Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Ben Spencer
Main Page: Ben Spencer (Conservative - Runnymede and Weybridge)Department Debates - View all Ben Spencer's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting)
Ben Spencer ExcerptsTuesday 10th February 2026
(4 days, 9 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
Kanishka Narayan
I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.
As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Mr Stringer.
Clause 25 introduces a power for the Secretary of State to issue a statement of the Government’s strategic priorities in relation to the security and resilience of network and information systems with regard to essential activities. The statement will set out the responsibilities of regulators and specify objectives to secure the Government’s priorities. Competent authorities must be consulted in the drafting of the statement, and the Secretary of State must issue a report in every 12-month period on regulators’ compliance with meeting the objectives within it.
The changes aim to address important challenges around consistency in the approach to regulation that were identified by the previous Government’s second post-implementation review of the NIS regulations. Importantly, the measures also provide for a regular review of competent authorities’ approach to discharging their regulatory obligations. That measure is necessary given the inconsistent approach to oversight and enforcement of the NIS regulations so far.
We know that there are existing challenges relating to the capacity of competent authorities and there is the ongoing issue of securing sufficient cyber-security professionals to staff the teams. It is all well and good making statements, but they need to be followed. What strategies does the Minister anticipate will be needed and used to support—and, where necessary, drive up—standards of regulatory oversight when competent authorities fall short of the aims set out in the statement?
Kanishka Narayan
I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.
Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.
Kanishka Narayan
I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.
Dr Spencer
The Minister is being generous with his time during this important debate. I was just thinking through his earlier response to the point made by my hon. Friend the Member for Bognor Regis and Littlehampton about using the cost reclaims to employ cyber-security professionals. That goes to the heart of the concerns about the Bill and its approach to regulation.
We have heard that the industry, including regulators, is struggling to recruit cyber-security professionals. What gives the Minister confidence that, just because some money will be sloshing around in the regulators, there will be the ability to recruit cyber-security professionals, who are going to be essential to the implementation of the Bill?
Kanishka Narayan
First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal that so more people can benefit from cyber-skills and serve in the industry.
There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.
The Chair
I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.
Dr Spencer
I confess, Mr Stringer, that I suspect I am also guilty of speaking a bit fast in our previous debates. I will do my best to slow down and speak in a lower tone, as I know that can also help, particularly with certain types of hearing impairment.
To continue the theme of agile regulation, clause 29 enables the Secretary of State to update the NIS regulations through secondary legislation. Clause 30 enables the Secretary of State to impose requirements on regulated entities, which may include directions to take specific actions to increase cyber-resilience, to report on certain matters and to appoint a UK representative if the entity is based outside the UK.
Furthermore, clause 31 specifies that the Secretary of State may direct competent authorities to undertake certain activities, including mandating functions in connection with monitoring and securing compliance with relevant requirements, investigating suspected non-compliance and mitigating the effects of non-compliance on the part of regulated entities. Clauses 32 to 35 provide for the Secretary of State to issue ancillary directions to facilitate information-gathering, investigation and enforcement activities on the part of regulators.
Taken together, the clauses give the Secretary of State a strong suite of powers to respond to emerging cyber-security risks. Again, I recognise the necessity of being able to respond quickly in fast-changing circumstances. However, the Government should clearly be reporting on the Secretary of State’s exercise of the powers at regular intervals to ensure transparency. We will discuss that in due course when we come to clause 40, on the report on network and information systems legislation.
Kanishka Narayan
Clause 36 sets out that the Secretary of State may issue a code of practice for regulated entities. The code will describe recommended steps to help these entities to comply with their duties and requirements under the NIS regulations and any new regulations made under the Bill. This will make it simpler for regulated persons to understand what is expected of them, thereby driving consistency and complementing sector-specific guidance from regulators.
The clause will also make enforcement clearer and more effective, as regulators must take the code into account when they assess compliance. The code is designed to be flexible: it can be updated as threats and technology change, and can be tailored to different types of organisations, ensuring that guidance is current, relevant and practical for all.
Given the importance of the measure in providing practical recommendations to regulated entities, it must be consulted on before it is prepared or revised, and this process is set out in clause 37. Before the code can be brought into force, a draft must be laid before Parliament, providing ample opportunity to scrutinise and, if necessary, reject it within a 40 day period. If either House objects, the Secretary of State cannot proceed with that version and may prepare a new draft. If the draft is approved by Parliament, the Secretary of State may issue it and must publish it, and it then comes into effect immediately, unless otherwise specified. The clause also clarifies how the 40-day period is calculated, to ensure consistency and transparency in the process.
