
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)

Ben Spencer Excerpts
The Chair

I remind Members to send their speaking notes by email to Hansard and to switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind all Members, particularly the Minister and the shadow Minister, to speak loudly, slowly and clearly in support of others in the room.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

On a point of order, Ms McVey. I seek your advice with reference to the debate on clause 43, on 10 February. I draw Members’ attention to my question to the Minister in Hansard about parliamentary scrutiny of directions:

“Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 10 February 2026; c. 212.]

The Minister responded: “Yes.”

We received a letter over the recess dated 19 February—we are very grateful to the Minister for writing to us—which states something slightly different:

“The Government’s default position is that copies of directions will be laid in Parliament, to enable all parliamentarians to scrutinise the Government’s use of…powers. Where this is not possible for national security reasons, alternative options for scrutiny could be used, such as allowing for directions to be read in private reading rooms or briefing individual shadow ministers. As such, we are confident that alternative options are available for scrutiny when directions cannot be laid in Parliament for national security reasons.”

“Will” is different from “could” and “are available”. Given that we have moved beyond the debate on clause 43, what options are there for the Minister to either clarify those remarks or correct the record?

The Chair

I thank the shadow Minister for getting those comments on the record. Would the Minister like to address those points?

--- Later in debate ---
Kanishka Narayan

It is a pleasure to serve with you in the Chair, Ms McVey.

I thank the shadow Minister, the hon. Member for Runnymede and Weybridge, for the new clauses in his name, which would require the Secretary of State to create a register of foreign powers that pose a threat to UK cyber-security, to review that register, and to lay a report before Parliament. This is intended to inform the use of powers granted under part 4 of the Bill. I empathise with the shadow Minister’s concerns that hostile foreign actors could target the network and information systems of operators of essential services or critical supplies. That is a clear risk, and one that we are addressing through the Bill.

As drafted, the Bill grants the Secretary of State new powers to issue national security directions to regulated entities or regulators where their compromise poses a national security risk. So long as those tests are met, the powers may be used by the Secretary of State irrespective of the actor that is causing the national security incident or threat.

New clause 2 would require the creation of a register of foreign states that pose a risk to the UK based on GCHQ advice. I reassure the shadow Minister that regardless of the proposed new clause, any decision to use the powers in this part of the Bill will be informed by expert national security advice from GCHQ. As a result, it is unclear what additional support the proposed register would provide to the Secretary of State when, for example, deciding whether to issue a direction to a regulated entity.

Additionally, the report required by new clause 3 would effectively be a list of the vulnerabilities of the network and information systems of our essential services, and would therefore be an asset to malicious actors. That would be counterproductive to national security. The new clause would allow the Secretary of State not to publish part or all of the report, if publishing would be contrary to the interests of national security. However, it is unclear how even part of the report could be published without harming national security, given its intended content.

Drafting a report of vulnerabilities that cannot be disclosed to Parliament without harming national security would simply duplicate existing assessments, and run the risk of distracting Government from more effective measures to protect from hostile foreign actors. That is not to say that we shirk transparency about these kinds of risk. The Government are already able to communicate with Parliament and the public about such cyber-security risks where it is appropriate to do so, through things such as the National Cyber Security Centre’s annual report and advisories. I therefore kindly ask that the shadow Minister withdraw the new clause.

I thank the hon. Member for Henley and Thame for the Liberal Democrat new clauses in his name, which would require the Secretary of State to publish a statement of how the Government intend to address risks posed by foreign actors to UK network and information systems, and to assess how many entities regulated by the NIS regime are owned in part or in full by foreign states.

Let me reassure the hon. Member that the Government take the risks posed by foreign interference seriously. The NCSC’s annual reviews continue to highlight cyber-risks to the UK from foreign actors, as well as measures to mitigate those risks. We have robust processes for assessing such threats, drawing on the expertise of the intelligence community, including the National Cyber Security Centre and the National Protective Security Authority.

The measures introduced by the Bill will boost the security and resilience of network and information systems across essential services, managed services and relevant digital services, protecting them from the risks of foreign interference. Where that is not enough, the Bill provides a backstop: the new direction powers in the Bill will enable the Government to protect our critical services from exactly those kinds of national security risks. We will be able to require a regulated entity to undertake any action that is necessary and proportionate for national security in response to the threat of a compromise. Conducting assessments of the ownership structures of the many thousands of in-scope entities within six months would be disproportionately resource intensive, distracting Government from more effective measures to protect our services.

Publishing a review identifying national security risks caused by foreign state ownership, or assessing whether our powers are adequate, as the Opposition’s new clause 3 would require, would provide valuable insight to our adversaries. As I have previously set out, there is a clear pathway for Government to communicate with Parliament and the public about such cyber-risks where it is appropriate to do so, but where we identify specific concerns, it is right that we retain the ability to assess and respond without disclosing our conclusions to those who might exploit them.

