Question to the Cabinet Office:

To ask His Majesty's Government, following the data breach experienced by Southern Water as a result of a cyber-attack, what assessment they have made of the adequacy of existing cyber security regulations for UK critical infrastructure.

Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)

The National Cyber Strategy 2022 set outcomes for critical national infrastructure (CNI) (in the private and public sector) to better understand & manage cyber risk and minimise the impact of cyber incidents when they occur. In addition, at CyberUK 2023, the Deputy Prime Minister announced specific and ambitious cyber resilience targets for all CNI sectors (public and private sector) to meet by 2025.

Over the past year, the Cabinet Office has been progressing foundational work to support the creation of common but flexible resilience standards across CNI and do more on the assurance of CNI, including cyber assurance preparedness, by 2030. This includes work to evaluate the impact and effectiveness of all regulation that applies to CNI, including (but not limited to) NIS regulations, and to bring more private sector businesses working in CNI within the scope of cyber resilience regulations.

The Government is also committed to ensuring cyber security in the public sector, which is why GovAssure was launched in April 2023. Under GovAssure, government organisations regularly review the effectiveness of their cyber defences against common cyber vulnerabilities and attack methods. We are currently evaluating the first year’s assessments. GovAssure will enable government organisations to accurately assess their levels of cyber resilience across their critical services, highlight priority areas for improvement and provide the Government with a strategic view of cyber capability, risk and resilience across the sector.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what plans they have to publish draft legislation incorporating proposed reforms to the Network and Information Systems Regulations 2018.

Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The government remains committed to updating the Network and Information Systems Regulations 2018 (“NIS Regulations”) as soon as parliamentary time allows.

Whilst we wait for parliamentary time, the government is developing improvements which can be delivered without legislative changes, including:

• Updating guidance to NIS competent authorities.
• Developing potential further measures to strengthen the proposed package of reforms.
• Identifying ways to strengthen the capabilities of NIS competent authorities.
• Engaging with managed services providers in the UK to assist their future transition to the NIS Regulations.

These actions build on the government’s existing plans, as set out in the £2.6 billion National Cyber Strategy, to improve cyber resilience across the economy.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what steps they are taking to help businesses provide advanced cyber skills training to staff.

Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The National Cyber Strategy sets out the importance of reducing cyber risks to businesses. To do this, the Government is supporting the UK Cyber Security Council to define the skills and knowledge needed for cyber roles. The Government is also funding numerous targeted training initiatives such as Cyber Ready and Upskill in Cyber to upskill and retrain those in the workforce, as well as the government-funded Skills Bootcamp opportunities highlighted through our recent Advanced Digital Skills campaign. This is alongside our Cyber Essentials scheme which supports businesses to implement essential technical controls on cyber security.