As we know too well, cyber-threats continue to evolve as new tactics and technologies are deployed, which is why the clause includes a power for the Secretary of State to amend the procedure for issuing the code. The Secretary of State may, for example, wish to add or amend consultation requirements or extend the 40-day period.
Clause 38 establishes how the code of practice will be used and treated in legal and regulatory settings, to ensure it has the intended effect. For regulated persons, the code of practice is intended to be formal guidance, with recommendations on how to comply with their duties, but not to be legally binding itself.
As we know, there can be more than one way for businesses to meet their obligations and ensure that they have in place appropriate and proportionate security and resilience measures. It is therefore important that there is a degree of flexibility in how they do this, to accommodate sector-specific nuances and business needs. None the less, it is crucial that the code has sufficient legal status and that the good practice it contains is not simply ignored. That is why the code can be admissible as evidence in court when deciding whether legal obligations have been met, and why the courts and regulators must consider it as evidence when assessing compliance.
Clause 39 establishes a formal process for the withdrawal of the code of practice, in case that is ever needed.
Dr Spencer
Clause 36 provides that the Secretary of State may issue a code of practice for regulated entities to set out measures that they should take to demonstrate compliance with their duties under the NIS regulations, or any requirements imposed by the Secretary of State under clause 29. If done well, the code could be a repository of best practice, setting proportionate, consistent and effective standards for regulated industries. That will require constructive and open consultation with regulated sectors to identify the challenges facing those sectors and how best to address them.
One issue that came up in oral evidence was the question of the lag between regulation making and industry adoption. David Cook of DLA Piper commented that, after laws come into effect, the process of businesses understanding where they need to get to
“often requires a multi-year programme of reform.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 5, Q1.]
The code of practice is not envisaged to be legally binding, in the sense that a failure to comply is not of itself evidence of a failure to meet obligations under the NIS regulations or the Bill. However, clause 38 states that it would be admissible as evidence in legal proceedings so, in that sense, the code is binding in all but name. In view of that, and the fact that codes can be revoked and reissued, can the Minister provide reassurance to regulated industries that a lead-in time will be built into any requirements to allow businesses to prepare to achieve full compliance?
Kanishka Narayan
First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.
On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would be closely regulated entities to ensure the proportionate implementation of codes.
Kanishka Narayan
I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.
Dr Spencer
For the sake of clarity on the legal status of the codes, I entirely agree with the Minister that it is important to get this right, and my understanding of codes of practice in a different area—statutory codes of practice relating to the Mental Health Act—is that case law says that deviation from the code of practice should be done only for cogent reasons. That is a pretty high bar to pass in terms of deviations. I should declare an interest as a former consultant psychiatrist and someone who operated subject to that particular code of practice.
For absolute certainty, will the Minister write to the Committee and make the status very clear, along with reference to relevant case law in terms of other codes of practice? Does the clause override that jurisprudence or not? That would settle the question as the Bill goes through Parliament.
The Chair
Order. Interventions are getting a bit out of control again. I remind hon. Members that they should be brief.
David Chadwick
Amendment 26, tabled by my hon. Friend the Member for Henley and Thame, seeks to ensure that the Bill keeps pace with the reality that it seeks to regulate. In the world of cyber-security, five years is a lifetime. In the past five years, the size and scale of cyber-attacks has continued to advance at pace, and we can expect the next five years to be the same. In that context, waiting five years for the first formal parliamentary review of the Bill seems dangerous. It risks leaving us with a regulatory framework designed for the threats of yesterday and not tomorrow. The cyber-threat is real, evolving and urgent.
The NCSC has reported that nationally significant cyber-incidents more than doubled in 2025 alone. That is why the amendment would change the reporting cycle to once every three years. That is a pragmatic timeline, which allows the Government to identify gaps and close them before they are exploited. The EU’s NIS2 directive explicitly mandates a review by the Commission every three years, and it is not clear why the Government have decided to diverge from that standard. Is it because they believe that the cyber-threat here is considerably less than the one facing European member states? It is simply not clear, which adds to the general sense of bewilderment about this provision. If our European neighbours are reviewing their cyber-security approach every three years, why are the UK Government content to wait for five?