Finally, it is worth pointing out that, as drafted, new clause 13 is not aligned with the intended scope of the Bill. The Bill is solely concerned with entities that are currently, or could one day be, regulated under the NIS regulations. This new clause would require a statement on the risks posed to all UK network and information systems, which is a significant broadening of the scope of NIS-regulated entities and sectors. Similarly, the focus on Government procurement seems outside that scope, given that Government network and information systems are not wholly regulated by the Bill. For those reasons, I ask that the hon. Member for Henley and Thame kindly consider not pressing his amendment.

Dr Spencer

I am grateful to the Minister for his response, but we have seen over the past six months, especially with the alleged spying incidents in Parliament, the Government’s resistance to recognising the Chinese Communist party as a threat. When it comes to our new clause 3 and concerns over transparency, we have also seen, in the last few weeks, that there are mechanisms—for example, the Intelligence and Security Committee—to ensure the disclosure of documents, while preserving national security. I would therefore like to press new clauses 2 and 3 to a vote.

Question put, That the clause be read a Second time.

--- Later in debate ---
Dr Spencer

I beg to move, That the clause be read a Second time.

This new clause would require the Secretary of State to review the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established. The financial services industry has successful voluntary schemes—the Cyber Defence Alliance, and the Financial Services Information Sharing and Analysis Centre—which act as hubs for collaboration on all matters relating to the prevention, detection, mitigation and investigation of cyber-threats and criminality impacting members. These organisations provide an essential alerting and co-ordinating role for their members, including providing intelligence and technical support during ongoing incidents. They can assist in building partnerships contextualised to particular sector risks.

According to Richard Starnes of the Worshipful Company of Information Technologists, companies

“may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them.”

And he said that if the FS-ISAC were replicated

“on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 64, Q75-76.]

Bradley Thomas (Bromsgrove) (Con)

On the point about information sharing with a view to bolstering resilience, Marks and Spencer reported to me that it was surprised to have received more information from the FBI on the origin and impact of the cyber-attack that it suffered than it received from UK authorities. That should adequately demonstrate why sufficient data sharing is required to underpin our resilience and bolster our strength.

--- Later in debate ---
Dr Spencer

That information is concerning. I entirely agree with my hon. Friend that information sharing is important when dealing with evolving threats.

Lincoln Jopp (Spelthorne) (Con)

I am grateful to the shadow Minister for giving way, if only to repeat what my hon. Friend the Member for Bromsgrove has just said. The Minister and the Government Whip were both on their phones, and I do not think they were fully concentrating on the fact that M&S has reported that it got more information about its information loss from the FBI than from our own agencies. I repeat that for the record so that the Minister has a chance to concentrate on that very important information.

Dr Spencer

I thank my hon. Friend for his intervention, which is more for the Minister and the Government Whip’s benefit than mine.

Properly established ISACs will not only increase real-time awareness of cyber-risks and mitigations, but could also alleviate some of the burden on regulators in terms of sector-specific intelligence analysis. Industry feedback and experience from the adoption of the Network and Information Systems Regulations 2018 indicate that sectoral regulators are unlikely to have the capacity to assist with intelligence sharing in relation to real-time cyber-risks.

We know from the sectoral regulators’ oral evidence that building sufficient capacity for effective regulatory oversight is a challenge. Where we have models for sector-led and market-led good practice in hardening cyber-resilience, we should look at how it can be rolled out further. Seeing more of these organisations emerge could even lead to broader adoption beyond NIS-regulated areas to other industries. ISACs have the potential to become integral nodes in improving whole-of-society cyber-resilience, and it is an approach called for by many cyber industry stakeholders. I therefore commend new clause 4.

Kanishka Narayan

I thank the shadow Minister for this amendment, which would require the Secretary of State to review how information sharing and analysis centres support the functioning of the NIS regime and what steps the Government can take to improve them.

I recognise the intent of this new clause. These centres play a key role in promoting collaboration and co-ordination in the cyber-security space, allowing organisations to share information, intelligence and best practice. In fact, the UK already benefits from a range of such initiatives, many of which are facilitated by the National Cyber Security Centre. In its latest annual report, the NCSC noted that more than 200 companies now meet regularly in trust groups to exchange intelligence and best practice, and to support each other in incident response. NIS regulators also support organisations to share information with each other in sector-specific groups.

However, while I fully endorse the value of those initiatives, I do not believe it is the Government’s role to review how they operate or to mandate how or where they are established. Such centres are meant to be a forum in which organisations can voluntarily engage in the exchange of information. As such, they operate most effectively where the initiative for participation comes from the organisations themselves or from technical authorities such as the NCSC.

The Government are, of course, committed to ensuring that the information-sharing provisions within the Bill are effective, and that will be assessed through the formal review of the legislation already required under clause 40. I kindly ask the shadow Minister to withdraw the new clause.

Dr Spencer

In response to the Minister’s comments, clause 40 is about a review; it does not provide any direction, other than for the Secretary of State to do their job in reviewing this area. I will press new clause 4 to a vote.

Question put, That the clause be read a Second time.

