Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Clause 25 introduces a power for the Secretary of State to designate a statement of strategic priorities for the implementation of the NIS regulations. The NIS regulations are enforced by 12 different sectoral regulators. Although that allows each regulator to apply its sectoral expertise, it also means that at times they have taken divergent approaches to their regulatory responsibilities. Clause 25 addresses that by allowing the Secretary of State to set overarching objectives for regulators in the wider context of a statement of strategic priorities. The statement will replace the NIS national strategy, which the Government were previously required to produce under the NIS regulations. It will set out the Government’s priorities for the security and resilience of essential services.

To ensure that the objectives remain stable enough to enable regulators to plan their work, the clause will prevent a statement from being withdrawn or amended within three years of its designation. However, that three-year rule will not apply if there has been a general election, or a significant change in the threat landscape or in Government policy. That will allow for flexibility where appropriate. In sum, clause 25 empowers the Government to drive a more effective and consistent application of the NIS regulations.

Clause 26 establishes the process through which a statement of strategic priorities can be designated. It requires that there must be consultation with regulators, and that the statement be laid before Parliament, where it will be subject to the negative procedure. It establishes that the Government must share a draft of a proposed statement with the NIS regulators, and that the regulators must be given at least 40 days to provide comments to the Government on that draft statement. The Government must consider whether it is appropriate to make any changes to the draft statement in the light of that consultation. Once any changes have been made, they must lay the statement before Parliament, where it will be subject to the negative procedure. Following that, the Secretary of State may designate the statement.

Clause 27 establishes the legal duties that regulators will have in relation to a statement of strategic priorities. It sets out that regulators must

“have regard to the statement”

when carrying out their NIS functions, as introduced by parts 3 and 4 of the Bill. It also introduces a requirement for regulators to “seek to achieve” the objectives included in the statement.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for her point. Perhaps I can give a flavour of the objectives I might expect in a statement and assure her of the independence of sector regulators. Subject to consultation, which we would expect in the build-up to any such statement, a statement might include objectives such as encouraging regulators to seek to ensure that their sectors have plans in place to increase security, or focusing on regulatory activity in areas of greatest horizontal risk. To the hon. Member’s point about sector-specific expertise and the independence of regulators, the statement is intended to set objectives to be achieved within the parameters of regulators’ existing statutory duties, and what the overarching risks are. Of course, regulators will be free to do that in the ways they think most appropriate for their sectors, in the light of their own expertise and experience. I hope that gives the hon. Member some assurance.

Clause 28 requires the Secretary of State to publish an annual report setting out, in general terms, how NIS regulators have complied with their duties in relation to a statement of strategic priorities over the previous 12 months, and how they intend to meet their duties in the following 12 months.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.

Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The hon. Member raises an important point. Two or three things are really important channels of impact when it comes to skills. First, the NCSC as a convening body across regulatory areas will be able to make sure that different regulators come together and learn by being able to share information not just between themselves, but through the NCSC itself as the convening body for sharing good and prompt understanding of emerging risks.

Secondly, on broader skills, the cost recovery schemes allowed under the Bill create a way for regulators to ensure they are resourced up and have the ultimate financial firepower to be able to enforce the requirements of the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Clause 29 is the key pillar of the Bill’s future-proofing powers. It allows the Secretary of State to update, amend or replace the NIS regulatory framework by creating new regulations. This is a critical provision. Due to the way in which the NIS regulations were transposed into UK law, the Government lack a way of updating the framework other than through primary legislation. As a result, our regulations have remained static amid a rapidly evolving threat landscape, leaving our essential and digital services vulnerable to attack and our resilience falling behind the EU. The clause is an important response to that problem. It will ensure that the Government can take swift action so that our cyber regulations remain relevant. It is a more proportionate and effective approach than always relying on primary legislation.

I know the use of delegated powers can be a source of concern, so I will be clear that the clause is not a carte blanche—or a blank cheque, which the hon. Member for Spelthorne might be worried about—to smuggle in anything and everything under the guise of cyber-security. It is tightly constrained to ensure that any new regulations align with the original purposes of the NIS regulations. New regulations can be made only for the purposes of strengthening the cyber-security and resilience of the UK’s most critical activities, and only where they are genuinely essential to the functioning of the UK’s society and economy. Cyber-criminals will always find ways around regulations, but with this power we can stop them in their tracks.

I have already explained the critical role that clause 29 plays in enabling new regulations to be made for the purposes of cyber-security and resilience. However, I want to be clear about how those regulations will be used and reassure the Committee of their checks and balances. Clauses 30 to 35 set out what the regulations can do.

Clause 30 enables the Secretary of State to use the regulation-making powers to impose requirements on regulated persons. It clarifies who can be made subject to requirements and the types of requirement that can be imposed on them.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Any legislation made under clause 29 will need to align with the Bill’s clearly specified purposes to protect the systems that underpin our vital services. In any case, secondary legislation will require deep consultation to ensure that businesses have the sense of clarity that they require. There is a specific bar to pass for the scope of any further provisions, and it is a high bar given the definition of the sectors and the activities covered in the Bill.

Clause 30 has been designed with some clear use cases in mind. It will enable the security duties on regulated organisations to be updated with appropriate technical details. It will also ensure that more detailed thresholds for incident reporting can be set, and it is the mechanism through which we will set out the regulatory requirements for designated critical suppliers. In other words, the clause will help us to operationalise the provisions of the Bill and update the technical details of regulatory requirements in response to new risks or technology.