Dr Spencer
Clause 40 requires the Secretary of State to publish a report every five years on the operation of the NIS regulations and parts 3 and 4 of the Bill. Reports should include a review of any exercise of powers under parts 3 and 4 by the Secretary of State. Given the wide-ranging powers granted to the Secretary of State under those parts, I have some sympathy for amendment 26, tabled by the hon. Member for Henley and Thame, which seeks to reduce reporting intervals from five years to three.
The shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), raised this issue on Second Reading. She suggested that annual or biannual reviews might allow for effective parliamentary scrutiny of the NIS regulations and of the Secretary of State’s exercise of powers to respond to emerging threats. In view of the concerns voiced by the hon. Members for Henley and Thame and for Brecon, Radnor and Cwm Tawe, and by the shadow ministerial team, will the Minister explain why five-year intervals have been selected and whether the Government will look at this important issue again?
Kanishka Narayan
I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.
In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.
In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.
Dr Spencer
I have two questions for the Minister. Given the impact on devolved legislation, can he confirm that the consultation will extend to devolved authorities should it impact on them? My second question is more generally on the theme of devolved authorities. Can he confirm that, as part of the publicised “reset” negotiations with the European Union, bringing Northern Ireland into scope of NIS2 regulations is totally off the table?
David Chadwick
Amendment 27, which I move on behalf of my hon. Friend the Member for Henley and Thame, would give the Government the ability to remove, disable or modify hardware and software that could be used to infiltrate British national infrastructure, such as the cables underneath the now approved Chinese mega-embassy in Tower Hamlets.
The Prime Minister’s greenlighting of the Chinese super-embassy in the heart of London is a grave mistake that presents an open door for the ramping up of Chinese espionage in our country. It sends a regrettable and shameful message to Hongkongers—many of whom have already been targeted, intimidated and coerced by the Chinese Communist party—that trade deals are being prioritised over their safety. The Government must take a robust stance with hostile states such as China.
Dr Spencer
Clause 43 grants the Secretary of State powers to issue directions to regulate entities where there is a risk to national security, or where an action must be taken in the interests of national security. Directions can include requirements relating to the management of systems, the yielding of information and the removal or modification of goods and services. The Secretary of State may also require a regulated entity to engage the services of a skilled person to comply with directions issued. The Secretary of State has wide discretion to dispense with providing reasons for directions or consulting with the affected parties on the basis of national security considerations.
Clause 44 clarifies that the Secretary of State’s directions under part 4 prevail if there is a conflict between those directions and another statutory requirement. The exercise of these powers by the Secretary of State could have far-reaching consequences for businesses, which may experience interruption to their commercial activities, as well as the potentially considerable time and expense in adhering to a request made on national security grounds.
I have spoken on several occasions in the House and in this Committee about the critical risks posed to our cyber-security and national security by hostile state actors and their affiliates. It is, of course, right that the Secretary of State should have this power, but it should be used only in extremis. Like other extensive powers granted to the Secretary of State under part 3, it must be subject to oversight and guardrails. A report to Parliament, which may well be redacted, on the exercise of functions under part 4 will not be sufficient to ensure that this power is used proportionately. Has the Department considered introducing an obligation for the Secretary of State to report to the Intelligence and Security Committee when she exercises powers under part 4?
We discussed the Chinese super-embassy earlier. Later in the Committee’s proceedings, I will talk about an Opposition new clause that would deal with that problem effectively.
Emily Darlington (Milton Keynes Central) (Lab)
As the Minister will be aware, I have spoken consistently of my concern about our reliance on hardware and tech that comes from potentially non-favourable state actors abroad. That also relates to Government procurement, which I have raised before, as the Minister will know.
The Committee has already discussed how local government and Government Departments are not covered by this legislation, and how there is a separate strategy and document. Can the Minister expand on how protections against a reliance on foreign tech within critical infrastructure, in either the private or the public sector, are being dealt with in the Bill or in the strategy that has been published for the public sector? How will that be continually reviewed as our global geopolitical situation remains unstable?
Dr Spencer
I really do not understand the Minister’s answer. If it has not been published on national security grounds, how will we know that it has been laid? The whole thing could be entirely secret. Surely it has to go to the ISC as an accountability mechanism.
