is a factual error in the impact assessment? How can that be corrected?

The Chair

The point has been made clearly on the record. We can take it beyond this room, and perhaps you can write to the Minister afterwards for clarification.

Clauses 10 and 11 ordered to stand part of the Bill.

Clause 12

Critical suppliers

Question put, That the clause stand part of the Bill.

Kanishka Narayan

Clause 12 will introduce a new power for regulators to designate critical suppliers to organisations as in scope of the NIS regulations. These are suppliers that are so pivotal to the provision of essential digital or managed services that a compromise or outage in their systems can cause a disruption that would have serious cascading impacts for our society and economy; I am thinking in particular of the Synnovis incident in 2024, when 11,000 medical appointments were cancelled across London hospitals as a result of an attack on a pathology service provider.

The clause will ensure that the power to designate can be exercised only where suppliers pose a credible risk of systemic disruption and when the regulator has considered whether the risks to the supplier cannot be managed via other means. In other words, it is a very high bar indeed.

The clause provides safeguards for suppliers, which must be consulted and notified during the designation process. It also requires regulators to consult other relevant NIS regulators when they are considering whether to designate, or decide to do so, ensuring that they have an accurate understanding of how suppliers are already regulated.

Finally, the clause provides for designations to be revoked when risks no longer apply or when a supplier has met the thresholds for regulation as a relevant digital service provider or relevant managed service provider. It should be noted that the clause does not set out the security duties on critical suppliers; these will be defined in secondary legislation following an appropriate period of consultation.

By addressing supply chain vulnerabilities, this measure will strengthen the resilience of the UK’s essential and digital services on which the public rely every day. I commend the clause to the Committee.

Alison Griffiths

The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.

Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.

The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.

As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.

There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.

UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.

My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small—I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.

Lincoln Jopp

To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.

To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:

“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;

so we cannot tell how many there are. The same page also states:

“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”

We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.

Dr Spencer

This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.

The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.

The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.

To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.

Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?

14:45

The detail—such as it is—of clause 12 sets out the criteria under which entities can be considered for designation as critical suppliers. It is notable from the outset that critical suppliers can only be designated if they provide services directly to OESs, RDSPs or RMSPs.

In oral evidence, Dr Ian Levy of Amazon touched on the complexity of sophisticated supply chain arrangements for companies such as Amazon, and commented that the value of a contract with a supply chain entity and the potential impact caused by interruption “are not necessarily correlated”, which we have already covered several times this afternoon. What assessment has the Government made of the need for regulators to look further down supply chains to identify risks from entities that are not in direct contractual relationships with OESs? How far does that go, in terms of the dependency link in a complex supply chain providing OESs?

Further, can the Minister clarify what is meant by the stipulation that, to be a critical supplier, an entity must rely

“on network and information systems for the purposes of”

providing services. Does that provision imply that a level of access to the OES’s IT systems, or access to shared IT systems, is necessary for a designation? As drafted, it appears that nearly any service using an IT system to manage its business would be in scope. That could include cleaners, taxi firms, caterers and so on—is that the intention of the provision? I will come back to that a bit later.

I will move on to the requirement that, to be a critical supplier, incidents affecting an entity would need to have the potential to affect the provision of essential services in a way that might have a significant impact on the economy or day-to-day function of society as a whole, or in any part of the UK. That concept is extremely vague and challenging for regulators to judge in practice. Some guidance is given about the factors to be taken into account in paragraph 4, but it remains too high level to be of practical use. The concept needs not only qualitative criteria, but quantifiable thresholds for metrics such as economic loss, geographical impact and the number of businesses or people who could be affected. Can the Minister confirm that that matter will be consulted on and refined, to provide much-needed clarity to regulators and supply chain entities?

The role for OESs, RDSPs and RMSPs in the critical supply designation process under the provisions is totally unclear. As drafted, the competent authority must consult with the proposed designated supplier and other interested competent authorities. However, the Bill is silent on the specific need for consultation with OESs, RDSPs and RMSPs—sorry, Hansard—that receive potentially critical services from those suppliers. That gives rise to the important question about what role OESs will have in informing regulators about the critical nature of various suppliers’ services, so that regulators can take that information into account in deciding which entities to designate. Perhaps that is implicit in the provision that contains the duty for regulators to consult “such other persons” as they consider “appropriate”, but there is no definitive obligation for regulators to consult OESs. That appears counter-intuitive, as those organisations are surely best placed to provide a starting point for which suppliers should be brought into the scope of regulation as critical services.

