The Chair

- Hansard -

Copy Link

I remind the Committee that with this it will be convenient to discuss the following:

New clause 1—Food supply chain to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

Lincoln Jopp (Spelthorne) (Con)

- Hansard -

Copy Link

- - Excerpts

It is a pleasure to serve under your chairship, Mr Stringer. When we left off, we were considering the powers of the Secretary of State to bring new organisations within scope. I am a Conservative, and my view is that the best form of regulation is usually competition, so I am not actually volunteering these sectors for the guards. However, I want to understand the underlying logic as to why certain things have been included and certain things have not.

We have a fairly good guide as to what is essential. The reason we do is that we went through a global pandemic, and the following groups and organisations were designated as absolutely essential for the running of the state: health and social care, which is included; education and childcare, which is not; anything to do with the justice system; religious staff; public service broadcasters; local and national Government, which again is not in the Bill; food and other goods, which, as we discussed, are also not in the Bill, although they are in the new clauses; public safety and national security; transport; utilities; communications; financial services; and postal services.

That is the analogue I am putting to the Minister: we found out which things we really needed, we designated them as essential and we allowed them to continue during the covid pandemic. None of us particularly relishes being reminded of that time, but we owe it to the people who will be subject to the Bill to ask the Minister exactly what has been argued in and what has been argued out of scope, to understand how vulnerable the blank cheque we are issuing to the Secretary of State is to their including more and more in it, come the day of the races.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

- - Excerpts

I will start by addressing the questions raised by hon. Members, including the hon. Member for Spelthorne, who concluded by setting out a general philosophy of how we thought about what is in and out of scope, and then I will address some of the more specific concerns in the new clauses.

The overarching philosophy has not at all been to deny, as the hon. Members for Spelthorne and for Brecon, Radnor and Cwm Tawe argued, that there are a series of services that are absolutely essential. There is a category of critical national infrastructure, and there is a category of essential sectors and services that we identified in the pandemic. Although there is some overlap, a distinct segment for the Bill is operators of essential services such as digital services and managed service providers. The assessment there has been more about the immediacy and severity of the impact, and the availability of alternative provision in a very short time, which has meant that those sectors have been ruled in. I will lay out the logic of our position on the new clauses, which might help clarify this question, although I would be happy to engage further with hon. Members on it.

I am conscious that the hon. Member for Bognor Regis and Littlehampton and the shadow Minister raised very appropriate points about robustness and proportionality in relation to the Secretary of State exercising the powers in the Bill, so I will lay out the process and the role of Parliament.

In terms of the process for bringing new sectors or activities in scope, something must meet a specific, rigorous test to be defined as a new essential activity for the purposes of the Bill. The Secretary of State must be satisfied that the activity is essential to our economy or society. As I have mentioned, that is reserved for the most vital activities to our nation and acts as a high bar for inclusion, on the terms I mentioned to the hon. Member for Spelthorne.

In reaching a decision, the relevant Departments will need to carry out risk assessments and impact assessments and consider whether inclusion of those sectors and activities is proportionate. That is part of the normal policy development process. After that, the proposals will be subject to consultations and the affirmative procedure, ensuring the necessary scrutiny. Parliament will have the final say on the use of any expansive powers, as the vast majority of the changes I mentioned will be made through delegated powers and subject to the affirmative procedure. If a new sector is then brought into scope, we will undertake a phased implementation wherever possible, and organisations will be given adequate time to comply. Alongside that, regulations will be made in a controlled way and include consultations with relevant stakeholders before secondary legislation is laid before Parliament.

I make one final observation on the points that have been made, not least about Jaguar Land Rover. The UK Export Finance export development guarantee is not a bailout. UKEF receives payments for providing its guarantees, ensuring that the Government are appropriately compensated for the risk taken. In that context, a different assessment was made, as I hope to come to shortly.

More broadly, the Committee heard from expert witnesses that although the purpose of the Bill is clear, and its impact is a significant help for our national cyber-security and essential services, it or any other singular move is no silver bullet when it comes to our cyber-security. Different levers are effective in different parts of the economy and must be applied appropriately.

The most stringent lever the Government have at their disposal is legislation. As we have discussed in this and prior sittings, proportionality is key to the exercise of that lever. Regulation creates obligations and requires resources, so the pros of regulating must outweigh the costs. In the context of the Bill, that means protecting our society and economy from unacceptable risks with an immediacy of threat to our day-to-day life, not least our national security. That means things like keeping the lights on, the taps running and the NHS going, where there is little or no alterative provision of such services. We must also avoid creating unnecessary burdens where other measures are available.

In that context, I turn first to new clauses 1 and 9. The Government and the National Cyber Security Centre are clear that all organisations, whether a food supplier, an automotive giant, a supermarket or any other business operating in the UK, should take steps to protect their cyber-security and increase their resilience. That is why in October the Government wrote to FTSE 350 companies urging them to take three actions to strengthen their defences. First, they should make cyber-risk a board-level priority, and I know that that sentiment is shared across the Committee. Secondly, they should require suppliers to have baseline cyber-security through Cyber Essentials. Thirdly, they should sign up to the NCSC’s early-warning service.

The response has been encouraging already. A significant proportion of organisations have responded, with many of those responses coming directly from chief executive officers and chairs, showing the seriousness accorded to this by boards. Following the letter, we have seen increased interest in the Cyber Essentials website, uptake in early-warning registrations, and uptake in registrations for the IASME supplier check tool, which organisations can use to identify suppliers with Cyber Essentials certificates.

Beyond that, Departments and the NCSC deliver sector-specific support for key parts of the economy. On food specifically, the Department for Environment, Food and Rural Affairs and the wider Government have worked with the food and retail sector on cyber-resilience for many years, and we always stand ready to protect the UK food supply chain. During last year’s incidents involving Marks & Spencer and the Co-op, the NCSC and DEFRA worked closely with the affected retailers to support their response, to communicate advice and guidance and to assess the risk to food security. Following the attack, DEFRA Ministers wrote to major retailers to invite further collaboration on cyber-matters. Officials from both the NCSC and DEFRA are working with retailers to understand how we can best support them and the resilience of our food supply chain in the future.

Crucially, the food sector is unique among critical sectors for its high levels of industrial and geographic diversity. There are approximately 20,000 small and medium-sized food manufacturers alone spread across the UK, and many more farms, distribution centres, retailers and other types of businesses that form the UK’s food supply chain. As a result, it is a sector with few single points of failure. Its resilience is further strengthened by the steps that individual operators and suppliers are taking.

Finally, it is worth mentioning that the cyber-attack on Marks & Spencer last year, which hon. Members have raised, specifically involved the social engineering of a third party managed service provider. As the Committee is aware, the Bill brings large and medium-sized managed service providers into scope. That important change delivers downstream benefits across the wider economy, including for food retailers.

I will move on to new clause 8. The Government recognise that a step change in cyber and digital resilience is required across the public sector, including in local authorities. The Government’s cyber action plan is the overarching strategy to improve the cyber-resilience of Government. It will hold the public sector, including local government, to equivalent requirements to organisations regulated by the Bill. At the outset, the hon. Member for Spelthorne raised a question about schools and pupil data; where local authorities are the lead affected departments in that context, they would be expected to maintain very close oversight and compliance with the requirements and asks of the cyber plan, including in schools and the maintenance of pupil data.

Local authorities in England are accountable for their own cyber-security and resilience. The Ministry of Housing, Communities and Local Government, as the lead Government Department, is accountable for the sector-wide resilience of English local government, and is already taking a range of steps to support the sector, strengthen its cyber-resilience and manage its risks more effectively. For example, MHCLG has already provided £23 million of cyber grant funding and technical support to local government. That includes the delivery of clear cyber-security standards through the adoption of the cyber assessment framework—CAF—for local government. It is also aligned with the wider approach taken by organisations already in scope of the network and information systems regulations.

