Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting) Debate

Department: Department for Science, Innovation & Technology


Ben Spencer Excerpts
Thursday 5th February 2026


Public Bill Committees
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

It is a pleasure to see you in the Chair, Mr Stringer. The Bill will make crucial updates that build on the NIS regulations, which are the UK’s only cross-sector cyber-security regulations. As clause 1 sets out, “NIS regulations” refers to the Network and Information Systems Regulations 2018 (S.I., 2018, No. 506).

Clause 2 gives an overview of the Bill’s parts and what they include. It sets out that part 2 amends the NIS regulations by expanding the scope of the regulations to cover data centres, large load controllers and managed service providers. It also introduces powers for regulators to designate suppliers as being critical for their sector. Part 2 also updates the existing incident-reporting regime and includes provisions relating to the recovery of regulators’ costs, information-gathering and sharing powers, and enforcement powers. Part 3 gives new powers to the Secretary of State to specify other sectors as in scope of the regulations in future, to create new regulations relating to the security and resilience of regulated services, and to issue a code of practice and a statement of strategic priorities. It also requires the Secretary of State to report on this legislation and its implementation. Finally, part 4 gives new national security powers for the Secretary of State to issue directions. I commend the clauses to the Committee.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.

The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.

Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.

Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.

In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

Does my hon. Friend agree that, although we support the intent behind the Bill, clause 2 does a lot of framing work but does not necessarily consider the extensive perimeter that is coming through and how proportionality will be applied in practice? I suggest that the Committee keep that in mind as we move through the detail.

Dr Spencer

I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.

Chris Vince

The hon. Gentleman is making an interesting speech. I recognise his desire to be constructive on the issue. Will he recognise that this is about finding a balance? We want to include some flexibility in the legislation, because of the ever-changing threat that he mentioned. Equally, we recognise the challenge that SMEs may face in complying with the legislation on data sharing, but it is important that they do so, because not complying will have an impact on their business.

Dr Spencer

I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.

These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.

Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.

The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.

If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.

Kanishka Narayan

I welcome some of the Opposition spokesperson’s comments. Let me briefly address his questions about definitions and public sector inclusion. It is customary for the Opposition to oppose for the sake of opposition, at times, and I am afraid that this is one of those times; I have so far set out only two clauses, which are effectively an index to the Bill. Notwithstanding that, I will address his two particular points.

I was delighted that in our evidence sessions we heard from witness after witness who appreciated the flexibility of the Bill. For the Government to prescribe activities or incident thresholds in the finest detail in primary legislation is not how businesses, Government and regulators ought to engage. I hope that the Opposition will come to appreciate that in due course.

On critical suppliers, which no doubt we will come on to, I thought that in response to Opposition comments at our second sitting, I set out a very clear, precise set of tests. I found no opposition to that claim, but I look forward to hearing any original thoughts on that question.

On incident reporting, I was delighted that there was a witness who noticed that the extension of the definition of incident reporting, to include incidents capable of having an impact, was appropriate and exactly in the right place.

On the question about the public sector’s inclusion, we are here not to prescribe and wait for a law to tell us what we ought to do in the public sector, but instead to move fast and fix things. In that spirit, the Bill focuses on essential services.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.

Clause 2 ordered to stand part of the Bill.

Clause 3

Identification of Operators of Essential Services

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

Clause 3 makes important distinctions as to which organisations can and cannot be considered operators of essential services for the purposes of the NIS regulations. It clarifies that a person—in practice, an organisation or business—can be an operator of an essential service regardless of whether that person is established in the UK, as long as they are providing essential services in the UK. That means that organisations established outside the UK can be regulated under the NIS regulations.

Clause 3 also makes it clear that the NIS regulations do not apply to public electronic communications networks or to public electronic communications services. Those are telecoms operators, which are regulated separately under the Communications Act 2003. The amendments in clause 3 will prevent telecoms companies from being subject to duplicate regulations; they will also ensure that all essential services in the UK are protected, even if the company operating them is based outside the UK. I commend the clause to the Committee.