It was evident from the helpful testimony of senior officials from NHS Greater Glasgow and Clyde that OESs remain in the dark about what their role will be in determining which are the critical services providers for their organisation. The involvement of OESs, RDSPs and RMSPs in the designation process is also vital in determining whether the goods or services provided by a supplier that is under consideration for designation can be sourced from an alternative supplier. The existence of realistic alternatives may obviate the need for supply chain entities to be brought within the scope of regulation, but in practice it may be difficult for regulators to determine whether workable alternatives exist, particularly where services have been procured through highly technical, detailed and rigorous procurement processes.

Can the Minister clarify what the Government consider the role of OESs, RDSPs, and RMSPs should be in the critical supplier designation process? Given the number of gaps and uncertainties in the planned scheme for the designation of critical suppliers, can he update us on the likely timescale and scope of consultation on this critical issue? That is an issue that goes to the core of whether the Bill will be capable of practical implementation.

I will finish by giving a worked example to go through. I have gone through a lot of technical detail on how we envisage the regulator operating in practice, but a real-world example would be helpful for the Committee—and dare I say, the Minister—to see what the challenges are to having the clause operate as we would like. I totally understand the Government’s aim and intention by having this provision for services that are too big to fail—for want of a better argument—in terms of OESs. My concern is how it all works in practice. I go back to the NHS; that is my happy hunting ground to talk about, given my previous experience, but it is a helpful example.

As Members will know, an NHS trust will have a whole host of private sector providers doing different functions and services for that trust. Many trusts will have different parts of their workforce supplied by private sector providers, for example cleaners, porters, taxi services and patient transport. Locum doctor availability out of hours will often be from a private service provider—sometimes in-house, but often through a private locum agency. The purchase and supply of medicines and items, the maintenance of items and the estate, and emergency boiler works will all be through private service providers. IT services themselves will be private service providers, as is the computer hardware.

It would be helpful if the Minister could unpick this worked example. My concern is that, given limitations in access to the IT network, in the modern day I do not see any private sector provider that is supplying to an OES not doing so, in some way, shape or form, through the IT system or network. It strikes me that all those providers—unless people are communicating by letter or carrier pigeon—will be within the scope, so the criterion completely falls apart.

Alison Griffiths

The clause is drafted broadly, which is understandable, but in practice many of the supply chains, as my hon. Friend has ably demonstrated, involve several layers of providers and sub-providers. I would welcome clarity on how regulators are expected to approach designation in these cases, so that responsibility is clear and preparation can happen upstream, rather than only after an incident.

Dr Spencer

My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.

What happens in the circumstance where a critical supplier acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.

Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.

Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff—I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.

If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.

It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say, “Ben, you’re completely wrong. We found some providers”, but, if that situation arises, how will the arbitration occur in terms of the threshold?

Chris Vince

I am not going to tell the hon. Gentleman that he is completely wrong—he should not worry about that. I will make another point. I wonder whether the distinction might be how time-sensitive losing a particular service would be. That is just a suggestion.

Dr Spencer

I thank the hon. Member so much for that intervention about the time it would take to find an alternative supplier, because it will bring me on nicely to my point about alternative suppliers.

However, before I move on to that point, the hon. Gentleman made a very good point in his intervention, which I will address. To be subject to these provisions will create a regulatory burden, and therefore a cost burden, for an organisation that is designated to be a national critical supplier. If I was a supplier of services, I would want to have the best provision possible. I would want to be cyber-secure; I would want to have a gold-standard service. However, I might also be nervous of being designated as a critical supplier because of the regulatory burden that would impose on me, which would make me potentially less competitive in getting contracts because of the costs that would ensue. There would need to be an arbitration system where a company that is under threat of being designated a critical supplier could have a discussion or debate about whether that designation was relevant or not.

I will now move on to the point that the hon. Gentleman made about alternative services. I really have no idea at all how we can expect a regulator to delve into the complexities and the minutiae of what is available in a local economy to provide these services that the OES is receiving. Do we expect the relevant regulator to check what taxi services are available—actually available, rather than some sort of fantasy availability where they are available on paper, but not in reality—in the local ecosystem that could supply to that hospital, which is the operator of essential services? What is the scope of research that the regulator would have to do? What considerations would they need to take regarding how much the taxis cost and how effective they are? What about the procurement decisions and processes that have already been gone through?