On social care specifically, as the lead Government Department for adult social care, the Department of Health and Social Care is working to ensure that the standards applied by adult social care providers are consistent with those used across Government and the wider public sector. The DHSC is investing a further £21 million over this Parliament to give care providers the support and guidance they need to improve their cyber-resilience and to enhance cyber-security standards to align with the cyber assessment framework. The MHCLG has also launched a local government cyber-incident response service to support English local authorities to respond to severe cyber-incidents, helping to limit the impact these have on data and services.

I now move on to new clauses 11 and 12, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe. The joint election security and preparedness unit—JESP—sits jointly between the MHCLG and the Cabinet Office. It was created by the defending democracy taskforce, a cross-Government unit, and works to protect UK elections and referendums by co-ordinating work across Government to respond to threats, including on cyber-security.

I know that the shadow Minister takes a keen interest in these questions on the run-up to elections, and he raised some important points. JESP works closely with the NCSC, which produces guidance for organisations involved in delivering elections, including local authorities. That includes advice to help IT practitioners implement security measures that will help prevent common cyber-attacks, as well as offers for direct NCSC support, including the NCSC’s active cyber-defence services.

The MHCLG as a whole is responsible for centrally managed digital electoral services covering voter registration, a postal or proxy vote, or a voter authority certificate. All systems and suppliers involved in developing and maintaining digital electoral services must meet strict cyber-security requirements, not least the MHCLG cyber-security assurance framework.

I will move on to political parties. JESP and the NCSC regularly engage with political party representatives to understand their requirements, monitor any cyber-infrastructure vulnerabilities and raise awareness about Government cyber-defence services. The NCSC’s active cyber-defence programme provides free security tools to help UK organisations, including political parties and local authorities, reduce exposure to common cyber- threats. The NCSC encourages all political parties to sign up to these, and offers individual candidate briefings to parties that wish to take them up.

Everything I have said reflects the Government’s current assessment of where regulation is needed to protect the core of our society and economy. Of course, we have seen that what is considered an essential service can change, and we also know that cyber-threats are constantly evolving. That is why the Bill will enable the Government to bring more essential activities and services into scope in future, and to take swift action if UK national security is at risk, in scenarios where the evidence suggests the pros outweigh the costs. However, at this stage we do not think that that is the case for new sectors. I therefore ask hon. Members not to press their new clauses.

Question put and agreed to.

Clause 24 accordingly ordered to stand part of the Bill.

Clause 25

Statement of strategic priorities etc

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clauses 26 to 28 stand part.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Clause 25 introduces a power for the Secretary of State to designate a statement of strategic priorities for the implementation of the NIS regulations. The NIS regulations are enforced by 12 different sectoral regulators. Although that allows each regulator to apply its sectoral expertise, it also means that at times they have taken divergent approaches to their regulatory responsibilities. Clause 25 addresses that by allowing the Secretary of State to set overarching objectives for regulators in the wider context of a statement of strategic priorities. The statement will replace the NIS national strategy, which the Government were previously required to produce under the NIS regulations. It will set out the Government’s priorities for the security and resilience of essential services.

To ensure that the objectives remain stable enough to enable regulators to plan their work, the clause will prevent a statement from being withdrawn or amended within three years of its designation. However, that three-year rule will not apply if there has been a general election, or a significant change in the threat landscape or in Government policy. That will allow for flexibility where appropriate. In sum, clause 25 empowers the Government to drive a more effective and consistent application of the NIS regulations.

Clause 26 establishes the process through which a statement of strategic priorities can be designated. It requires that there must be consultation with regulators, and that the statement be laid before Parliament, where it will be subject to the negative procedure. It establishes that the Government must share a draft of a proposed statement with the NIS regulators, and that the regulators must be given at least 40 days to provide comments to the Government on that draft statement. The Government must consider whether it is appropriate to make any changes to the draft statement in the light of that consultation. Once any changes have been made, they must lay the statement before Parliament, where it will be subject to the negative procedure. Following that, the Secretary of State may designate the statement.

Clause 27 establishes the legal duties that regulators will have in relation to a statement of strategic priorities. It sets out that regulators must

“have regard to the statement”

when carrying out their NIS functions, as introduced by parts 3 and 4 of the Bill. It also introduces a requirement for regulators to “seek to achieve” the objectives included in the statement.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

- Hansard -

Copy Link

- - Excerpts

As we heard in written evidence from the ABI, clarity about roles really matters. Can the Minister confirm that the statement of strategic priorities is not intended to operate as indirect instruction, and that regulators will retain clear discretion where sector evidence points in a different direction?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for her point. Perhaps I can give a flavour of the objectives I might expect in a statement and assure her of the independence of sector regulators. Subject to consultation, which we would expect in the build-up to any such statement, a statement might include objectives such as encouraging regulators to seek to ensure that their sectors have plans in place to increase security, or focusing on regulatory activity in areas of greatest horizontal risk. To the hon. Member’s point about sector-specific expertise and the independence of regulators, the statement is intended to set objectives to be achieved within the parameters of regulators’ existing statutory duties, and what the overarching risks are. Of course, regulators will be free to do that in the ways they think most appropriate for their sectors, in the light of their own expertise and experience. I hope that gives the hon. Member some assurance.

Clause 28 requires the Secretary of State to publish an annual report setting out, in general terms, how NIS regulators have complied with their duties in relation to a statement of strategic priorities over the previous 12 months, and how they intend to meet their duties in the following 12 months.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

As the Minister is saying, clause 28 is meant to help Parliament understand how regulators are responding to the statement of strategic priorities. Can he say a little about how substantive that reporting will be, and whether it will genuinely allow Parliament to assess how those duties are being exercised in practice?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.

Chris Vince (Harlow) (Lab/Co-op)

- Hansard -

Copy Link

- - Excerpts

indicated assent.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.

As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

- Hansard -

Copy Link

- - Excerpts

It is a pleasure to serve under your chairmanship, Mr Stringer.

Clause 25 introduces a power for the Secretary of State to issue a statement of the Government’s strategic priorities in relation to the security and resilience of network and information systems with regard to essential activities. The statement will set out the responsibilities of regulators and specify objectives to secure the Government’s priorities. Competent authorities must be consulted in the drafting of the statement, and the Secretary of State must issue a report in every 12-month period on regulators’ compliance with meeting the objectives within it.

The changes aim to address important challenges around consistency in the approach to regulation that were identified by the previous Government’s second post-implementation review of the NIS regulations. Importantly, the measures also provide for a regular review of competent authorities’ approach to discharging their regulatory obligations. That measure is necessary given the inconsistent approach to oversight and enforcement of the NIS regulations so far.

We know that there are existing challenges relating to the capacity of competent authorities and there is the ongoing issue of securing sufficient cyber-security professionals to staff the teams. It is all well and good making statements, but they need to be followed. What strategies does the Minister anticipate will be needed and used to support—and, where necessary, drive up—standards of regulatory oversight when competent authorities fall short of the aims set out in the statement?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.

Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

Having worked in business, I know that the words we use to ensure that the capabilities are there are easy to say but not always easy to deliver. How will the Minister ensure that when we have a multi-sector issue, which could easily come up—particularly, as we have already discussed, around OT and the use of IEDs across multiple sectors—the National Cyber Security Centre and other regulators will have access to the skills, people and resources necessary to manage what could be a catastrophic incident? We already know that cyber-skills are in short supply as it is, even in the commercial sector.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The hon. Member raises an important point. Two or three things are really important channels of impact when it comes to skills. First, the NCSC as a convening body across regulatory areas will be able to make sure that different regulators come together and learn by being able to share information not just between themselves, but through the NCSC itself as the convening body for sharing good and prompt understanding of emerging risks.