Kanishka Narayan
The Bill currently provides for clear parliamentary scrutiny. The Secretary of State is responsible for coming to Parliament, although some information may not be able to be presented in public. I am happy to write to the shadow Minister about the mechanisms that other similar regimes have used to ensure that Parliament’s scrutiny is informed in those cases, whether in Committee or otherwise. The primary mechanism is the one we use for constant parliamentary scrutiny, and it would be unfair for any of us to suggest that most of those channels would not be appropriate for the sort of scrutiny we are looking at.
Dr Spencer
I think the Minister is saying that there will be a parliamentary scrutiny mechanism under these powers. Is that what he is saying?
Kanishka Narayan
To repeat, exactly as I said: once a direction is issued, it will be laid before Parliament for scrutiny. If there is any misunderstanding, I am happy for the shadow Minister to write to me so that I can confirm it.
Dr Spencer
I really think we should be very critical about this. What we are doing now is parliamentary scrutiny. There will be directions in future, which we expect to be laid, and they will also be subject to parliamentary scrutiny. Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?
Kanishka Narayan
To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.
Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.
Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.
Kanishka Narayan
This group of clauses concerns how compliance with national security directions will be monitored. Clause 45 enables the Secretary of State to delegate the task of monitoring compliance with the direction issued under clause 43 to a NIS regulator. Regulators have valuable sectoral expertise and existing relationships with the entities they regulate. As such, it may be effective to delegate monitoring of compliance to the relevant regulator. The Secretary of State will retain the sole ability to make judgments about whether non-compliance has occurred, or if any penalty is appropriate. The regulator would be required to obtain information relating to compliance, to be shared with the Secretary of State. The Secretary of State would then determine how they would like to receive this information—for example, in reports or at regular intervals.
Clause 46 grants information-gathering powers to the Secretary of State and to regulators that are subject to a monitoring direction or request. In order to determine whether an incident or threat meets the bar for issuing a direction, or whether a regulated entity is complying with the direction, the Secretary of State will need information from that entity and potentially other parties. The clause establishes the power for the Secretary of State to request that information. As the monitoring of compliance with the direction may be delegated to NIS regulators, the clause also equips those regulators with the power to request information needed for their monitoring functions.
Clause 47 grants the Secretary of State the power to carry out or delegate inspections needed to assess compliance with a direction, or with a confirmation decision specifying actions to be taken in the event of non-compliance. The Secretary of State is responsible for judging whether a regulated entity is complying with a direction, and therefore needs access to relevant information that the regulated entity holds. In some cases, this may not be possible to verify without physical attendance. To ensure the effective use of time and resources, the Secretary of State will have the power to appoint a person to carry out an inspection on their behalf, or to direct the recipient of a direction to appoint an approved inspector. The clause also grants these powers to regulators, where the regulator has been directed or requested to monitor compliance on behalf of the Secretary of State. This will ensure that they can provide the Secretary of State with the most accurate information. I commend the clauses to the Committee.
Dr Spencer
Clause 45 gives the Secretary of State powers to require regulatory authorities to monitor and report on regulated entities’ compliance with directions given under clause 43 for reasons of national security. Clause 46 provides the Secretary of State with extensive information-gathering powers through the use of information notices to facilitate the giving of directions and monitoring of compliance with directions under clause 45(4). Clause 47 empowers the Secretary of State to conduct inspections to assess whether a regulated entity is complying with directions issued under clause 45(4). The Secretary of State may appoint a third party to conduct the inspection, and require the regulated entity to meet the costs associated with this.
I reiterate the point that these powers are necessary; however, given the potential for significant cost and administrative burden for businesses, they should be subject to contemporaneous or near-contemporaneous oversight by parliamentary authorities, observing the necessary confidentiality protocols. I also make the point that these information-gathering powers apply extraterritorially and may lead to conflict with regulated entities’ data privacy obligations in other jurisdictions. What discussions has the Secretary of State conducted with industry and law enforcement counterparts in other countries about the approach to information sharing for this purpose, and the implications for companies operating services on a cross-border basis?
Kanishka Narayan
I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.
The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.
Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.
Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.
These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which align with the provisions in clause 49.
Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.
A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.
Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.
I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.