--- Later in debate ---
Brought up, and read the First time.
Dr Spencer

I beg to move, That the clause be read a Second time.

The National Audit Office’s 2025 report on cyber-resilience highlighted that Government Departments and agencies are among the weakest links in the UK’s cyber-security ecosystem and lack a credible plan to become cyber-resilient in the short to medium term. The Government play a key role in the management of certain critical national industries, but the continuing cyber-security vulnerabilities in the IT systems used to operate CNI expose the UK to the threat of serious attacks that could undermine national security and the economy.

That is not to mention the risk to enormous amounts of highly sensitive data held on Government systems. Dr Sanjana Mehta of ISC2 said in her oral evidence that the Department for Work and Pensions administered £288 billion of benefits over the past year, with more than 23 million people claiming benefits of some kind. That activity involves processing vast amounts of personal, medical and financial data, which presents rich pickings for malicious actors.

The feedback from industry stakeholders, many of whom are being asked by the Government to take on onerous security and reporting obligations under this Bill, echoes those concerns regarding Government cyber-immaturity. There is a strong sentiment that the Government should be leading by example, as Chris Anley of the NCC Group commented in the Committee’s oral evidence sessions.

In view of the growing risk posed to UK cyber-security by hostile state actors, by their affiliates and by criminal gangs, improving Government cyber-security is urgent. It is clear from the NAO’s findings and other recent reports that Government Departments have lacked the clear goals and necessary accountability to incentivise tackling this significant challenge.

In his letter of 19 February to members of the Committee, the Minister said:

“Government will be held to equivalent cyber security requirements that we expect of the essential and digital services in scope of the Cyber Security and Resilience (Network and Information Systems) Bill.”

But as matters stand, there are no effective legal mechanisms for accountability to Parliament on increasing Government cyber-resilience to the standards necessary to meet the intensifying threats facing our Government Departments and agencies.

New clause 5 would compel the Secretary of State to make yearly reports to Parliament setting out the Government’s progress towards meeting the recommendations of the National Audit Office’s 2025 report on Government cyber-resilience and towards meeting the standards they set themselves in their recent cyber action plan. Where necessary, the Secretary of State would have to account for failures to meet deadlines for implementation and issue a new plan to achieve compliance.

In moving this new clause, I am aware of the challenges that successive Governments have faced in driving up cyber-resilience standards. There are serious practical and budgetary obstacles that can impede progress, such as the vast amount of legacy IT equipment that remains in use, which is inherently more vulnerable to attack. Moreover, there is the ongoing problem of recruiting highly skilled cyber-security professionals to work in these roles, given the competition in the recruitment market and constraints on public sector salaries. Illustrative of that challenge is the worrying statistic, cited by Chris Anley of the NCC Group, that

“almost a third of cyber-security posts in Government are presently unfilled”.––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 24, Q29.]

None the less, the Government have now put in place a plan that they consider achievable, and they should be held to account for it. The new clause creates a mechanism for that much-needed accountability.

Lincoln Jopp

Does the shadow Minister agree that if Labour Members vote against new clause 5, it would be a classic case of “Do as I say, not as I do”? If they are happy to go on the record as voting it down on that basis, does the shadow Minister agree there would be an element of what is politely termed “variable geometry”? The more direct word is “hypocrisy”.

Dr Spencer

My hon. Friend is absolutely right.

Dave Robertson (Lichfield) (Lab)

It is interesting to hear the hon. Member for Spelthorne say that this is apparently hypocrisy and the shadow Minister agree with him. The National Audit Office report was published on 29 January 2025, barely six months after the general election, so it was really commenting on 14 years of Conservative-led Governments. I think it is pertinent to put it on record there has been a lack of focus in this area for far too long, and I am glad that the Government are introducing legislation. If we are to have comments such as that made by the hon. Member for Spelthorne, I feel it is appropriate to have something on the record to counter it.

Dr Spencer

I agree about the importance of putting things on the record. Since the hon. Member obviously has not been listening to my speech, he can check it out on the record. I acknowledged the challenges in this area—[Interruption.] Does the Government Whip want to intervene, or was she just chuntering? I will continue.

Given that the Bill puts quite a burden on the private sector, as we discussed over several sittings before the parliamentary recess, I think it is important that the Government recognise, as my hon. Friend the Member for Spelthorne said, it would be pretty shameless not to vote for accountability for themselves while putting it on other people. Let us see how the vote goes. I commend new clause 5 to the Committee.

Kanishka Narayan

I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.

We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.

--- Later in debate ---
David Chadwick

I beg to move, That the clause be read a Second time.

The purpose of new clause 10 is to ensure that regulatory authorities and regulated persons have adequate resources and capabilities to carry out their responsibilities. Fundamentally, this is a question of state capacity. Surely it is hard to disagree with that statement. We can pass legislation in this House, but if the regulators tasked with enforcing that legislation lack the resources and capabilities to fulfil their duties, and if the businesses subject to the new requirements lack clarity about what is required of them, the Bill will remain little more than words on a page.