Secondly, on broader skills, the cost recovery schemes allowed under the Bill create a way for regulators to ensure they are resourced up and have the ultimate financial firepower to be able to enforce the requirements of the Bill.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

I thank the Minister for his patience. He mentions a specific example of where he will ensure that the NCSC is resourced up. Do we have specific examples that have happened already of those powers having been put in place successfully? From conversations with the NCSC, I understand that it is reliant on its accredited bodies across the country, but we have not yet—I am touching the wood of my desk, as I speak—had to respond to a complex multi-sector issue. I challenge the Minister on whether he is confident about our capability to respond to one.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

The Minister is being generous with his time during this important debate. I was just thinking through his earlier response to the point made by my hon. Friend the Member for Bognor Regis and Littlehampton about using the cost reclaims to employ cyber-security professionals. That goes to the heart of the concerns about the Bill and its approach to regulation.

We have heard that the industry, including regulators, is struggling to recruit cyber-security professionals. What gives the Minister confidence that, just because some money will be sloshing around in the regulators, there will be the ability to recruit cyber-security professionals, who are going to be essential to the implementation of the Bill?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal that so more people can benefit from cyber-skills and serve in the industry.

There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.

Chris Vince

- Hansard -

Copy Link

- - Excerpts

I am going to mention Harlow, because Harlow has young people with amazing potential. The point that the shadow Minister and other Opposition Members have made is really important. We need to make sure that this and the next generation of young people are trained up in these skills, because this is an emerging threat. I encourage the Minister to promote the Bill and what the Government are doing in cyber-security, because it is important that the wider public know that these important skills and jobs are available.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am, of course, very happy to take on my hon. Friend’s recommendation that I be the promoter and ambassador for the Bill across the country. I am only sad not to have been invited to visit his constituency in the act of promoting said Bill, but I take his point seriously.

On the broader point about skills, I entirely agree with both my hon. Friend and the Opposition in recognising that skills are central to the enforcement of the programme. I hope that the funding and the earlier focus on skills across the life cycle give some assurance that the Government are committed to that.

Question put and agreed to.

Clause 25 accordingly ordered to stand part of the Bill.

Clauses 26 to 28 ordered to stand part of the Bill.

Clause 29

Regulations relating to security and resilience of network and information systems

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clauses 30 to 35 stand part.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Clause 29 is the key pillar of the Bill’s future-proofing powers. It allows the Secretary of State to update, amend or replace the NIS regulatory framework by creating new regulations. This is a critical provision. Due to the way in which the NIS regulations were transposed into UK law, the Government lack a way of updating the framework other than through primary legislation. As a result, our regulations have remained static amid a rapidly evolving threat landscape, leaving our essential and digital services vulnerable to attack and our resilience falling behind the EU. The clause is an important response to that problem. It will ensure that the Government can take swift action so that our cyber regulations remain relevant. It is a more proportionate and effective approach than always relying on primary legislation.

I know the use of delegated powers can be a source of concern, so I will be clear that the clause is not a carte blanche—or a blank cheque, which the hon. Member for Spelthorne might be worried about—to smuggle in anything and everything under the guise of cyber-security. It is tightly constrained to ensure that any new regulations align with the original purposes of the NIS regulations. New regulations can be made only for the purposes of strengthening the cyber-security and resilience of the UK’s most critical activities, and only where they are genuinely essential to the functioning of the UK’s society and economy. Cyber-criminals will always find ways around regulations, but with this power we can stop them in their tracks.

I have already explained the critical role that clause 29 plays in enabling new regulations to be made for the purposes of cyber-security and resilience. However, I want to be clear about how those regulations will be used and reassure the Committee of their checks and balances. Clauses 30 to 35 set out what the regulations can do.

Clause 30 enables the Secretary of State to use the regulation-making powers to impose requirements on regulated persons. It clarifies who can be made subject to requirements and the types of requirement that can be imposed on them.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

My question relates to clause 29 but also clause 30. As the Minister says, the powers are deliberately wide. The Institution of Engineering and Technology noted in evidence that predictability matters more than compliance. Will the Minister explain exactly how the Government will judge when risks require new statutory duties rather than updated guidance, so that businesses are not left guessing?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Any legislation made under clause 29 will need to align with the Bill’s clearly specified purposes to protect the systems that underpin our vital services. In any case, secondary legislation will require deep consultation to ensure that businesses have the sense of clarity that they require. There is a specific bar to pass for the scope of any further provisions, and it is a high bar given the definition of the sectors and the activities covered in the Bill.

Clause 30 has been designed with some clear use cases in mind. It will enable the security duties on regulated organisations to be updated with appropriate technical details. It will also ensure that more detailed thresholds for incident reporting can be set, and it is the mechanism through which we will set out the regulatory requirements for designated critical suppliers. In other words, the clause will help us to operationalise the provisions of the Bill and update the technical details of regulatory requirements in response to new risks or technology.

Clause 31 enables the Secretary of State to confer functions on regulators through the Bill’s regulation-making powers. These may be existing NIS regulators or newly appointed regulators. The types of functions that can be conferred are those concerned with compliance: monitoring and securing compliance, and investigating and managing non-compliance. To carry out such functions effectively, regulators must be able to impose penalties. Clause 31 also provides for that while putting in place important safeguards so that regulated organisations have a means of appealing penalties. The clause is essential for future-proofing the regulatory regime. It ensures that regulators can be equipped with the functions and powers they need to ensure the compliance and security of the UK’s most essential services.

Clause 32 sets out details and safeguards for how the regulation-making powers can be used when they impose or amend financial penalties. Crucially, it establishes upper limits on what the penalties can be—the greater of £17 million or 10% of turnover for an undertaking, or £17 million for a non-undertaking, or £17 million for an undertaking adjusted as needed to account for inflation. The 10% threshold has been chosen as a defensible outer limit for a regulatory regime concerned with national resilience and security. It aligns with penalties for non-compliance in legislation regulating critical national infrastructure and with the Bill’s own national security powers.

The clause further clarifies that regulations can define “turnover” and “undertaking”, where needed, to calculate a penalty. Together, these provisions create important safeguards and flexibility. They establish proportionate and transparent parameters within which penalty amounts can be set. They also enable the Secretary of State to define and consult on terms that are essential for operationalising the Bill’s new turnover-based penalties.

Like clause 31, clause 33 enables the Secretary of State to make regulations conferring functions on regulators. The functions specified in clause 33 complement the core compliance functions outlined in clause 31. They relate to the disclosure of information, issuing of guidance, record-keeping, preparation of reports, undertaking of reviews, and co-operation. The clause also enables the Secretary of State to impose functions on organisations that are not regulators but that play a public role related to the cyber-security and resilience of essential services. GCHQ, in its capacity as the UK’s computer security incident response team and technical authority, is the most important. Like clause 31, this clause is essential for future-proofing NIS regulations. It allows organisations that oversee and facilitate the cyber-security and resilience of essential services to be equipped with the tools and functions they need.

Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs using the powers under clause 29(1). These are the costs incurred through their functions under the NIS regulations or other obligations imposed through parts 3 and 4 of the Bill. 