Clause 31 enables the Secretary of State to confer functions on regulators through the Bill’s regulation-making powers. These may be existing NIS regulators or newly appointed regulators. The types of functions that can be conferred are those concerned with compliance: monitoring and securing compliance, and investigating and managing non-compliance. To carry out such functions effectively, regulators must be able to impose penalties. Clause 31 also provides for that while putting in place important safeguards so that regulated organisations have a means of appealing penalties. The clause is essential for future-proofing the regulatory regime. It ensures that regulators can be equipped with the functions and powers they need to ensure the compliance and security of the UK’s most essential services.

Clause 32 sets out details and safeguards for how the regulation-making powers can be used when they impose or amend financial penalties. Crucially, it establishes upper limits on what the penalties can be—the greater of £17 million or 10% of turnover for an undertaking, or £17 million for a non-undertaking, or £17 million for an undertaking adjusted as needed to account for inflation. The 10% threshold has been chosen as a defensible outer limit for a regulatory regime concerned with national resilience and security. It aligns with penalties for non-compliance in legislation regulating critical national infrastructure and with the Bill’s own national security powers.

The clause further clarifies that regulations can define “turnover” and “undertaking”, where needed, to calculate a penalty. Together, these provisions create important safeguards and flexibility. They establish proportionate and transparent parameters within which penalty amounts can be set. They also enable the Secretary of State to define and consult on terms that are essential for operationalising the Bill’s new turnover-based penalties.

Like clause 31, clause 33 enables the Secretary of State to make regulations conferring functions on regulators. The functions specified in clause 33 complement the core compliance functions outlined in clause 31. They relate to the disclosure of information, issuing of guidance, record-keeping, preparation of reports, undertaking of reviews, and co-operation. The clause also enables the Secretary of State to impose functions on organisations that are not regulators but that play a public role related to the cyber-security and resilience of essential services. GCHQ, in its capacity as the UK’s computer security incident response team and technical authority, is the most important. Like clause 31, this clause is essential for future-proofing NIS regulations. It allows organisations that oversee and facilitate the cyber-security and resilience of essential services to be equipped with the tools and functions they need.

Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs using the powers under clause 29(1). These are the costs incurred through their functions under the NIS regulations or other obligations imposed through parts 3 and 4 of the Bill. 

In practice, the clause ensures that the Secretary of State can make changes and updates to the way that regulators carry out their cost recovery function under the NIS regime. It could, for example, be used to specify further factors that regulators need to consider when establishing approaches for charging fees in the charging schemes, in addition to those already set out in clause 17. That might be needed to deliver greater consistency in how the cost recovery measures are being applied and is something that the Government will keep under review.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I apologise for the pace of my speech; I will try to make sure I am speaking more slowly.

On the particular point on transparency and ensuring that any amendments to cost recovery are both transparent and grounded in specific provisions, I can set out the sorts of expectations we have had for circumstances in which amendments might be made. In particular, the Bill’s powers will enable regulators to set up charging schemes, but it is not prescriptive—

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The Bill’s new powers enable regulators to set up charging schemes, but it is not prescriptive about how it should do that beyond certain baseline requirements. More specific requirements, as provided for in the Bill, could become clear, such as if cost recovery mechanisms are not working effectively or if regulators are diverging unhelpfully.

All regulators must consult on charging schemes. In doing so, the industry should have ample opportunity to scrutinise the approach that regulators are taking and, importantly, Parliament should be able to add to that scrutiny as well. Like clause 31, clause 34 is essential for the future-proofing of NIS regulations.

Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs; I have mentioned examples of the sorts of factors we might specify in that context. Together with clauses 29 to 33, 35 and 41, clause 34 is necessary to ensure that the Secretary of State can update and amend the functions of regulators as needed in the future, and is an integral part of the Bill’s future-proofing powers.

Clause 35 is the final clause that clarifies the limits and prospective uses of the regulation-making power in clause 29. It confirms that the regulations may confer functions and allow certain functions to be delegated to others—for example, it could enable a regulator to delegate functions to inspectors. It also clarifies that regulations can be made to require a person to have regard to guidance or codes of practice, or that make provision by reference to another document or piece of guidance. In short, the clause provides helpful clarity about how the regulations could be applied.

The Chair

- Hansard -

Copy Link

I thank the hon. Lady for her point of order. It is a convention, and if the hon. Lady or any other Member wishes to sit on the Front Bench to make life easier, they certainly have my permission to do so.

The Chair

- Hansard -

Copy Link

I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.

On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would be closely regulated entities to ensure the proportionate implementation of codes.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Clause 41 gives further detail on the sorts of provisions that can be included in regulations made under clause 24 and chapter 3 as a whole. It confirms that regulations can make different provisions for different purposes, different categories of person or different areas; can make provisions for how those regulations apply to the Crown or UK territorial waters; and can include consequential, supplementary, incidental, transitional or saving provisions. The clause also defines how certain terms used in regulations should be interpreted, such as “relevant UK waters” or “primary legislation”. In summary, the clause provides important points of clarification about how the regulation-making powers in the Bill can operate. I propose that clause 41 stand part of the Bill.

Clause 42 sets out the consultation requirements and parliamentary procedure that apply where regulations are used to designate new essential services or regulators, to impose regulatory requirements or change regulator functions, or to amend requirements for the five-yearly legislative review.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.

In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.

In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.