Dr Spencer
Clauses 48 to 52 deal with notifications and financial penalties where a regulated entity is deemed not to be compliant with directions issued by the Secretary of State under part 4. In particular, clause 48 would grant enforcement authorities powers to issue a contravention notice if they believe a person has failed to comply with a requirement under part 4. The notice must set out details of remedial steps to address the failure, as well as the financial penalty that the enforcement authority intends to impose.
Clause 49 would require penalties to be set at a level that is appropriate and proportionate, with the maximum penalty being £17 million or 10% of turnover. A maximum daily penalty of £100,000 applies to ongoing breaches. The maximum fines for failing to comply with an information notice or an inspection would be set at £10 million.
Kanishka Narayan
I have two points to make to the shadow Minister on defining turnover. As he will be well aware, “turnover” is a technical term that is best defined in secondary legislation, to keep up to date with accounting principles that at times vary from sector to sector. He asked for factors that might contribute to definitions. The specific determination of turnover will be set out secondary legislation, but we intend to establish a presumption that only the turnover of the regulated entity that breaches the direction will be considered for determining penalties on this point.
Question put and agreed to.
Clause 48 accordingly ordered to stand part of the Bill.
Clauses 49 to 52 ordered to stand part of the Bill.
Clause 53
Power to direct regulatory authorities
Question proposed, That the clause stand part of the Bill.
Dr Spencer
Clause 53 would grant the Secretary of State powers to issue directions to regulators where this is necessary for national security reasons, and to allow a reasonable period for the regulator to comply with that direction. Clause 54 provides that directions may be amended or revoked by the Secretary of State. Under clause 55, directions to regulated entities or regulators must be laid before Parliament unless that
“would be contrary to the interests of national security.”
I repeat my earlier question about the ISC’s role regarding scrutiny. Clause 56 would permit the Secretary of State and regulatory authorities to share any information obtained under part 4 with each other and the NCSC. The provision also allows for the sharing of information with other UK or overseas public authorities with equivalent cyber-security or national security functions. Government amendments 23 and 24 seek to amend that clause to provide for directions and notices issued under this part to be sent by email to relevant persons who provided those contact details to regulatory authorities.
Some reassurance on the extent of information sharing for businesses is delivered through provisions specifying that disclosures of information should be limited to that which is relevant and proportionate. However, those are high-level and subjective terms, open to interpretation by the authority sharing the information. Can the Minister provide any update on the development of protocols between authorities to ensure that information shared is limited to that which is necessary for effective oversight and enforcement in relation to national security risks?
Kanishka Narayan
On the shadow Minister’s first point, I repeat what I said earlier and, of course, acknowledge his concern. I assure him that, while a direction can only be issued out of necessity for national security, it does not follow that public knowledge of that direction or its contents would compromise national security. I would expect a pretty extensive scope of such directions and, therefore, an appropriate channel of scrutiny in Parliament.
On his question of protocols to ensure information shared is not just proportionate in general, but specific to the purpose of national security specified, I am happy to give him the assurance that the Bill contains it and that, in the process of working out implementation, we will make sure that regulators are focused on developing those protocols.
Question put and agreed to.
Clause 53 accordingly ordered to stand part of the Bill.
Clauses 54 to 56 ordered to stand part of the Bill.
Clause 57
Means of giving directions and notices
Amendments made: 23, in clause 57, page 83, line 8, at end insert—
“(za) an email address provided to a regulatory authority as an address for contacting that person,”
This amendment would ensure that a direction or notice can be given to a person using an email address which has been provided to a regulatory authority as a contact email address.
Amendment 24, in clause 57, page 83, line 11, leave out
“there is no such published address”
and insert—
“no email address has been so provided or published”.—(Kanishka Narayan.)
This amendment is consequential on Amendment 23.
Clause 57, as amended, ordered to stand part of the Bill.
Clause 58 ordered to stand part of the Bill.
Clause 59
Extent
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk—
“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –
(a) from activities undertaken outside of the UK, or
(b) from foreign owned or controlled infrastructure or locations within the UK.
(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –
(a) the findings and conclusions of the review conducted under subsection (1), and
(b) the Government’s plan for addressing the risks identified.
(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –
(a) a review has been conducted under subsection (1), and
(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”
This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.
New clause 13—Statement on risks posed to systems by foreign interference—
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.
(2) Any statement under this section must—
(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;
(b) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains,
(iv) procurement processes, and
(v) the use of, or reliance on, foreign technologies or systems;
(c) include a specific focus on government digital procurement processes.