In practice, the clause ensures that the Secretary of State can make changes and updates to the way that regulators carry out their cost recovery function under the NIS regime. It could, for example, be used to specify further factors that regulators need to consider when establishing approaches for charging fees in the charging schemes, in addition to those already set out in clause 17. That might be needed to deliver greater consistency in how the cost recovery measures are being applied and is something that the Government will keep under review.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

As the Association of British Insurers has highlighted in its written evidence, the way cost recovery operates will shape behaviour on the ground. Can the Minister reassure the Committee that changes made under clause 34 will be transparent and proportionate and will not inadvertently discourage investment in cyber-resilience, particularly for smaller firms in supply chains?

On a personal point, could I ask him to speak more slowly? I am really struggling to hear him.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I apologise for the pace of my speech; I will try to make sure I am speaking more slowly.

On the particular point on transparency and ensuring that any amendments to cost recovery are both transparent and grounded in specific provisions, I can set out the sorts of expectations we have had for circumstances in which amendments might be made. In particular, the Bill’s powers will enable regulators to set up charging schemes, but it is not prescriptive—

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

Could the Minister repeat that?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The Bill’s new powers enable regulators to set up charging schemes, but it is not prescriptive about how it should do that beyond certain baseline requirements. More specific requirements, as provided for in the Bill, could become clear, such as if cost recovery mechanisms are not working effectively or if regulators are diverging unhelpfully.

All regulators must consult on charging schemes. In doing so, the industry should have ample opportunity to scrutinise the approach that regulators are taking and, importantly, Parliament should be able to add to that scrutiny as well. Like clause 31, clause 34 is essential for the future-proofing of NIS regulations.

Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs; I have mentioned examples of the sorts of factors we might specify in that context. Together with clauses 29 to 33, 35 and 41, clause 34 is necessary to ensure that the Secretary of State can update and amend the functions of regulators as needed in the future, and is an integral part of the Bill’s future-proofing powers.

Clause 35 is the final clause that clarifies the limits and prospective uses of the regulation-making power in clause 29. It confirms that the regulations may confer functions and allow certain functions to be delegated to others—for example, it could enable a regulator to delegate functions to inspectors. It also clarifies that regulations can be made to require a person to have regard to guidance or codes of practice, or that make provision by reference to another document or piece of guidance. In short, the clause provides helpful clarity about how the regulations could be applied.

Sarah Russell (Congleton) (Lab)

- Hansard -

Copy Link

- - Excerpts

On a point of order, Mr Stringer. I am not sure whether this strictly meets the criteria for a point of order, but it is clear that some people in the room cannot hear what is happening. I know the convention is that only the Whips and Ministers sit on the front row, but if those who are struggling to hear wish to sit closer, could we abandon that convention? It would be a reasonable adjustment so that everyone can participate properly, because this is discriminatory.

The Chair

- Hansard -

Copy Link

I thank the hon. Lady for her point of order. It is a convention, and if the hon. Lady or any other Member wishes to sit on the Front Bench to make life easier, they certainly have my permission to do so.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

Further to that point of order, Mr Stringer. Genuinely, I simply need the Minister to speak slowly and clearly. Yes, I am wearing hearing aids; I am sure that others wear them too. I am doing my very best to make sure that I can lip-read, but that is almost impossible given the speed the Minister is speaking at. One cannot lip read when he is looking down all the time either.

The Chair

- Hansard -

Copy Link

I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I confess, Mr Stringer, that I suspect I am also guilty of speaking a bit fast in our previous debates. I will do my best to slow down and speak in a lower tone, as I know that can also help, particularly with certain types of hearing impairment.

To continue the theme of agile regulation, clause 29 enables the Secretary of State to update the NIS regulations through secondary legislation. Clause 30 enables the Secretary of State to impose requirements on regulated entities, which may include directions to take specific actions to increase cyber-resilience, to report on certain matters and to appoint a UK representative if the entity is based outside the UK.

Furthermore, clause 31 specifies that the Secretary of State may direct competent authorities to undertake certain activities, including mandating functions in connection with monitoring and securing compliance with relevant requirements, investigating suspected non-compliance and mitigating the effects of non-compliance on the part of regulated entities. Clauses 32 to 35 provide for the Secretary of State to issue ancillary directions to facilitate information-gathering, investigation and enforcement activities on the part of regulators.

Taken together, the clauses give the Secretary of State a strong suite of powers to respond to emerging cyber-security risks. Again, I recognise the necessity of being able to respond quickly in fast-changing circumstances. However, the Government should clearly be reporting on the Secretary of State’s exercise of the powers at regular intervals to ensure transparency. We will discuss that in due course when we come to clause 40, on the report on network and information systems legislation.

The Chair

- Hansard -

Copy Link

Does the Minister wish to respond?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

No.

Question put and agreed to.

Clause 29 accordingly ordered to stand part of the Bill.

Clauses 30 to 35 ordered to stand part of the Bill.

Clause 36

Code of practice

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clauses 37 to 39.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Clause 36 sets out that the Secretary of State may issue a code of practice for regulated entities. The code will describe recommended steps to help these entities to comply with their duties and requirements under the NIS regulations and any new regulations made under the Bill. This will make it simpler for regulated persons to understand what is expected of them, thereby driving consistency and complementing sector-specific guidance from regulators.

The clause will also make enforcement clearer and more effective, as regulators must take the code into account when they assess compliance. The code is designed to be flexible: it can be updated as threats and technology change, and can be tailored to different types of organisations, ensuring that guidance is current, relevant and practical for all.

Given the importance of the measure in providing practical recommendations to regulated entities, it must be consulted on before it is prepared or revised, and this process is set out in clause 37. Before the code can be brought into force, a draft must be laid before Parliament, providing ample opportunity to scrutinise and, if necessary, reject it within a 40 day period. If either House objects, the Secretary of State cannot proceed with that version and may prepare a new draft. If the draft is approved by Parliament, the Secretary of State may issue it and must publish it, and it then comes into effect immediately, unless otherwise specified. The clause also clarifies how the 40-day period is calculated, to ensure consistency and transparency in the process.

As we know too well, cyber-threats continue to evolve as new tactics and technologies are deployed, which is why the clause includes a power for the Secretary of State to amend the procedure for issuing the code. The Secretary of State may, for example, wish to add or amend consultation requirements or extend the 40-day period.

Clause 38 establishes how the code of practice will be used and treated in legal and regulatory settings, to ensure it has the intended effect. For regulated persons, the code of practice is intended to be formal guidance, with recommendations on how to comply with their duties, but not to be legally binding itself.

As we know, there can be more than one way for businesses to meet their obligations and ensure that they have in place appropriate and proportionate security and resilience measures. It is therefore important that there is a degree of flexibility in how they do this, to accommodate sector-specific nuances and business needs. None the less, it is crucial that the code has sufficient legal status and that the good practice it contains is not simply ignored. That is why the code can be admissible as evidence in court when deciding whether legal obligations have been met, and why the courts and regulators must consider it as evidence when assessing compliance.

Clause 39 establishes a formal process for the withdrawal of the code of practice, in case that is ever needed.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 36 provides that the Secretary of State may issue a code of practice for regulated entities to set out measures that they should take to demonstrate compliance with their duties under the NIS regulations, or any requirements imposed by the Secretary of State under clause 29. If done well, the code could be a repository of best practice, setting proportionate, consistent and effective standards for regulated industries. That will require constructive and open consultation with regulated sectors to identify the challenges facing those sectors and how best to address them.

One issue that came up in oral evidence was the question of the lag between regulation making and industry adoption. David Cook of DLA Piper commented that, after laws come into effect, the process of businesses understanding where they need to get to

“often requires a multi-year programme of reform.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 5, Q1.]