Dr Spencer

Clause 3 will amend the relevant provisions of the NIS regulations, stipulating that operators of essential services are within scope of the regulations whether or not they are operating an essential service in the UK, and regardless of the jurisdiction in which they are established. Providers of public electronic communications networks and public electronic communications services are excluded from characterisation as operators of essential services, as the Minister says, to avoid duplication with their sector-specific cyber-security regime.

The clause is an important provision to ensure that entities providing essential services in the UK are compliant with domestic standards. Perhaps the most important aspect of the change is ensuring that serious cyber-security risks that appear within the systems of those entities are reported to the UK authorities for action. That is vital for the National Cyber Security Centre to keep abreast of emerging risks and be able to respond to them.

Nevertheless, the complex maze of compliance and regulatory standards across jurisdictions is a growing challenge for businesses of all sizes and particularly for small and medium-sized enterprises. This is also a complicating factor facing UK companies when providing services abroad, particularly in the digital domain. Will the Minister lay out what discussions he has had with industry representatives about easing the complexity of cross-border digital service provision to ensure that the UK is a competitive and attractive place to do business?

Kanishka Narayan

On the question about cross-border compliance and making sure that we have a proportionate and effective regime, we have had a series of engagements at ministerial and official level with representatives of techUK, the industry body. The NCSC has convened a series of organisations—not least managed service providers, but others as well—and there has been a pretty extensive period of consultation on that and every other matter in the Bill.

I feel satisfied that the Bill strikes a good balance in ensuring proportionality in what businesses experience. Critically, as supply chains in this context become increasingly cross-border, it is vital that bodies that may not be resident in the UK but which provide essential services here are included in the scope of the Bill.

Question put and agreed to.

Clause 3 accordingly ordered to stand part of the Bill.

Clause 4

Data centres to be regulated as essential services

--- Later in debate ---
Dr Spencer

Clause 4 amends the NIS regulations to bring data centres that meet certain thresholds within scope of the regs as operators of essential services. As drafted, these data centres will be regulated by DSIT and Ofcom, but the amendments moved by the Minister propose that Ofcom will be the sole regulator for the subsector. I thank him for his explanation of why he has tabled these amendments.

Given the oral evidence from Ofcom and other sector regulators earlier this week regarding the challenges of recruiting skilled cyber-security staff to regulate effectively, what assessment has the Minister made of the additional regulatory burden on Ofcom of this decision and its capacity to secure adequate resources to meet it? Clause 5 extends the scope of the regulations to data centres operated by the Government, with the exception of services provided by or on behalf of intelligence services handling classified information.

Data centre infrastructure is increasingly vital to the UK’s society, economy and security. Data centres underpin nearly all aspects of our digital lives, from sending emails to booking GP appointments or ordering shopping online. Businesses of all sizes routinely process their workloads in the cloud, supported by data centres. For those reasons, data centres were designated as critical national infrastructure—CNI—in 2024.

The UK digital sector, which is heavily reliant on data centres, contributed more than 7% of the UK’s total gross value added in mid-2024, growing almost three times faster than the rest of the economy. Data centres are also critical to the UK’s ambition to become an AI superpower. Training artificial intelligence models relies on access to an abundance of processing capacity, or compute, located in secure data centres.

In October last year, Amazon Web Services experienced a glitch in one of its US data centres, which set off a chain reaction that took down online services across the globe.

Bradley Thomas

On the growth of this industry, and with 78% of UK enterprises relying on cloud-based services, 96% of companies expected to use public cloud services, 35% of UK businesses outsourcing IT support and, as of last year, 63% of organisations planning to continue or increase their IT outsourcing over the next 12 months, does my hon. Friend the shadow Minister agree that greater consideration—or at least elaboration—must be given to the vulnerability of the supply chain of large load data centres?