Most public sector organisations have complex procurement rules when setting up their contracts—and that is before we even begin to consider health and safety concerns that are subject to regulatory provisions. For example, if the regulator decided that taxi services are under threat of becoming a critical supplier, then does the taxi service have the ability to deal with someone who has a cardiac arrest, needs oxygen or has a behavioural disturbance? Can it manage people with physical or mental disabilities? What is the scope of that particular service provision? The experts will be the people who commissioned it in the first place; yet on the face of the Bill there is no objective requirement for the regulator to speak to the OES in the first place about how this provision and service was procured.

In terms of the service being available—as per the point made by the hon. Member for Harlow about the time to sift through—how will that be evidenced and investigated? What resource is going into this? That is just for a taxi company. What about when we expand it—and this is just for the NHS—to cleaners, porters, locum agencies or medicines provision? Is the provision of services geographically circumscribed or will this be across the country? I am sure that one can find alternative services to provide taxis to St Thomas’ in Birkenhead, but that does not necessarily mean that it is available in a reasonable timeframe or sense, in terms of the designation of supplier.

15:00

Finally, when it comes to investigations and making assessments of this designation, how will the regulator know what it should look at? How does that conversation go? Does the hospital trust go to the regulator and say, “Hello regulator, here is a list of all the private service providers who are supplying our OES—and by the way, this list is going to change every single day, because these things are in flux and we secure things from different services”? What is the regulator going to do then? Is it on the regulator to go through this list and do an assessment and appraisal as to whether it is a critical service to the OES that we need to then get into the scope of regulation? Or does it work the other way around?

Does the regulator have to turn up and go through the company notes and records, some of which will be highly commercially sensitive? That is relevant when it comes to alternative providers when the discussion is taking place between the regulator and the OES about whether designation is available. Then, when a private sector organisation is being investigated as to whether it should get OES status, who has the burden of proof and what is the evidential burden on whom? Is it on the regulator to demonstrate that that organisation is a critical supplier, or is it on the hospital or the private company themselves? How can that be disputed and what is the appellate system?

The Minister has made it very clear that this Bill and these regulations are important and are going to have teeth and change things. If that is so, then by definition they will impose a cost and burden on business. We recognise that the legislation needs to be proportionate, but it is reasonable for any business that is about to be subject to a regulatory burden to be able to make representations and, if necessary, have their day in court to challenge the necessity of that designation.

Lincoln Jopp

I do not want to add spurious hypotheticals, so I will talk about the real world. I visited the Maypole special school in my constituency the other day. It has 20 members of staff and 18 pupils. It has people coming from as far away as Wandsworth. It books the transport, and the transport is paid for by the local education authority in which the pupil lives. It is clearly critical that children get to the school—just as it would be for a hospital. Would it be up to members of staff at the Maypole school to find out whether Addison Lee used a managed service provider or a data centre? That seems quite a tricky thing to know about and then to fulfil.

Dr Spencer

I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.

I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.

Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.

If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.

Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.

It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.

Kanishka Narayan

First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.

The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.

The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.

Lincoln Jopp

Will the Minister give way?

Kanishka Narayan

I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.

In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.

I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.

Dr Spencer

Will the Minister give way?

Kanishka Narayan

I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.

On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.

The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.

Lincoln Jopp

The Minister came back with an answer on proportionality, saying that it is not for Government to decide what is essential. He missed out the next bit, which is, “We’re just going to regulate critical suppliers and pass laws about them, but we don’t know how many there are, and we don’t know how much the policy is going to cost.” Would he accept that characterisation as the logical conclusion of what he said?

The Minister also said that schools were not covered by the Bill. As far as I am aware, patient data and children’s data are two of the most precious things that we have, so I would like to know why schools are not covered by the Bill.

Kanishka Narayan

On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.

Chris Vince

I was going to intervene on the hon. and gallant Member for Spelthorne, but he is bigger than me. I recognise the points he made about the number of critical suppliers, but I come at the question from the other angle: doing nothing may leave critical suppliers at risk. Although we might not know the exact number, as he correctly asserted, it is important that we do something and introduce the regulations as soon as we can to protect our critical infrastructure.

Kanishka Narayan

I thank my hon. Friend for that point. This issue has not come out of nowhere. Industry and a number of organisations asked that we introduce the measures in the clause.