The code of practice is not envisaged to be legally binding, in the sense that a failure to comply is not of itself evidence of a failure to meet obligations under the NIS regulations or the Bill. However, clause 38 states that it would be admissible as evidence in legal proceedings so, in that sense, the code is binding in all but name. In view of that, and the fact that codes can be revoked and reissued, can the Minister provide reassurance to regulated industries that a lead-in time will be built into any requirements to allow businesses to prepare to achieve full compliance?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.

On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would be closely regulated entities to ensure the proportionate implementation of codes.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

We heard from the Information Systems Audit and Control Association that codes work best when they reflect operational reality. Given their evidential status, can the Minister reassure the Committee that codes will remain practical and iterative and not quietly harden into rigid compliance rules?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

For the sake of clarity on the legal status of the codes, I entirely agree with the Minister that it is important to get this right, and my understanding of codes of practice in a different area—statutory codes of practice relating to the Mental Health Act—is that case law says that deviation from the code of practice should be done only for cogent reasons. That is a pretty high bar to pass in terms of deviations. I should declare an interest as a former consultant psychiatrist and someone who operated subject to that particular code of practice.

For absolute certainty, will the Minister write to the Committee and make the status very clear, along with reference to relevant case law in terms of other codes of practice? Does the clause override that jurisprudence or not? That would settle the question as the Bill goes through Parliament.

The Chair

- Hansard -

Copy Link

Order. Interventions are getting a bit out of control again. I remind hon. Members that they should be brief.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I agree with the shadow Minister. The Bill’s focus is on the assessment of compliance with ultimate security duties. The codes of practice will set out approaches to do so, but they will not be the only approaches. I would be happy to write to the shadow Minister and the Committee on the particular legal interpretation, and any relevant case law that might apply.

Question put and agreed to.

Clause 36 accordingly ordered to stand part of the Bill.

Clauses 37 to 39 ordered to stand part of the Bill.

Clause 40

Report on network and information systems legislation

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

- Hansard -

Copy Link

- - Excerpts

I beg to move amendment 26, in clause 40, page 63, line 7, leave out “5” and insert “3”.

This amendment would increase the frequency of the reports that must be published under Clause 40, from every five years to every three years.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clause stand part.

David Chadwick

- Hansard -

Copy Link

- - Excerpts

Amendment 26, tabled by my hon. Friend the Member for Henley and Thame, seeks to ensure that the Bill keeps pace with the reality that it seeks to regulate. In the world of cyber-security, five years is a lifetime. In the past five years, the size and scale of cyber-attacks has continued to advance at pace, and we can expect the next five years to be the same. In that context, waiting five years for the first formal parliamentary review of the Bill seems dangerous. It risks leaving us with a regulatory framework designed for the threats of yesterday and not tomorrow. The cyber-threat is real, evolving and urgent.

The NCSC has reported that nationally significant cyber-incidents more than doubled in 2025 alone. That is why the amendment would change the reporting cycle to once every three years. That is a pragmatic timeline, which allows the Government to identify gaps and close them before they are exploited. The EU’s NIS2 directive explicitly mandates a review by the Commission every three years, and it is not clear why the Government have decided to diverge from that standard. Is it because they believe that the cyber-threat here is considerably less than the one facing European member states? It is simply not clear, which adds to the general sense of bewilderment about this provision. If our European neighbours are reviewing their cyber-security approach every three years, why are the UK Government content to wait for five?

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 40 requires the Secretary of State to publish a report every five years on the operation of the NIS regulations and parts 3 and 4 of the Bill. Reports should include a review of any exercise of powers under parts 3 and 4 by the Secretary of State. Given the wide-ranging powers granted to the Secretary of State under those parts, I have some sympathy for amendment 26, tabled by the hon. Member for Henley and Thame, which seeks to reduce reporting intervals from five years to three.

The shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), raised this issue on Second Reading. She suggested that annual or biannual reviews might allow for effective parliamentary scrutiny of the NIS regulations and of the Secretary of State’s exercise of powers to respond to emerging threats. In view of the concerns voiced by the hon. Members for Henley and Thame and for Brecon, Radnor and Cwm Tawe, and by the shadow ministerial team, will the Minister explain why five-year intervals have been selected and whether the Government will look at this important issue again?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for moving amendment 26, in the name of the hon. Member for Henley and Thame. It seeks to reduce the period for publishing a report on the operation of the legislation from at least every five years to at least every three. I reassure him that the Government recognise the importance of regular assessments of the regime to ensure that it is as effective as possible. The legislation sets five years as the minimum period. That is an appropriate and proportionate timeframe in which to meaningfully assess the progress, at a regular frequency, of the entire regime set out in the Bill, following the approach set by existing legislation such as the Online Safety Act 2023.

David Chadwick

- Hansard -

Copy Link

- - Excerpts

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 40 ordered to stand part of the Bill.

Clause 41

Regulations under section 24 or Chapter 3

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clause 42 stand part.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Clause 41 gives further detail on the sorts of provisions that can be included in regulations made under clause 24 and chapter 3 as a whole. It confirms that regulations can make different provisions for different purposes, different categories of person or different areas; can make provisions for how those regulations apply to the Crown or UK territorial waters; and can include consequential, supplementary, incidental, transitional or saving provisions. The clause also defines how certain terms used in regulations should be interpreted, such as “relevant UK waters” or “primary legislation”. In summary, the clause provides important points of clarification about how the regulation-making powers in the Bill can operate. I propose that clause 41 stand part of the Bill.

Clause 42 sets out the consultation requirements and parliamentary procedure that apply where regulations are used to designate new essential services or regulators, to impose regulatory requirements or change regulator functions, or to amend requirements for the five-yearly legislative review.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

These procedures are standard, but the powers they apply to are significant. Where regulations under part 3 would materially expand duties or bring new actors into scope, have the Government considered whether those should receive deeper scrutiny in practice, even if the formal procedure remains the usual one?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.

In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.

In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I have two questions for the Minister. Given the impact on devolved legislation, can he confirm that the consultation will extend to devolved authorities should it impact on them? My second question is more generally on the theme of devolved authorities. Can he confirm that, as part of the publicised “reset” negotiations with the European Union, bringing Northern Ireland into scope of NIS2 regulations is totally off the table?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

On the broader point about application to the devolved Administrations, changes in UK legislation may indeed need to be reflected in devolved legislation, such as where it refers to and references the name of UK legislation. In those contexts, it is important that consequential provision can be made to ensure coherence. We will continue to engage with our devolved colleagues on the implementation. I am very happy to write to the hon. Gentleman and the Committee, particularly on the Northern Ireland point.

Question put and agreed to.

Clause 41 accordingly ordered to stand part of the Bill.

Clause 42 ordered to stand part of the Bill.

Clause 43

Directions to regulated persons

David Chadwick

- Hansard -

Copy Link

- - Excerpts

I beg to move amendment 27, in clause 43, page 66, line 11, at end insert—

“(fa) a requirement to remove, disable or modify hardware, software or other facilities;”

This amendment would enable the Secretary of State to issue directions to remove, disable or modify hardware, software or other facilities for national security purposes.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clauses 43 and 44 stand part.

David Chadwick

- Hansard -

Copy Link

- - Excerpts

Amendment 27, which I move on behalf of my hon. Friend the Member for Henley and Thame, would give the Government the ability to remove, disable or modify hardware and software that could be used to infiltrate British national infrastructure, such as the cables underneath the now approved Chinese mega-embassy in Tower Hamlets.