Dr Spencer

My hon. Friend will be aware that the issue regarding the bottleneck in the supply of cloud computing, in which I put data centres, compute more generally and access to large language models, in our country is very much on my mind, and we have been raising it with the Government. At the moment, I understand that around 70% of cloud services directly procured by the Government are coming from the three big US providers. I hear from UK SMEs—not just cloud providers, but SMEs of all types—all the time about the challenge that they face with Government procurement contracts to procure domestic UK-company services, whether that is central Government or otherwise.

We are getting ourselves into a very difficult situation from a resilience perspective: not only are we currently heavily reliant on US big tech, but we are not doing the work we need to do right now to support a burgeoning UK tech industry. In the UK, we have fantastic universities and businesses. We really are a centre of innovation, but the problem is that companies can really struggle to take the next step forwards.

Of course, Government procurement is not the be-all and end-all—although, depending what sort of sector the company is operating in, it might be—but we are certainly not focusing enough on supporting our SME sector. The sector is really good and strong, and it has the potential to be great, but we still have not had a hyperscaler. We have not seen the expansion in the UK digital and tech sector that, all things considered, given our background and where we stand in terms of our academic and business resources, we really should have seen.

--- Later in debate ---
The Chair

Order. Interventions should be short and to the point. If any hon. Member wishes to catch my eye, they should not have any difficulty in doing that, but it is important to keep a distinction between interventions and contributions to the debate.

Dr Spencer

The hon. Member for Lichfield may be aware that my background is in medicine; I used to be a doctor before I came to this place. One of the skills and challenges in medicine is that any medical intervention—apart from a small handful—always has a risk of harm or side effects to the patient. It is always a balancing act between the harm and the benefit. My bread and butter before I came to this place was balancing harms and risks in the best interests of the person in front of me.

Although I have never been a businessperson, and I have certainly never owned or run a data centre, my approach to business burdens is to see the extra things that the Government make businesses do—which are not necessarily what businesses would normally do or see as in their direct interests—as a prima facie harm. I will expand my words a bit if that helps in explaining the logic. The starting point is that it is an extra burden and a harm, but then benefits from other angles can outweigh that harm. It is getting businesses to do something more; if they were doing it anyway, we would not need regulations. It is an additional thing that business is being asked to do. It might be that we have decided that overall it is in the best interests of the sector. Individual businesses cannot regulate and change the sector themselves, so we have decided, “For the good of society, we think businesses should do this.”

I am always a little careful when we politicians say that we know what is better for business in terms of what they are doing. I take the point about how regulatory certainty can be helpful in itself. I also take the point about the overall benefit to society and the business network of having confidence that there are secure and working data centres and that the large load controllers—which we will talk about presently—have control. This Bill is a full-fat compendium of cross-regulations and links. I feel for any business looking through the later chapters and finding themselves subject to those requirements. We have to keep that in mind: all of us in this Committee want our businesses to succeed and do well, and we also want stable and flourishing infrastructure.

Going back to my medical roots, the starting point should be, “Primum non nocere”. That is often misinterpreted as, “First, do no harm”; actually, not doing harm is the main thing that we should do. As a legislator, you should have quite a high threshold before you start saying, “The solution is putting in another law. Let’s create another regulation,” or, “Let’s put another burden on business.”

One of the challenges I had when looking at the Bill when it was first published was understanding why we need it in the first place. What is its starting point? That is something that I have been exploring and thinking about as we have been preparing for this Committee stage. Why is our industry not doing it itself and sorting this out? Why is the Minister here today bringing forward these regulations on business and why is that necessary in the first place as opposed to business sorting it out?

I am sure that this is something that the Committee are going to come back to and explore in more detail when we discuss some of the more high-profile cyber-security impacts, particularly on Jaguar Land Rover and M&S. The hon. Member for Lichfield makes a very good point, and I do not think that this debate is settled in some ways—and I am sure we are going to come back to it quite a few times during the passing of this Bill.