Cyber-resilience cannot be achieved through legislation alone, poor and weak though this piece of legislation is; it must be delivered by regulators with properly trained staff, clear guidance and sustained investment in enforcement and oversight. Without that foundation, even the strongest legal framework risks becoming ineffective. The new clause would create a vital statutory reality check. It would require the Secretary of State within one year of the Act coming into force to consult with regulators and regulated organisations, and report to Parliament on whether the regulatory system is equipped to function under the new rules. The new clause asks a simple but essential question: do the bodies responsible for protecting our critical digital infrastructure have the people, funding, tools and skills that they need to succeed?

Laws work only if the people enforcing them have the time, money, expertise and systems to do so properly. The scale of the challenge is already clear. Research from ISC2 shows that 88% of organisations that have suffered cyber-incidents link those breaches directly to skills shortages. If regulators themselves face similar skills or operational shortages, enforcement will be slow, inconsistent and ultimately ineffective, and may leave businesses facing uncertainty about what is required of them.

The new clause would help to ensure that issues are identified early and addressed proactively, rather than after a major cyber-security incident exposes weaknesses in our regulatory system. For this legislation to work, it requires fully funded and effective regulators. That is why I will press the new clause to a vote.

Dr Spencer

This new clause, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations. Historical levels of regulatory oversight and enforcement in relation to the NIS regulations 2018 have fallen short of what is necessary to achieve meaningful cyber-resilience across regulated sectors. The second post-implementation review of the NIS regs 2018, conducted in 2022, found that incident reporting on the part of regulated entities was very low, with only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021 respectively.

A review conducted by the Worshipful Company of Information Technologists identified a near total absence of formal financial sanctions under the NIS regulations, with zero confirmed major penalties from 2021 to 2024. The model has not been conducive to effective discharge of regulatory responsibilities, with knock-on effects for cyber-resilience and regulated industries, yet regulators will be expected to oversee a far larger pool of regulated bodies and process a far larger number of incident reports under the Bill’s provisions. It is therefore right for us to scrutinise carefully whether regulators are in a position to meet these obligations.

In the evidence sessions, many of my questions to witnesses, including those from Ofgem, Ofcom and the Information Commissioner’s Office, focused on their preparations to meet the demands of their expanded roles. It was clear from feedback that although regulators understand what they need to do to prepare, the practical challenges associated with securing sufficient resource are far from resolved. I would therefore be grateful if the Minister could clarify his plans to review regulators’ progress and what the key milestones will be to ensure that regulators can discharge their new duties alongside their existing ones when these provisions come into effect.

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clause, which seeks to require a consultation on the resourcing and capabilities of regulators and regulated entities, assessment on whether additional Government support is needed, and a report on the findings. I reassure the hon. Gentleman that the Bill was developed in close collaboration with regulators and industry to ensure that regulators have the right information and tools to implement it.

The Bill already requires the Government to produce two regular reports to monitor the effectiveness of the legislation, and those would naturally include reviews of whether resourcing and capability were impacting on the effectiveness of the regime. The first of those is the annual report on regulator activities in relation to the statement of strategic priorities. The second is the report on the operation of the legislation, which must take place at least every five years.

--- Later in debate ---
Freddie van Mierlo

The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.

Dr Spencer

New clause 14, tabled by the hon. Member for Henley and Thame, addresses concerns regarding the capacity of SMEs to comply with their regulatory obligations, should they be brought within the scope of the Bill. That matter has been discussed on several occasions by the Committee. That is only right given that, according to figures provided by NCC Group, SMEs make up over 99% of businesses in the UK but too often lack the skills and budgets to implement proportionate cyber-protections, leaving them particularly exposed.

SME cyber assistance schemes akin to the one proposed by the new clause have been rolled out in Scotland on a limited basis and in Australia, where the Government are investing 8 million Australian dollars over three years to provide free person-to-person support for small businesses during and after a cyber-attack. Those schemes have enjoyed some success in hardening cyber-resilience among SMEs that have been able to access them. That can only be welcomed.

There is a case for looking more closely at whether regulation is the appropriate first step to address the cyber-resilience of the smallest organisations that might be brought within the scope of regulation, as legal compliance efforts could detract from already pressured operational defence budgets. In giving evidence to the Committee, Jill Broom of techUK called for strategies

“such as financial incentives, or…tax credits”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 18, Q20.]

to help SMEs improve their cyber-resilience, and techUK has suggested that funding or relief could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first. In the light of those considerations, what analysis has the Minister’s Department conducted of the likely return on investment, in terms of sustainability and growth among smaller companies, of a cyber support service for UK SMEs?

--- Later in debate ---
Emily Darlington (Milton Keynes Central) (Lab)

The new clauses raise a really important point about security by design implemented within companies, and within the companies that provide cyber-security technology to them. An hon. Friend of mine tabled an amendment, which we are not speaking about today, on a similar subject.