The Prime Minister’s greenlighting of the Chinese super-embassy in the heart of London is a grave mistake that presents an open door for the ramping up of Chinese espionage in our country. It sends a regrettable and shameful message to Hongkongers—many of whom have already been targeted, intimidated and coerced by the Chinese Communist party—that trade deals are being prioritised over their safety. The Government must take a robust stance with hostile states such as China.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 43 grants the Secretary of State powers to issue directions to regulate entities where there is a risk to national security, or where an action must be taken in the interests of national security. Directions can include requirements relating to the management of systems, the yielding of information and the removal or modification of goods and services. The Secretary of State may also require a regulated entity to engage the services of a skilled person to comply with directions issued. The Secretary of State has wide discretion to dispense with providing reasons for directions or consulting with the affected parties on the basis of national security considerations.

Clause 44 clarifies that the Secretary of State’s directions under part 4 prevail if there is a conflict between those directions and another statutory requirement. The exercise of these powers by the Secretary of State could have far-reaching consequences for businesses, which may experience interruption to their commercial activities, as well as the potentially considerable time and expense in adhering to a request made on national security grounds.

I have spoken on several occasions in the House and in this Committee about the critical risks posed to our cyber-security and national security by hostile state actors and their affiliates. It is, of course, right that the Secretary of State should have this power, but it should be used only in extremis. Like other extensive powers granted to the Secretary of State under part 3, it must be subject to oversight and guardrails. A report to Parliament, which may well be redacted, on the exercise of functions under part 4 will not be sufficient to ensure that this power is used proportionately. Has the Department considered introducing an obligation for the Secretary of State to report to the Intelligence and Security Committee when she exercises powers under part 4?

We discussed the Chinese super-embassy earlier. Later in the Committee’s proceedings, I will talk about an Opposition new clause that would deal with that problem effectively.

Emily Darlington (Milton Keynes Central) (Lab)

- Hansard -

Copy Link

- - Excerpts

As the Minister will be aware, I have spoken consistently of my concern about our reliance on hardware and tech that comes from potentially non-favourable state actors abroad. That also relates to Government procurement, which I have raised before, as the Minister will know.

The Committee has already discussed how local government and Government Departments are not covered by this legislation, and how there is a separate strategy and document. Can the Minister expand on how protections against a reliance on foreign tech within critical infrastructure, in either the private or the public sector, are being dealt with in the Bill or in the strategy that has been published for the public sector? How will that be continually reviewed as our global geopolitical situation remains unstable?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I will start by addressing amendment 27, moved by the hon. Member for Brecon, Radnor and Cwm Tawe, which would add to the non-exhaustive list of requirements that could be included in a national security direction. It specifies that a direction could include requirements to

“remove, disable or modify hardware, software or other facilities”.

I reassure him that the Bill, as currently drafted, allows the Secretary of State to impose those types of requirements. Clause 43(3)(f) specifies that a direction may include

“a requirement relating to removing, disabling or modifying goods or facilities or modifying services”.

That already encompasses the types of requirements specified in amendment 27.

Furthermore, clause 43(3) lists the requirements that may “in particular” be included in a direction. The list is therefore not exhaustive, and for good reason. It is not possible or desirable to specify every action that might be needed to address a national security risk. That would restrict the Government’s potential avenues to address urgent national security threats, and would risk the legislation being too narrow to address novel threats to the UK’s national security.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I really do not understand the Minister’s answer. If it has not been published on national security grounds, how will we know that it has been laid? The whole thing could be entirely secret. Surely it has to go to the ISC as an accountability mechanism.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The Bill currently provides for clear parliamentary scrutiny. The Secretary of State is responsible for coming to Parliament, although some information may not be able to be presented in public. I am happy to write to the shadow Minister about the mechanisms that other similar regimes have used to ensure that Parliament’s scrutiny is informed in those cases, whether in Committee or otherwise. The primary mechanism is the one we use for constant parliamentary scrutiny, and it would be unfair for any of us to suggest that most of those channels would not be appropriate for the sort of scrutiny we are looking at.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I think the Minister is saying that there will be a parliamentary scrutiny mechanism under these powers. Is that what he is saying?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Yes.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Okay.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

To repeat, exactly as I said: once a direction is issued, it will be laid before Parliament for scrutiny. If there is any misunderstanding, I am happy for the shadow Minister to write to me so that I can confirm it.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I really think we should be very critical about this. What we are doing now is parliamentary scrutiny. There will be directions in future, which we expect to be laid, and they will also be subject to parliamentary scrutiny. Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Yes.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Okay.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.

Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.

Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.

Lincoln Jopp

- Hansard -

Copy Link

- - Excerpts

To take this a little bit beyond the theoretical, is the Minister suggesting that, where it is discovered that, for example, a major offshore wind power generation facility was fitted with remotely triggerable kill switches, triggerable by a foreign state or sub-state actor, the Secretary of State could require that energy company to remove whatever piece of hardware or software was producing that threat?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I could not judge a specific situation but, broadly speaking, that is the sort of situation, especially if it is an NIS-regulated entity, and in particular where the exercise of the power is focused on the entity’s network and information systems, that I would expect to come in scope of the powers specified here.

Under clause 44, a direction can be issued only when necessary for national security. It is possible that, in some circumstances, what is needed to protect UK national security could conflict with standard regulatory duties. For example, a direction might relate to a particularly sensitive national security risk, where only those involved in addressing the risk should be aware of it. That is to minimise the risk of hostile actors becoming aware of a vulnerability. A direction could therefore require an entity not to report that national security risk for the period in which the risk was being remedied. They may ordinarily have had to report that national security risk to comply with standard reporting requirements. The clause will resolve that conflict and provide certainty to recipients of directions about what they must do to ensure that the national security risks in a direction are addressed.

David Chadwick

- Hansard -

Copy Link

- - Excerpts

Given the reassurances from the Minister, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 43 ordered to stand part of the Bill.

Clause 44 ordered to stand part of the Bill.

Clause 45

Monitoring by regulatory authorities

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clauses 46 and 47 stand part.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

This group of clauses concerns how compliance with national security directions will be monitored. Clause 45 enables the Secretary of State to delegate the task of monitoring compliance with the direction issued under clause 43 to a NIS regulator. Regulators have valuable sectoral expertise and existing relationships with the entities they regulate. As such, it may be effective to delegate monitoring of compliance to the relevant regulator. The Secretary of State will retain the sole ability to make judgments about whether non-compliance has occurred, or if any penalty is appropriate. The regulator would be required to obtain information relating to compliance, to be shared with the Secretary of State. The Secretary of State would then determine how they would like to receive this information—for example, in reports or at regular intervals.

Clause 46 grants information-gathering powers to the Secretary of State and to regulators that are subject to a monitoring direction or request. In order to determine whether an incident or threat meets the bar for issuing a direction, or whether a regulated entity is complying with the direction, the Secretary of State will need information from that entity and potentially other parties. The clause establishes the power for the Secretary of State to request that information. As the monitoring of compliance with the direction may be delegated to NIS regulators, the clause also equips those regulators with the power to request information needed for their monitoring functions.

Clause 47 grants the Secretary of State the power to carry out or delegate inspections needed to assess compliance with a direction, or with a confirmation decision specifying actions to be taken in the event of non-compliance. The Secretary of State is responsible for judging whether a regulated entity is complying with a direction, and therefore needs access to relevant information that the regulated entity holds. In some cases, this may not be possible to verify without physical attendance. To ensure the effective use of time and resources, the Secretary of State will have the power to appoint a person to carry out an inspection on their behalf, or to direct the recipient of a direction to appoint an approved inspector. The clause also grants these powers to regulators, where the regulator has been directed or requested to monitor compliance on behalf of the Secretary of State. This will ensure that they can provide the Secretary of State with the most accurate information. I commend the clauses to the Committee.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 45 gives the Secretary of State powers to require regulatory authorities to monitor and report on regulated entities’ compliance with directions given under clause 43 for reasons of national security. Clause 46 provides the Secretary of State with extensive information-gathering powers through the use of information notices to facilitate the giving of directions and monitoring of compliance with directions under clause 45(4). Clause 47 empowers the Secretary of State to conduct inspections to assess whether a regulated entity is complying with directions issued under clause 45(4). The Secretary of State may appoint a third party to conduct the inspection, and require the regulated entity to meet the costs associated with this.