Dave Robertson

I think your crystal ball is working today.

Dr Spencer

I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.

Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.

The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and to regulate data centres, it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?

Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?

Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.

In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.

Alison Griffiths

My hon. Friend is making a very good point, which also applies to improving board awareness and ensuring that the enforcement of the regulations incentivises boards to take the issue seriously and make sure that they are equipped to understand the commercial reality of cyber-security for their businesses. Enforcement is an important part of that.

Dr Spencer

That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.

Bradley Thomas

Does the shadow Minister agree that the Government should heed the message of Chris Dimitriadis, the chief global strategy officer at the Information Systems Audit and Control Association? He said:

“The era when cyber regulation could focus solely on critical national infrastructure is over. Today, every major employer is part of the digital economy—and therefore part of the threat landscape.”

Surely the Government should heed that message.

Dr Spencer

That is a stark message. Going back to my previous point, I struggle to think how many small businesses can really put in the necessary resource to take these sorts of steps on cyber-security.

There is a broader point here, which goes back to my opening remarks. A chunk of this involves hostile state actors that are attacking our companies, Parliament and the Government, whether directly or through their intermediaries. I find it quite ironic that it was announced earlier this week that our security services are going to work with China’s security services to deal with cyber-security threats. I thought, “Well, hang on a sec. What are they going to say, given that the Chinese Communist party is one of the main drivers of cyber-security threats in the UK?”

Legislating in this area and deciding how to approach it as a society is a particular challenge, given that it is not merely criminals or hacktivists doing this stuff to our companies and institutions; there is also full-fat hostile state interference from Russia, Iran or the Chinese Communist party.

Bradley Thomas

The risk and the threat from hostile states is plain to see. Does my hon. Friend have any sympathy for the ten-minute rule Bill that I introduced a few months ago on the Floor of the House? We need to strike a balance between the risk that bureaucratic administration poses to small businesses and the very real risk that cyber-attacks pose to the economy in general. The Government should have the private sector in scope and look at setting a threshold that does not become burdensome on smaller businesses. My proposal was for any company that turns over £25 million or more to be in scope, in order to not bear down too heavily on small companies that would otherwise find the process, the risk and the burden of reporting too onerous.

Dr Spencer

I thank my hon. Friend for his interesting proposal, which attempts to crack the nut of one of the problems subsumed in the Bill.

The Bill cherry-picks certain sectors that need to be regulated entities, and there is a whole host of definitions. Then the Secretary of State can allocate some of the bits that they want to tag on through secondary legislation or the designation of a critical supplier. Then we have the MSP component. But there is something the Bill does not deal with. If I were to ask the man in the street to identify the biggest cyber-security attack they have heard of in the past year or so, their answer would probably depend on where they live. If they live in the west midlands, they would talk about JLR, which has had a catastrophic effect on the local economy. In other parts of the country, the focus might be on Marks & Spencer or the Co-op. The Bill does not fix that, so what needs to be done? Should there be a threshold based on turnover, so that the process is not so onerous on certain companies, or something to support the insurance industry?

The Bill is silent on this issue, and the Government need to come up with some answers. I totally understand what they are trying to do with the Bill and how it is taking us forward—of course the NIS regulations need updating—but it does not fix the big stuff that has had a huge impact on people’s lives and required a massive bail-out of several billions of pounds-worth of taxpayers’ money. How many more JLRs can the Government afford to bail out until they have to do something to resolve the issue? I suspect we will come back to that, but I am glad that my hon. Friend introduced his ten-minute rule Bill.

We need to have a solution, but at the same time, we should not put onerous burdens on companies that are already struggling because of the Government’s anti-growth agenda and the punitive taxes being imposed on them to pay for profligate spending. This goes back to the discussion about prima facie harms. Taxation is the best example of a prima facie harm.