Security and safety by design is something that we talk about quite often in this area. It may not be appropriate for this Bill, but I am keen to hear how we will progress those discussions, because ultimately we do want to prevent cyber-attacks. We need to make sure that companies, small and medium-sized enterprises, major infrastructure and local government all have access to technology and infrastructure that looks at security by design in its own design right from the outset, because that is what makes us most secure.

How will we take forward those discussions, and extend the idea that already exists in legislation, through the Online Safety Act 2023, about safety by design, in order to ensure that products around cyber-security have this at their heart, and deliver the prevention mechanism that I think we all want to see—especially the small businesses and organisations that are victims of such attacks?

Dr Spencer

New clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.

On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?

Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clauses. I will speak first to new clause 16, which seeks to require boards or equivalent management bodies of operators of essential services, relevant digital service providers, relevant managed service providers and critical suppliers to take specific measures to oversee the security and resilience of their network and information systems.

Board-level engagement is a necessary part of proactively and effectively managing cyber-risks. That is why we published the cyber governance code of practice last spring, as part of a wider package of action to support boards in more effectively governing digital risks to enhance their organisation’s cyber-resilience. More recently, the Secretary of State, together with the Chancellor, the Business Secretary, the Security Minister, and leaders of the NCSC and NSA, wrote to the CEOs and chairs of the UK’s leading organisations, asking them to make cyber-risk a board level priority.

I agree with the hon. Member that going further on board-level responsibility is necessary. That is why we will introduce security and resilience requirements in secondary legislation, following consultation. We will consult on proposals that are consistent with the NCSC’s cyber assessment framework, as we confirmed in our policy statement last year. The cyber assessment framework includes comprehensive measures on good cyber governance, including clear board level responsibility. It is important that industry is consulted on those measures, that they form part of a holistic package on security and resilience, and that they can be updated flexibly over time. We intend to consult on proposals for security and resilience requirements and wider implementation plans later this year.

New clause 17 seeks to require all organisations in scope of the Bill to test the security and resilience of their network and information systems. We agree that proportionate cyber-security testing is critical to identifying and mitigating vulnerabilities in systems and networks. Organisations in scope need to take appropriate and proportionate measures to manage risks to network and information systems on which they rely, and that can include testing of network and information systems. In particular, relevant digital service providers are already required to account for testing as part of their overarching security duty. Additionally, all regulators can use their powers to mandate testing by an inspector, or by the regulated entity, to verify compliance or investigate potential failures.

I reassure the hon. Member that we are going further. We will be updating and providing more detail on the measures that regulated entities need to take, as well as setting strategic objectives for regulators. As I have said before, our proposals for the security and resilience requirements in secondary legislation will be consistent with the NCSC’s cyber assessment framework, which includes measures on appropriate testing.

--- Later in debate ---
Dr Spencer

I will speak to new clause 19, tabled in my name on behalf of His Majesty’s official Opposition. The new clause would compel the Secretary of State, within 12 months of Royal Assent, to review the need for a statutory defence, encompassing legitimate cyber-research activities, to criminal offences under clause 1 of the Computer Misuse Act 1990, which is about unauthorised access to computer programs.

The campaign for reform in this area, CyberUp, has argued that, in its current form, the CMA inadvertently criminalises critical activity such as vulnerability research and threat intelligence, both of which are essential for defending the nation’s digital systems. The new clause would also require the Secretary of State’s review to evaluate whether the creation of such a defence would enable regulated bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.

New clause 18, tabled by the hon. Member for Henley and Thame, relates to the same important topic and would require the Secretary of State to review, and report to Parliament within 12 months of the Bill’s entering into law, whether amending the Computer Misuse Act could improve the resilience of network and information systems.

Hon. Members will recall the insightful oral evidence of Professor John Child of the University of Birmingham. Professor Child made a clear and compelling case for the need to amend the Computer Misuse Act to provide statutory defences for legitimate cyber-research—sometimes called ethical hacking activities. Likewise, campaign groups, industry specialists and parliamentarians have all argued that the Computer Misuse Act, which was written before the modern internet, is no longer fit for purpose.

At present, the Act fails to distinguish between malicious attackers and cyber professionals acting in the public interest, inadvertently criminalising a large proportion of research that UK cyber-security professionals can carry out to protect UK critical infrastructure and the UK’s technological ecosystem. This means that cyber-security professionals working to defend UK organisations from real-world threats risk prosecution. That has created a chilling effect—talent is being lost, investment is stifled and security gaps are going unidentified.

If we are to have true UK cyber-resilience—not just among regulated sectors, but across businesses of all types and throughout society—we need a multifaceted approach. Industry and private sector-led initiatives will play a strong role in that. Professor Child made clear that countries that have implemented more favourable regimes, such as the US and Israel, are benefiting from increased cyber-resilience as a result of cyber-research activity.

The Government have acknowledged that reform of the CMA is a pressing issue. Indeed, the Home Office has been reviewing that question for some time. Further, the Minister for Security, the hon. Member for Barnsley North (Dan Jarvis), highlighted the urgent need for changes to the law in this area in a recent speech, stating that Government have

“heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake.”