I reiterate the point that these powers are necessary; however, given the potential for significant cost and administrative burden for businesses, they should be subject to contemporaneous or near-contemporaneous oversight by parliamentary authorities, observing the necessary confidentiality protocols. I also make the point that these information-gathering powers apply extraterritorially and may lead to conflict with regulated entities’ data privacy obligations in other jurisdictions. What discussions has the Secretary of State conducted with industry and law enforcement counterparts in other countries about the approach to information sharing for this purpose, and the implications for companies operating services on a cross-border basis?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am grateful to the hon. Gentleman for his points about proportionality and scrutiny. I want to give him assurances about that, as I did in our earlier conversation.

On cross-border compliance, the hon. Gentleman rightly points out that relevant information can be requested, regardless of whether it is held the UK. I am very happy to write to him with further detail on our ongoing engagement with counterparts elsewhere. During this process, we have engaged more broadly to understand other regulatory regimes and ensure compliance with them.

Question put and agreed to.

Clause 45 accordingly ordered to stand part of the Bill.

Clauses 46 and 47 ordered to stand part of the Bill.

Clause 48

Notification of contravention

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clauses 49 to 52 stand part.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

This group of clauses concerns the enforcement of directions issued by the Secretary of State. I shall speak to them in turn.

Clause 48 grants the Secretary of State the power to issue a notice of contravention where they believe an entity is failing or has failed to comply with requirements relating to a direction. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will also be able to issue a notification of contravention relating to an information notice or inspection issued by the regulator. It would not be appropriate for a regulator to judge compliance with a direction issued under clause 43 or any other requirement imposed by the Secretary of State.

Lincoln Jopp

- Hansard -

Copy Link

- - Excerpts

What happens when the Secretary of State, via his various proxies—the regulator or whomsoever—gives a direction to a company to do something in the interests of national security, and the entity disagrees and says, “That simply won’t work, and it won’t solve the problem that you are seeking to address”?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.

The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.

Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.

Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.

These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which align with the provisions in clause 49.

Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.

A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.

Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.

I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clauses 48 to 52 deal with notifications and financial penalties where a regulated entity is deemed not to be compliant with directions issued by the Secretary of State under part 4. In particular, clause 48 would grant enforcement authorities powers to issue a contravention notice if they believe a person has failed to comply with a requirement under part 4. The notice must set out details of remedial steps to address the failure, as well as the financial penalty that the enforcement authority intends to impose.

Clause 49 would require penalties to be set at a level that is appropriate and proportionate, with the maximum penalty being £17 million or 10% of turnover. A maximum daily penalty of £100,000 applies to ongoing breaches. The maximum fines for failing to comply with an information notice or an inspection would be set at £10 million.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I have two points to make to the shadow Minister on defining turnover. As he will be well aware, “turnover” is a technical term that is best defined in secondary legislation, to keep up to date with accounting principles that at times vary from sector to sector. He asked for factors that might contribute to definitions. The specific determination of turnover will be set out secondary legislation, but we intend to establish a presumption that only the turnover of the regulated entity that breaches the direction will be considered for determining penalties on this point.

Question put and agreed to.

Clause 48 accordingly ordered to stand part of the Bill.

Clauses 49 to 52 ordered to stand part of the Bill.

Clause 53

Power to direct regulatory authorities

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to consider the following:

Clauses 54 to 56 stand part.

Government amendments 23 and 24.

Clauses 57 and 58 stand part.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

This group concerns the power for the Secretary of State to issue directions to the NIS regulators, as well as general provisions relating to the power and the power to direct regulated entities. That includes the procedure for reviewing, varying or revoking directions, the procedure whereby Parliament can scrutinise these directions, how information concerning directions can be shared, the means by which directions can be issued and the clarifications of key terms concerning part 4 of the Bill. I shall speak to each clause in turn.

Clause 53 grants the Secretary of State the power to direct NIS regulators in the exercise of their NIS functions, where it is necessary and proportionate in the interests of national security. The current system requires regulated entities to undertake “appropriate and proportionate” measures to secure themselves against cyber-threats. Regulators issue guidance to their sectors to help them to interpret that duty. However, geopolitical or technological developments could lead to rapid, unexpected increases in the cyber-threat that quickly leave whole sectors vulnerable and create a national security risk.

In such circumstances, it is essential that the Secretary of State can leverage the expertise and powers of NIS regulators to drive the implementation of enhanced security procedures and practices. For example, they may need to direct a regulator to issue an urgent advisory to its sector regarding new cyber-threats or to update guidance on what measures are “appropriate and proportionate” for them to take. This power will not extend to other Government Departments or devolved Governments, for which any actions to mitigate significant national security threats will be agreed through engagement.

Given the changing nature of national security threats, there may be times at which a national security direction needs to be varied or revoked. Clause 54 introduces powers for the Secretary of State to change the content of a direction, or revoke it altogether, where it is necessary and proportionate to do so in the interests of national security. The Secretary of State will be able to vary a direction to add new requirements, or to simplify directions by removing requirements that are no longer needed. To ensure that regulated entities are able to make representations, the Secretary of State is required to consult them before a direction is varied, where practicable. This requirement does not apply if consultation would be detrimental to the interests of national security.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 53 would grant the Secretary of State powers to issue directions to regulators where this is necessary for national security reasons, and to allow a reasonable period for the regulator to comply with that direction. Clause 54 provides that directions may be amended or revoked by the Secretary of State. Under clause 55, directions to regulated entities or regulators must be laid before Parliament unless that

“would be contrary to the interests of national security.”

I repeat my earlier question about the ISC’s role regarding scrutiny. Clause 56 would permit the Secretary of State and regulatory authorities to share any information obtained under part 4 with each other and the NCSC. The provision also allows for the sharing of information with other UK or overseas public authorities with equivalent cyber-security or national security functions. Government amendments 23 and 24 seek to amend that clause to provide for directions and notices issued under this part to be sent by email to relevant persons who provided those contact details to regulatory authorities.

Some reassurance on the extent of information sharing for businesses is delivered through provisions specifying that disclosures of information should be limited to that which is relevant and proportionate. However, those are high-level and subjective terms, open to interpretation by the authority sharing the information. Can the Minister provide any update on the development of protocols between authorities to ensure that information shared is limited to that which is necessary for effective oversight and enforcement in relation to national security risks?

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

On the shadow Minister’s first point, I repeat what I said earlier and, of course, acknowledge his concern. I assure him that, while a direction can only be issued out of necessity for national security, it does not follow that public knowledge of that direction or its contents would compromise national security. I would expect a pretty extensive scope of such directions and, therefore, an appropriate channel of scrutiny in Parliament.

On his question of protocols to ensure information shared is not just proportionate in general, but specific to the purpose of national security specified, I am happy to give him the assurance that the Bill contains it and that, in the process of working out implementation, we will make sure that regulators are focused on developing those protocols.

Question put and agreed to.

Clause 53 accordingly ordered to stand part of the Bill.

Clauses 54 to 56 ordered to stand part of the Bill.