Beyond the very clear five-step test for critical supplier designation, the Bill provides that the requirements on critical suppliers are proportionate. The reason why we have both the five-step test and the provisions in the Bill is that, in most cases, if the risk assessment suggests so, the security requirements set out in the Bill will be less onerous. They will be specified in secondary legislation and guidance.

On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is that we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.

15:16
Dr Spencer

The Minister is, of course, within his rights to snarkily dismiss the questions that I have raised, but I should point out that the stuff that is debated in Parliament, whether in Committee or on the Floor of the Chamber, is relevant when it comes to future legal disputes after a Bill is passed. The questions I have asked about the application of the Bill’s provisions will be important parts of the legal disputes that I expect will arise after its implementation. When people look back through the Minister’s dismissive comments, I hope they have other resources that they can go to for settling legal arguments. However, he may choose to respond fully now, or in writing if he cannot provide me with an answer.

Kanishka Narayan

I believe that where the shadow Minister laid out any specific concerns, I was able to set out answers, not least on the process for the designation of critical suppliers and the availability of an appeals process. Where his points were more in the realm of specific hypothetical puzzles, I have stayed clear for precisely the reasons that he highlights. This is serious stuff that can form the basis of how businesses and others plan, rather than specific judgments that we ought not to speculate about in this House.

Question put and agreed to.

Clause 12 accordingly ordered to stand part of the Bill.

Clause 13

Provision of information by operators of data centre services

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clause 14 stand part.

Kanishka Narayan

Clause 13 ensures that operators of data centres provide essential information to regulators, enabling them to properly monitor their sector and its cyber-resilience. The clause requires operators to submit key details, such as names, addresses and contact information, within three months of designation, and to update regulators within seven days if anything changes. Regulators are required to maintain a list of designated entities. By keeping regulatory records current, the clause strengthens our ability to monitor and protect essential services and respond to incidents that could affect businesses, public services and national security. The clause plays a key foundational role in the Bill’s wider framework for cyber-security and resilience.

Like clause 13, clause 14 places legal duties on digital and managed services providers to provide essential information to their regulator—in this case, the information commission. Like operators of data centre services, RDSPs and MSPs will be required to register with the information commission within three months, submitting key details, such as names and contact information, and to update regulators within seven days if anything changes. Organisations based outside the UK will be required to nominate a UK representative and provide contact details. To strengthen cross-agency support and recognise the key role that these businesses play in the UK economy and society, the information commission will be required to share its registers of relevant digital and managed service providers with GCHQ. Those proportionate steps will enable authorities to do their job and respond when it matters.

Dr Spencer

Clause 13 requires in-scope data centre operators to provide certain information to their designated competent authorities, which—subject to Government amendment 11, which we passed earlier—will now be solely Ofcom, and to keep that information up to date. The information includes the data centre operator’s address and the names of directors. It must be provided within three months of the data centre operator’s designation. For data centres that meet the threshold criteria, that would be three months after clause 4 comes into force. Other OESs are not subject to an equivalent requirement to provide information to their sector regulator. That reflects the fact that the Government currently have limited information about the data centre sector.

RDSPs are already required, under regulation 14 of the NIS regulations 2018, to provide their contact details to the information commission, as their sector regulator. Clause 14(2) amends regulation 14 to require RDSPs to provide more information, including about their directors and the digital services they provide. It would also require the information commission to share a copy of its register of RDSPs with GCHQ. Clause 14(9) requires RMSPs to register with the information commission and to submit the same contact details as RDSPs. RMSPs must nominate a UK representative if they are based outside the UK. The information commission will be required to maintain a register of RMSPs and to share it with GCHQ. Clauses 13 and 14 give Ofcom and the information commission access to more detailed information about regulated entities and facilitate regulatory oversight of the data centre, RDSP and RMSP industries in the UK.

Question put and agreed to.

Clause 13 accordingly ordered to stand part of the Bill.

Clause 14 ordered to stand part of the Bill.

Clause 15

Reporting of Incidents by Regulated Persons

Dr Spencer

I beg to move amendment 1, in clause 15, page 22, line 15, at end insert—

“(f) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”

The Chair

With this it will be convenient to discuss the following:

Amendment 2, in clause 15, page 22, line 25, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 4, in clause 15, page 23, line 32, at end insert—

“(ea) where the incident involved one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 5, in clause 15, page 26, line 37, at end insert—

“(h) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”

Amendment 6, in clause 15, page 27, line 7, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 7, in clause 15, page 30, line 8, at end insert—

“(fa) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented;”

Amendment 8, in clause 15, page 30, line 21, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 9, in clause 18, page 40, line 10, at end insert—

“(8A) Where the CSIRT receives notification of an incident under regulation 11, 11A, 12A, or 14E that materially involves autonomous or adaptive systems based on machine learning, the CSIRT must share relevant technical information with the relevant body within 72 hours.

