Dr Ben Spencer (Runnymede and Weybridge) (Con)

- Hansard -

Copy Link

- - Excerpts

It is a pleasure to serve under your chairmanship, Dr Murrison, and it is always a pleasure to follow my hon. Friend the Member for Bognor Regis and Littlehampton. I will speak to clauses 15 and 16 and to new clauses 6 and 7, tabled in my name on behalf of His Majesty’s loyal Opposition.

The previous Government stated in their consultation covering the subject of cyber-incident reporting that security breaches that did not result in a successful attack could still leave organisations open to follow-up attacks. It was identified that reporting how the breach took place would also allow regulators and other organisations to prepare for similar attacks in the future. It is therefore a welcome development that clause 15 significantly increases the scope and speed of cyber-incident reporting by regulated entities to competent authorities and the NCSC.

That increase in scope is achieved by broadening the definition of reportable incidents from the current position, where only cyber-attacks having an actual adverse effect are reportable, to a position to where cyber-incidents that are capable of having an adverse effect on the operation or security of network and information systems must also be reported. The Government’s explanatory notes for the Bill state that this change in definition

“is designed to include incidents that have compromised the integrity or security of a system without causing significant disruption yet, but that could have potential significant impacts in the future.”

This has been broadly welcomed by industry stakeholders as a measure that should provide regulators with greater intelligence about emerging threats, leading to improved risk management and hardened resilience in their sectors.

On the importance of intelligence gathering, we heard evidence from David Cook of DLA Piper and Chung Ching Kwong of the Inter-Parliamentary Alliance on China, among others, about the increasing use of prepositioning and “live off the land” technologies deployed by malicious actors. Once systems are infiltrated, attackers remain in systems, sometimes harvesting data, waiting for the moment when they can cause maximum harm and disruption. Those serious risks should be flagged to regulators wherever they are identified.

Dr Sanjana Mehta of ISC2 described problems of underreporting in relation to the existing NIS regulations regime, and welcomed the principle of expanding reporting, as did Jill Broom of techUK. However, both cautioned that while some high-level factors have been provided as to the criteria indicating whether an attack should be reported, such as the number of users, impact, duration of interruption and geographical reach, what is not clear at present are the thresholds that are linked to those criteria. Those details are vital if reporting is to be successful in ensuring that regulators are kept appraised of the most serious threats.

Dr Mehta summarised that concern succinctly in her comment:

“In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators”. ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 16, Q14.]

Likewise, techUK has stated in its written briefings on the Bill that

“technically any phishing email is ‘capable of’ having a significant impact if the organisation lacks adequate detection or response capabilities. This will lead to over-reporting of low-level incidents and potentially overwhelm regulators, thereby distracting attention from genuinely significant threats.”

As in many aspects of the Bill, the problem is not on the principle but in the detail. We heard in oral evidence about the concerns of industry and regulators regarding the availability of suitably qualified personnel to build capacity for effective regulatory oversight. We must be alive to that important consideration in ensuring that thresholds are proportionate and risk-based.

The Government have stated in their factsheets on the Bill that they intend

“to introduce thresholds through secondary legislation before this measure is brought into in force”

and after a period of consultation. They have also said that those thresholds will

“clarify the points at which we would consider the impact of an incident to be ‘significant’, and therefore reportable to regulators”.

What discussions has the Minister had to date with regulated entities and regulators about the approach to consultation on these thresholds? What is the feedback on what those organisations consider to be reporting priorities?

Dr Ben Spencer (Runnymede and Weybridge) (Con)

- Hansard -

Copy Link

- - Excerpts

It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.

The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.

Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.

Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.

In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.

Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.

The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and regulator data centres it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?

Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?

Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.

In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

The cloud providers tell me that the energy costs are crippling, which is highly problematic, and that is why we need to drive those costs down. They talk about the challenges of getting data centres built and about planning considerations, which are a concern across the country. They talk about the taxation environment and costs on businesses more generally, particularly when they are footloose, and they talk about the regulatory framework. Pretty much all of those things are not specifically in the Bill, with the exception of the regulatory framework, so there is a lot that is suppressing the opportunities for cloud providers and others in the sector and hindering them from doing business and succeeding.

There is a broader point to make about the Bill and the philosophy behind it, because there is something that we have to avoid. There is a sense in the UK that we are getting gummed up by regulation and obsessing more and more about limitations and restrictions to businesses. In that environment, people and organisations that do well financially, succeed and grow are seen as either targets or cheats—as something that we can go for, tax and punish. We have lost or diminished our can-do attitude when it comes to supporting the risk takers and the entrepreneurs, who are the people and organisations building the MSPs and data centres on which our economy relies.

Over and above that, there is a cultural issue that is impacting our IT and tech sector. As legislators we should ensure that the thing we have direct control over, which is the legislation in front of us, imposes as small a regulatory burden as possible while still ensuring that it is sufficient to meet our aims. We must listen to businesses and hear their concerns. We hear time and again that the lack of clarity, particularly in this part of the Bill, is putting them at financial and legal risk. That is a very substantial concern.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for her intervention. Legal clarity is important. I have absolutely no issue with lawyers, but we do not want to make a load of money for lawyers as a consequence of the definitional challenges around the Bill’s implementation. That is not good for businesses, which need certainty as to how to apply the regulatory framework under which they operate. Regulatory uncertainty will not help a business to make decisions. My assumption is that the default position will be for businesses to assume that they are not regulated entities, which means that they will not take actions that we would like them to take as a result of the Bill. Again, we will be making laws under which everybody loses out.

My final point is about the carve-out in respect of public authority oversight. It is all well and good for the Government to say, “We have an action plan and we’re going to sort out Government IT and the cyber-security risk for Government services,” but it is not playing out that way. Our biggest risks, and the most vulnerable components of our digital IT infrastructure, are those that are linked to Government services. Change is needed. My sense is that when a company interacts and shares data with Government and public sector services, the biggest-cyber security risk is likely to be in the aspects that are provided by Government services. We are making legislation that puts a host of burdens on the private sector, yet we are largely silent about what is happening in the public sector. Putting people at risk in that way is really not good enough. We need to support our overall cyber-security.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.

What happens in the circumstance where a critical supplier that acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.

Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.

Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff— I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.

If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.

It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say: “Ben, you’re completely wrong. We found some providers.”, but, if that situation arises, how will the arbitration occur in terms of the threshold?