Dave Robertson

Will the hon. Member give way?

Dr Spencer

I am very happy to give way on taxation.

Dave Robertson

I fear I am about to repeat what I said a moment ago. I am aware that nobody gets up in the morning and is excited to pay tax, but tax pays for our roads, for our infrastructure, for our hospitals, which keep our workforce in good health, for the education of the next round of employees, for our security services, and for the police, who help to prevent crime. It pays for a whole variety of things that are essential for business to succeed, so taking an evangelical view that tax is bad is just not—

--- Later in debate ---
The Chair

Order. I want to take this opportunity to again remind the hon. Gentleman and the shadow Minister that this Bill is not about tax. It is relatively narrowly drawn, so I would be grateful if hon. Members can come back to what is on the face of the Bill.

Dr Spencer

As I risk getting into trouble with Mr Stringer, I will not respond to the hon. Member for Lichfield. I look forward to the opportunity to debate this issue again, perhaps in the emergency Budget in the next couple of weeks.

Clause 6 brings large load controllers, which provide the flow of electricity in and out of smart appliances, within scope of the NIS regulations if the load is above 300 MW. I understand that the threshold has been decided through consultation, given that that pressure could have a substantial impact on the grid. There is a challenge in managing peak demand and supply in the grid and big changes in it, so I entirely understand why the Government are introducing this provision. Smart EV devices—I have a smart charging electric vehicle device myself—used system-wide could cause big grid disruptions, particularly as we integrate infrastructure into our homes such as solar panels, batteries and other energy-related smart devices.

In fact, we need the grid to become more smart device-integrated over the next 10, 15 or 20 years. When we look at projections of energy consumption, we see that we will need to enable people to use the grid by expanding technology such as vehicle-to-grid energy supply, so that we can manage peak load. That is part of expanding our energy, reducing energy costs and supporting renewable energy and the transition to net zero. If anything, this issue will become more important and expansive over the years.

On that basis, I have some questions for the Minister about the clause. Why are data centres and large load controllers the two sectors that he has decided to put on the face of the Bill? I say that with particular reference to the NIS2 regulations, which are expanded a bit more. How does he envisage this area expanding in the future? Is he confident that the scope of the clause is sufficient to cover future technologies that are coming down the track? I am thinking of EV charging apps. The list is prescriptive, but does it have sufficient flexibility? Is the Minister able to come back with secondary legislation if he needs to expand the list in the future, given that it is in the Bill in that form? Would it not be better to put that on the face of the Bill and to use secondary legislation to lay it out, in order to have flexibility? The Minister has been trying to ensure flexibility elsewhere, and understandably so—let us not go back into those debates. I just want to understand his reasoning behind that a bit better. That is certainly not a criticism, but I want to know why those particular sectors have been pulled out, and why it has not been left for secondary legislation.

Kanishka Narayan

With your permission, Mr Stringer, I will restrict my comments to the clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.

The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.

--- Later in debate ---
Kanishka Narayan

Loudly and slowly: this will capture organisations remotely managing significant amounts of electrical load via energy-smart appliances, both in a domestic and non-domestic setting. These organisations play an increasingly important role in the management of the electricity system, but are not currently regulated for cyber-security. A cyber-attack could therefore create major disruptions to the national grid, shutting down public services and critical national infrastructure. Capturing load control as an essential service will safeguard the public from these disruptions. It will also reflect the need to bring in new safeguards to manage a more digitalised and dynamic energy landscape in the transition towards net zero.

Dr Spencer

Before the Minister moves on—I was a bit nervous that he was going to finish—I have an additional question about the Crown data centre. What happens if a data centre is providing services commercially to both the public and the Crown? How is that operated within the scope of the Bill?

--- Later in debate ---
Kanishka Narayan

I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.

Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.

This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.