He went on to say:

“These researchers play an important role in increasing the resilience of UK systems, and securing them from…vulnerabilities.

We shouldn’t be shutting these people out, we should be welcoming them and their work.”

Yet the Home Office has brought forward no specific proposals for reform. Parliament is unlikely to legislate again in the cyber-security domain for some considerable time; we cannot afford to kick the can down the road on this vital issue any longer if we are to have a credible plan for whole-of-society cyber-resilience.

David Chadwick

Can the hon. Gentleman address the point of who he thinks would benefit if that Act was repealed?

Dr Spencer

I am a bit unclear about the hon. Gentleman’s intervention. The point I was making was that there is legitimate concern that people doing research into this area and doing threat assessments risk prosecution, so, across the whole of our society, that work is not being done. We have heard quite a lot of evidence from cyber campaigns about the benefits that changes to this law would make to the system, which is why we tabled the new clause. I commend new clause 19 to the Committee. I hope the Minister agrees that now is the time to address the issue.

I suspect that this will be my last, or penultimate, time speaking to the Committee, so I would like to finish by thanking Members on both sides of the Committee for a fun and, at times, robust debate over the past month. I thank the Chairs, the Clerks and all the teams working on the Bill—and Sophie Thorley from my office, who has done incredible research on the Bill.

Kanishka Narayan

I thank hon. Members for their new clauses; I recognise the strong feeling and thoughtful contributions about reforming the Computer Misuse Act.

I speak first to new clause 18, which seeks to place a duty on the Secretary of State to review whether amendments to the Computer Misuse Act could support the security and resilience of network and information systems used for carrying out essential activities. I assure the hon. Member for Runnymede and Weybridge that the Government remain committed to ensuring that the Act remains up to date and effective.

The Home Office is already conducting a review of the Computer Misuse Act, and is developing proposals that arise from its findings. That includes careful consideration of proposals to introduce a statutory defence that would allow researchers to spot and share vulnerabilities. It will provide an update as soon as the proposals are finalised. However, limiting a defence to only the sectors covered by the NIS regime would be impractical. Any package of workable defence would need to be broad enough to apply economy-wide.

New clause 19 raises the introduction of a statutory defence to the Computer Misuse Act. I acknowledge the strong sentiment regarding reform of the CMA. There is no doubt that UK cyber-security professionals play a significant role in maintaining the country’s overall security and resilience. Supporting them is vital.

I agree with the principle behind the new clause: that a defence to section 1 of the Computer Misuse Act could strengthen the resilience of network and information systems by allowing researchers to spot and share vulnerabilities. The Government are already conducting a review of the Computer Misuse Act, and we have made significant progress in developing a proposal for a limited defence to the offence provided for in section 1 of the Computer Misuse Act.

--- Later in debate ---
Kanishka Narayan

Sure. I would not wish to define it technically, but my understanding is that it is research aimed at ethical hacking. It is effectively trying to find vulnerabilities through simulated attack systems, which can broaden our understanding of risks and vulnerabilities and allow us to mitigate them accordingly.

I return to new clause 19. Limiting a defence to just the sectors covered by the NIS regime would be impractical; any proposal for a workable defence needs to be broad enough to apply across the economy. That is why we are making sure that, through the Home Office, we are working as promptly as possible to ensure a proposal that is strong in its safeguards to prevent misuse. Engagement, including with the cyber-security industry, is already under way to refine our approach.

Dr Spencer

We are a responsible Opposition and we are pleased to hear about the work that the Minister and his Department have been doing and about the shared purpose in getting this done and getting it right. Would he give us a bit more detail of the timescales and plans for public consultation? I understand that he has been doing some personal consultation in private, but will there be a public consultation? Given that the reform crosses two Departments, which Department will be taking it forward? What I am really looking for from him is a confirmation at the Dispatch Box that he is personally committed to getting this piece of work over the line during this parliamentary term.

Kanishka Narayan

I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.

In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.

Online Harm: Child Protection

Ben Spencer Excerpts
Tuesday 24th February 2026

Commons Chamber
Munira Wilson

I am about to come to an end.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

On a point of order, Madam Deputy Speaker. This is a procedural question. Given that the long title of the Bill is not in the motion, does that mean that the Bill can effectively cover any subject or theme if the Order Paper is seized on that day?

Madam Deputy Speaker (Caroline Nokes)

I thank the hon. Gentleman for that point of order, which I anticipated might come at some point. If he checks the Order Paper, he will see that paragraph (1)(d) says very specifically that it has to be a Bill on online services age restrictions that is brought forward on 9 March.

Dr Spencer

Further to that point of order, Madam Deputy Speaker. Thank you for that clarification, but my understanding is that that is the short title, not the long title. Is it the case that the long title can be used to tag in any related subjects to expand the scope from the narrow one here?