(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”
This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.
New clause 15—Review of high-risk bodies—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
“relevant body” means—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;
“network and information systems” has the meaning given by section 24(1).”
This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.
Dr Spencer
New clause 2 contains an obligation for the Secretary of State to establish and maintain by regulation a list of foreign powers presenting a significant cyber-security risk to the UK. The list must include states that have been confirmed by GCHQ as having perpetrated a cyber-attack, whether by a state department, agency or affiliate, on the UK in the preceding seven years. It must also include foreign powers that GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.
New clause 3 would compel the Secretary of State to review and report to Parliament on the risk to networks and information systems posed by foreign powers appearing on the register under new clause 2, with specific regard to activities undertaken from abroad and the risk posed by locations or premises controlled by those states in the United Kingdom. New clauses 13 and 15, in the name of the hon. Member for Henley and Thame, look as if they have been tabled in the same spirit of genuine concern about the risk of foreign hostile state interference and control in critical systems and supply chains.
There is an established precedent in UK legislation for maintaining registers or lists of hostile state actors and other entities presenting a threat to our national security for use by Government. That includes the foreign influence registration scheme under the National Security Act 2023, which came into effect last year. Russia and Iran were placed on an enhanced tier of the scheme, which applies to foreign powers considered to pose a risk to the UK’s safety or interests. The Government said that that was in response to those countries being identified as presenting an elevated national security risk. China was conspicuous by its absence, despite the director of GCHQ having confirmed in 2024 that her organisation devotes more resource to China than to any other single mission.
Chris Vince
The shadow Minister will forgive me for taking the opportunity to defend the Government and the Prime Minister; I was not expecting to do that in this Committee this week. I reassure Members across the House that this Prime Minister and Government put national security first. The shadow Minister will know that intelligence agencies have been consulted about the relocation of the Chinese embassy. He will also be aware that the proposed new site at Royal Mint Court is actually further away from this place than the current site.
Dr Spencer
Frankly, I find it astounding that, according to my understanding, in response to the planning decision being granted our security services said that they would take measures to start moving sensitive digital cables. It strikes me that a decision about sensitive digital cables should have been pertinent to the planning application in the first place.
The Government remain reluctant to name China as a threat to UK national security, despite the overwhelming and growing portfolio of evidence. In case the Government are still in any doubt, we need look only at the oral testimony given to this Committee by the Inter-Parliamentary Alliance on China for a clear picture of the role of China and its state affiliates at the forefront of the cyber-security threats to our critical sectors.
Given that established and growing threat, new clause 3 would compel the Secretary of State to review, among other matters, the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. In the Commons debate on the embassy application in June last year, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) reminded the Minister for Housing and Planning that the Government’s own cyber-security experts, Innovate UK, have warned about the threat to the City of London from the embassy. My hon. Friend made specific reference to the Wapping telephone and internet exchange that would be surrounded on three sides by this new embassy—not to mention the fibre cables I referred to earlier, which carry highly sensitive information and run beneath this site.
Chris Vince
I recognise that the shadow Minister cares passionately about the security of this country—as do I, which is why we are discussing the Bill. But does he not recognise that the site was purchased by the Chinese Government in 2018? There is a potential threat whether or not the new embassy is built there.
Dr Spencer
I do not want to repeat the discussion that we had a moment ago. I think it is complete lunacy to permit the building of a super-embassy—one of the biggest in the region—next to highly critical data transmission. I am also concerned by media reports that the Prime Minister’s recent visit to China was greenlighted only following the final approval of the embassy. I am deeply depressed that, following the visit, Jimmy Lai has been effectively sentenced for life. I respect the tone and constructive way in which the hon. Member for Harlow approaches this debate, but it is fair to say that the Government are sadly weak on standing up to hostile state actors such as the Chinese Communist party.
As I said at the start, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical cyber-security risks to the nation. I therefore submit that the new clauses are a vital addition to the Bill to focus the attentions of the Secretary of State to ensure that her functions under part 4 are carried out in the best interests of our national security. No responsible Government would or should vote against such provisions. Parliament should make it crystal clear that the Chinese Communist party is a threat to the United Kingdom. We must support new clauses 2 and 3.
Ordered, That the debate be now adjourned.— (Taiwo Owatemi.)