Dr Spencer

Clause 7 amends the definition of cloud services, which have been within the scope of regulation since the NIS regulations came into force. The expanded definition emphasises remote accessibility and the “on demand” nature of cloud services, and that services may be delivered from multiple locations. It also excludes managed services from the scope of cloud services to avoid duplication of regulatory requirements and oversight.

The Minister proposes changes to this provision in Government amendment 13, which sets out further details regarding the features of in-scope cloud service provision, including common access by multiple users, with each having access to separate processing functions. My question to the Minister builds on the one raised by my hon. Friend the Member for Bognor Regis and Littlehampton. It is obviously difficult—if it is possible at all—to predict how the tech sector will evolve, but what powers will the Government have to adjust these provisions as the cloud ecosystem changes, and what consultation has the Minister done on that within the scope of the Bill?

Kanishka Narayan

On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.

--- Later in debate ---
David Chadwick

Apologies for the preview.

Dr Spencer

If I might just help a colleague, I think the grouping and selection of amendments has changed, so the hon. Member for Brecon, Radnor and Cwm Tawe may have the previous iteration.

The Chair

That is very helpful. Thank you.

Amendment 13 agreed to.

Clause 7, as amended, ordered to stand part of the Bill.

Clause 8

Duties of relevant digital service providers

--- Later in debate ---
David Chadwick

Surely, we cannot pass a cyber-security and resilience Bill that ignores a crime that affects thousands of people. We know that cyber-security criminals across the world attack individuals to enable themselves to get into systems. Families are losing life savings, and small businesses are shutting down because of this epidemic.

The Government often treat fraud as a policing issue, but the amendment would establish that it should be regarded as a cyber-security issue that needs action at the national security level. By amending regulation 12(1) of the NIS regulations, we place a legal duty on digital providers to identify these vulnerabilities proactively. If we mandate that providers manage fraud risks before an incident occurs, we will reduce the number of victims and the devastation caused to livelihoods. We cannot claim to protect our digital economy while ignoring the billions of pounds lost to scams.

Dr Spencer

Clause 8 provides a new definition of “relevant digital service” and makes it clear that this category includes online marketplaces, online search engines and cloud computing services. The definition of “relevant digital service provider” is updated to encompass all entities providing a relevant digital service in the UK, regardless of whether they are established here. Entities designated as critical suppliers are excluded from the definition to avoid duplication of duties and regulatory oversight from sector-specific competent authorities.

However, the definition excludes from scope of regulation relevant digital service providers subject to public authority oversight, unless they derive over half their income from commercial activities. The exclusion of organisations overseen by public authorities also applies in relation to relevant managed service providers.

In many respects, clauses 7 and 8 provide necessary updates to reflect the changing nature and use of vital digital services. Once again, including within the scope of regulation companies that deliver services to the UK but are established or headquartered elsewhere helps to ensure that those companies report cyber-security incidents to UK authorities, rather than just authorities in their home states. That means that UK regulators and law enforcement are equipped with the most comprehensive knowledge of emerging threats.

--- Later in debate ---
Bradley Thomas

Given the blurring of boundary lines between cyber-attacks and financial crime, I can see the compelling reasons why the amendment has been tabled, but does the shadow Minister agree and acknowledge that fraud detection often requires a different skillset from standard network security, so it is important to strike the right balance?

Dr Spencer

I broadly agree. This is one of those difficult areas where there can be overlap. I have sympathy with the argument that it is important to use any opportunity, and in particular this Bill, to raise fraud.

We focus on financial fraud, but this area is not limited to that, especially when we think about other malicious operators, and about ransomware and hacktivism, where the boundaries are particularly blurred. In a situation where a fraudulent operator, service, provider or organisation has material, whether on social media or subject to search engines, and the police or other competent authorities have flagged it to the provider as fraudulent—as illegal criminal activity—what duties does that provider have to remove it or take it down? Is that something that the Minister is aware of? Has he looked into it, and what is the Government’s plan to crack down on that activity?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.

That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.

Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.

The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.

Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.