Madam Deputy Speaker

I thank the hon. Gentleman for his further point of order. Clarification on that point had best be sought from the Public Bill Office. It is my understanding that any Bill brought forward will have to cover online services age restriction, but I appreciate the distinction that he makes between the long and the short titles.

Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting)

Ben Spencer Excerpts
Kanishka Narayan

I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.

As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Mr Stringer.

Clause 25 introduces a power for the Secretary of State to issue a statement of the Government’s strategic priorities in relation to the security and resilience of network and information systems with regard to essential activities. The statement will set out the responsibilities of regulators and specify objectives to secure the Government’s priorities. Competent authorities must be consulted in the drafting of the statement, and the Secretary of State must issue a report in every 12-month period on regulators’ compliance with meeting the objectives within it.

The changes aim to address important challenges around consistency in the approach to regulation that were identified by the previous Government’s second post-implementation review of the NIS regulations. Importantly, the measures also provide for a regular review of competent authorities’ approach to discharging their regulatory obligations. That measure is necessary given the inconsistent approach to oversight and enforcement of the NIS regulations so far.

We know that there are existing challenges relating to the capacity of competent authorities and there is the ongoing issue of securing sufficient cyber-security professionals to staff the teams. It is all well and good making statements, but they need to be followed. What strategies does the Minister anticipate will be needed and used to support—and, where necessary, drive up—standards of regulatory oversight when competent authorities fall short of the aims set out in the statement?

Kanishka Narayan

I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.

Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.

--- Later in debate ---
Kanishka Narayan

I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.

Dr Spencer

The Minister is being generous with his time during this important debate. I was just thinking through his earlier response to the point made by my hon. Friend the Member for Bognor Regis and Littlehampton about using the cost reclaims to employ cyber-security professionals. That goes to the heart of the concerns about the Bill and its approach to regulation.

We have heard that the industry, including regulators, is struggling to recruit cyber-security professionals. What gives the Minister confidence that, just because some money will be sloshing around in the regulators, there will be the ability to recruit cyber-security professionals, who are going to be essential to the implementation of the Bill?

Kanishka Narayan

First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal, so that more people can benefit from cyber-skills and serve in the industry.

There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.

--- Later in debate ---
The Chair

I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.

Dr Spencer

I confess, Mr Stringer, that I suspect I am also guilty of speaking a bit fast in our previous debates. I will do my best to slow down and speak in a lower tone, as I know that can also help, particularly with certain types of hearing impairment.

To continue the theme of agile regulation, clause 29 enables the Secretary of State to update the NIS regulations through secondary legislation. Clause 30 enables the Secretary of State to impose requirements on regulated entities, which may include directions to take specific actions to increase cyber-resilience, to report on certain matters and to appoint a UK representative if the entity is based outside the UK.

Furthermore, clause 31 specifies that the Secretary of State may direct competent authorities to undertake certain activities, including mandating functions in connection with monitoring and securing compliance with relevant requirements, investigating suspected non-compliance and mitigating the effects of non-compliance on the part of regulated entities. Clauses 32 to 35 provide for the Secretary of State to issue ancillary directions to facilitate information-gathering, investigation and enforcement activities on the part of regulators.

Taken together, the clauses give the Secretary of State a strong suite of powers to respond to emerging cyber-security risks. Again, I recognise the necessity of being able to respond quickly in fast-changing circumstances. However, the Government should clearly be reporting on the Secretary of State’s exercise of the powers at regular intervals to ensure transparency. We will discuss that in due course when we come to clause 40, on the report on network and information systems legislation.

The Chair

Does the Minister wish to respond?

--- Later in debate ---
Kanishka Narayan

Clause 36 sets out that the Secretary of State may issue a code of practice for regulated entities. The code will describe recommended steps to help these entities to comply with their duties and requirements under the NIS regulations and any new regulations made under the Bill. This will make it simpler for regulated persons to understand what is expected of them, thereby driving consistency and complementing sector-specific guidance from regulators.

The clause will also make enforcement clearer and more effective, as regulators must take the code into account when they assess compliance. The code is designed to be flexible: it can be updated as threats and technology change, and can be tailored to different types of organisations, ensuring that guidance is current, relevant and practical for all.

Given the importance of the measure in providing practical recommendations to regulated entities, it must be consulted on before it is prepared or revised, and this process is set out in clause 37. Before the code can be brought into force, a draft must be laid before Parliament, providing ample opportunity to scrutinise and, if necessary, reject it within a 40-day period. If either House objects, the Secretary of State cannot proceed with that version and may prepare a new draft. If the draft is approved by Parliament, the Secretary of State may issue it and must publish it, and it then comes into effect immediately, unless otherwise specified. The clause also clarifies how the 40-day period is calculated, to ensure consistency and transparency in the process.

As we know too well, cyber-threats continue to evolve as new tactics and technologies are deployed, which is why the clause includes a power for the Secretary of State to amend the procedure for issuing the code. The Secretary of State may, for example, wish to add or amend consultation requirements or extend the 40-day period.