Clause 57

Means of giving directions and notices

Amendments made: 23, in clause 57, page 83, line 8, at end insert—

“(za) an email address provided to a regulatory authority as an address for contacting that person,”

This amendment would ensure that a direction or notice can be given to a person using an email address which has been provided to a regulatory authority as a contact email address.

Amendment 24, in clause 57, page 83, line 11, leave out

“there is no such published address”

and insert—

“no email address has been so provided or published”.—(Kanishka Narayan.)

This amendment is consequential on Amendment 23.

Clause 57, as amended, ordered to stand part of the Bill.

Clause 58 ordered to stand part of the Bill.

Clause 59

Extent

Question proposed, That the clause stand part of the Bill.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss clauses 60 and 61.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I will speak to clauses 59, 60 and 61 in turn. Clause 59 clarifies that the Bill’s provisions apply to England and Wales, Scotland and Northern Ireland. That is consistent with the Network and Information Systems Regulations 2018.

Effective implementation is key to a successful regime. Clause 60 outlines the phased commencement timings of the provisions, ensuring that they commence at an appropriate time. Some of the provisions will commence upon Royal Assent, or two months after Royal Assent, allowing the Government to begin implementing the regime without delay. That includes powers for the Secretary of State to lay important secondary legislation required to operationalise some measures in the Bill upon Royal Assent, and the power to publish a statement of strategic priorities at month two. All remaining measures will be brought into force via regulations, allowing the Secretary of State to sequence implementation in a way that is practical and proportionate, allowing for transitional arrangements and business adjustments. That also allows sufficient time for the implementing regulations to be made and scrutinised, and is required to make operational and implement the new, stronger framework.

Clause 61 clarifies that the Bill can be referred to as the Cyber Security and Resilience (Network and Information Systems) Act 2026 once passed.

Question put and agreed to.

Clause 59 accordingly ordered to stand part of the Bill.

Clauses 60 and 61 ordered to stand part of the Bill.

New Clause 2

Register of foreign powers for the purposes of Part 4

“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.

(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –

(a) which have been confirmed by GCHQ as having—

(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,

(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or

(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,

(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

(3) Regulations under this section are subject to the affirmative resolution procedure.

(4) In this section, “foreign power" means–

(a) the sovereign or other head of a foreign state in their public capacity;

(b) a foreign government, or part of a foreign government;

(c) an agency or authority of a foreign government, or of part of a foreign government;

(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or

(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—

(i) hold those posts as a result of, or in the course of, their membership of the party, or

(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”

This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.—(Dr Spencer.)

Brought up, and read the First time.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I beg to move, That the clause be read a Second time.

The Chair

- Hansard -

Copy Link

With this it will be convenient to discuss the following:

New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk—

“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –

(a) from activities undertaken outside of the UK, or

(b) from foreign owned or controlled infrastructure or locations within the UK.

(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –

(a) the findings and conclusions of the review conducted under subsection (1), and

(b) the Government’s plan for addressing the risks identified.

(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –

(a) a review has been conducted under subsection (1), and

(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”

This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.

New clause 13—Statement on risks posed to systems by foreign interference—

“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.

(2) Any statement under this section must—

(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;

(b) include risks associated with—

(i) hardware,

(ii) software,

(iii) supply chains,

(iv) procurement processes, and

(v) the use of, or reliance on, foreign technologies or systems;

(c) include a specific focus on government digital procurement processes.

(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”

This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.

New clause 15—Review of high-risk bodies—

“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.

(2) A review under this section must assess—

(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;

(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and

(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.

(3) In this section—

“relevant body” means—

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.

“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;

“network and information systems” has the meaning given by section 24(1).”

This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

New clause 2 contains an obligation for the Secretary of State to establish and maintain by regulation a list of foreign powers presenting a significant cyber-security risk to the UK. The list must include states that have been confirmed by GCHQ as having perpetrated a cyber-attack, whether by a state department, agency or affiliate, on the UK in the preceding seven years. It must also include foreign powers that GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

New clause 3 would compel the Secretary of State to review and report to Parliament on the risk to networks and information systems posed by foreign powers appearing on the register under new clause 2, with specific regard to activities undertaken from abroad and the risk posed by locations or premises controlled by those states in the United Kingdom. New clauses 13 and 15, in the name of the hon. Member for Henley and Thame, look as if they have been tabled in the same spirit of genuine concern about the risk of foreign hostile state interference and control in critical systems and supply chains.

There is an established precedent in UK legislation for maintaining registers or lists of hostile state actors and other entities presenting a threat to our national security for use by Government. That includes the foreign influence registration scheme under the National Security Act 2023, which came into effect last year. Russia and Iran were placed on an enhanced tier of the scheme, which applies to foreign powers considered to pose a risk to the UK’s safety or interests. The Government said that that was in response to those countries being identified as presenting an elevated national security risk. China was conspicuous by its absence, despite the director of GCHQ having confirmed in 2024 that her organisation devotes more resource to China than to any other single mission.

Chris Vince

- Hansard -

Copy Link

- - Excerpts

The shadow Minister will forgive me for taking the opportunity to defend the Government and the Prime Minister; I was not expecting to do that in this Committee this week. I reassure Members across the House that this Prime Minister and Government put national security first. The shadow Minister will know that intelligence agencies have been consulted about the relocation of the Chinese embassy. He will also be aware that the proposed new site at Royal Mint Court is actually further away from this place than the current site.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Frankly, I find it astounding that, according to my understanding, in response to the planning decision being granted our security services said that they would take measures to start moving sensitive digital cables. It strikes me that a decision about sensitive digital cables should have been pertinent to the planning application in the first place.

The Government remain reluctant to name China as a threat to UK national security, despite the overwhelming and growing portfolio of evidence. In case the Government are still in any doubt, we need look only at the oral testimony given to this Committee by the Inter-Parliamentary Alliance on China for a clear picture of the role of China and its state affiliates at the forefront of the cyber-security threats to our critical sectors.

Given that established and growing threat, new clause 3 would compel the Secretary of State to review, among other matters, the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. In the Commons debate on the embassy application in June last year, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) reminded the Minister for Housing and Planning that the Government’s own cyber-security experts, Innovate UK, have warned about the threat to the City of London from the embassy. My hon. Friend made specific reference to the Wapping telephone and internet exchange that would be surrounded on three sides by this new embassy—not to mention the fibre cables I referred to earlier, which carry highly sensitive information and run beneath this site.

Chris Vince

- Hansard -

Copy Link

- - Excerpts

I recognise that the shadow Minister cares passionately about the security of this country—as do I, which is why we are discussing the Bill. But does he not recognise that the site was purchased by the Chinese Government in 2018? There is a potential threat whether or not the new embassy is built there.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I do not want to repeat the discussion that we had a moment ago. I think it is complete lunacy to permit the building of a super-embassy—one of the biggest in the region—next to highly critical data transmission. I am also concerned by media reports that the Prime Minister’s recent visit to China was greenlighted only following the final approval of the embassy. I am deeply depressed that, following the visit, Jimmy Lai has been effectively sentenced for life. I respect the tone and constructive way in which the hon. Member for Harlow approaches this debate, but it is fair to say that the Government are sadly weak on standing up to hostile state actors such as the Chinese Communist party.

As I said at the start, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical cyber-security risks to the nation. I therefore submit that the new clauses are a vital addition to the Bill to focus the attentions of the Secretary of State to ensure that her functions under part 4 are carried out in the best interests of our national security. No responsible Government would or should vote against such provisions. Parliament should make it crystal clear that the Chinese Communist party is a threat to the United Kingdom. We must support new clauses 2 and 3.

Ordered, That the debate be now adjourned.— (Taiwo Owatemi.)