(8B) For the purposes of this regulation, a “relevant body” means the AI Security Institute or any successor or replacement body designated by the Secretary of State.”

Dr Spencer

I will speak to the amendments tabled by the hon. Member for Dewsbury and Batley (Iqbal Mohamed), but wait for the next group to speak to clauses 15 and 16 and the amendments to them in the name of the official Opposition.

From the outset, it is important for me to say that while I have spoken to the hon. Member more generally and responded to a debate he secured on AI, I have not spoken to him specifically regarding these amendments and their precise purpose. However, given his concerns about the AI sector and his background, we can see where he is going with them. Broadly speaking, the amendments would ensure that as part of the reporting requirements under these clauses, there is an ability to measure whether adaptive AI or large language models have been responsible for a cyber-security breach or an incident within the systems themselves.

That derives from what we see happening more generally in the cyber-security sector. We heard evidence that, online, people can essentially purchase a cyber-security hack suite of software. It is possible to pay for people to do hacking and one can get training in it. A lot of hacking and cyber-security breaches are now expanding because of large language models and the use of AI to probe systems. I do not know if we have a sense of scope regarding how much this is a problem specifically in the UK, whether for the individual businesses or organisations that will be regulated under the Bill. I understand, as I interpret them, that the point of the amendments is to get a dataset on where AI or automated decision making has been used to pose a particular cyber-security risk.

The amendments also speak to a more general point. There has been a lot of debate in this place over the years about what we as a country, and equivalent democracies, are doing on the regulation of AI and large language models, building on the Bletchley conferences, innovative work and what guardrails we need to think about in terms of imposing LLMs and AI in the UK, and how we approach AI being used by hostile state actors, such as through bot accounts. I understand that the use of deepfakes, bots and so on is an emerging risk as a method of cyber-attack. There are broader issues with regard to transparency when bots on the internet and social media networks can get into various IT systems and accounts, and effectively pretend to be somebody else to get around the cyber-security system. As with all things, we do not know what we do not know. I understand that the amendments were tabled to increase reporting requirements and give us more evidence of the scope of the problem and the threat posed.

I will be grateful if the Minister gives his sense of how much of a problem this is, particularly with regard to whether reporting requirements are necessary. I believe that the Government’s original plan was to introduce an AI Bill. That would have pros and cons, and I remain agnostic on that, but, speaking for His Majesty’s Opposition, I would like to know the Minister’s plans for the AI landscape and whether, in the upcoming King’s Speech, there is an idea of revisiting an AI Bill, which might make such amendments obsolete.

The Chair

Order. That is not relevant now.

Kanishka Narayan

I appreciate the intent behind the amendments and the shadow Minister’s position of understanding but not supporting them, which I share. I share his concerns about the potential for emerging risks posed by AI systems, not least in the realm of cyber-security. At the same time, I am conscious that we have not specified any risk factors in the Bill from a reporting point of view for the National Cyber Security Centre or the regulators. To do so in this context would place an undue priority on one category or source of risk.

For those reasons, although I understand the motivation behind the amendments and I am conscious of the risks posed by AI systems, I urge the hon. Member not to press them. The Bill is technology-agnostic rather than focused on particular areas of risk. The Government continue to work on mitigating AI risks, primarily at the point of use, but also through extensive Government capability, not least in the AI Security Institute.

Dr Spencer

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)

15:27
Adjourned till Tuesday 10 February at twenty-five minutes past Nine o’clock.
Written evidence reported to the House
CSRB21 BCS Chartered Institute for IT
CSRB22 Internet Services Providers’ Association (ISPA)
CSRB23 The ABI
CSRB24 Dr Áine MacDermott, Liverpool John Moores University
CSRB25 Rob Wright, Chief Commercial Officer, Hexiosec, Ambassador for Software Security for DSIT
CSRB26 Online Safety Act Network
CSRB27 Shoosmiths LLP
CSRB28 British Insurance Brokers’ Association (BIBA)