Clause 38 establishes how the code of practice will be used and treated in legal and regulatory settings, to ensure it has the intended effect. For regulated persons, the code of practice is intended to be formal guidance, with recommendations on how to comply with their duties, but not to be legally binding itself.

As we know, there can be more than one way for businesses to meet their obligations and ensure that they have in place appropriate and proportionate security and resilience measures. It is therefore important that there is a degree of flexibility in how they do this, to accommodate sector-specific nuances and business needs. None the less, it is crucial that the code has sufficient legal status and that the good practice it contains is not simply ignored. That is why the code can be admissible as evidence in court when deciding whether legal obligations have been met, and why the courts and regulators must consider it as evidence when assessing compliance.

Clause 39 establishes a formal process for the withdrawal of the code of practice, in case that is ever needed.

Dr Spencer

Clause 36 provides that the Secretary of State may issue a code of practice for regulated entities to set out measures that they should take to demonstrate compliance with their duties under the NIS regulations, or any requirements imposed by the Secretary of State under clause 29. If done well, the code could be a repository of best practice, setting proportionate, consistent and effective standards for regulated industries. That will require constructive and open consultation with regulated sectors to identify the challenges facing those sectors and how best to address them.

One issue that came up in oral evidence was the question of the lag between regulation making and industry adoption. David Cook of DLA Piper commented that, after laws come into effect, the process of businesses understanding where they need to get to

“often requires a multi-year programme of reform.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 5, Q1.]

The code of practice is not envisaged to be legally binding, in the sense that a failure to comply is not of itself evidence of a failure to meet obligations under the NIS regulations or the Bill. However, clause 38 states that it would be admissible as evidence in legal proceedings so, in that sense, the code is binding in all but name. In view of that, and the fact that codes can be revoked and reissued, can the Minister provide reassurance to regulated industries that a lead-in time will be built into any requirements to allow businesses to prepare to achieve full compliance?

Kanishka Narayan

First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.

On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would work closely with regulated entities to ensure the proportionate implementation of codes.

Kanishka Narayan

I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.

Dr Spencer

For the sake of clarity on the legal status of the codes, I entirely agree with the Minister that it is important to get this right, and my understanding of codes of practice in a different area—statutory codes of practice relating to the Mental Health Act—is that case law says that deviation from the code of practice should be done only for cogent reasons. That is a pretty high bar to pass in terms of deviations. I should declare an interest as a former consultant psychiatrist and someone who operated subject to that particular code of practice.

For absolute certainty, will the Minister write to the Committee and make the status very clear, along with reference to relevant case law in terms of other codes of practice? Does the clause override that jurisprudence or not? That would settle the question as the Bill goes through Parliament.

The Chair

Order. Interventions are getting a bit out of control again. I remind hon. Members that they should be brief.

--- Later in debate ---
David Chadwick

Amendment 26, tabled by my hon. Friend the Member for Henley and Thame, seeks to ensure that the Bill keeps pace with the reality that it seeks to regulate. In the world of cyber-security, five years is a lifetime. In the past five years, the size and scale of cyber-attacks has continued to advance at pace, and we can expect the next five years to be the same. In that context, waiting five years for the first formal parliamentary review of the Bill seems dangerous. It risks leaving us with a regulatory framework designed for the threats of yesterday and not tomorrow. The cyber-threat is real, evolving and urgent.

The NCSC has reported that nationally significant cyber-incidents more than doubled in 2025 alone. That is why the amendment would change the reporting cycle to once every three years. That is a pragmatic timeline, which allows the Government to identify gaps and close them before they are exploited. The EU’s NIS2 directive explicitly mandates a review by the Commission every three years, and it is not clear why the Government have decided to diverge from that standard. Is it because they believe that the cyber-threat here is considerably less than the one facing European member states? It is simply not clear, which adds to the general sense of bewilderment about this provision. If our European neighbours are reviewing their cyber-security approach every three years, why are the UK Government content to wait for five?

Dr Spencer

Clause 40 requires the Secretary of State to publish a report every five years on the operation of the NIS regulations and parts 3 and 4 of the Bill. Reports should include a review of any exercise of powers under parts 3 and 4 by the Secretary of State. Given the wide-ranging powers granted to the Secretary of State under those parts, I have some sympathy for amendment 26, tabled by the hon. Member for Henley and Thame, which seeks to reduce reporting intervals from five years to three.

The shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), raised this issue on Second Reading. She suggested that annual or biannual reviews might allow for effective parliamentary scrutiny of the NIS regulations and of the Secretary of State’s exercise of powers to respond to emerging threats. In view of the concerns voiced by the hon. Members for Henley and Thame and for Brecon, Radnor and Cwm Tawe, and by the shadow ministerial team, will the Minister explain why five-year intervals have been selected and whether the Government will look at this important issue again?

--- Later in debate ---
Kanishka Narayan

I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.

In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.

In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.

Dr Spencer

I have two questions for the Minister. Given the impact on devolved legislation, can he confirm that the consultation will extend to devolved authorities should it impact on them? My second question is more generally on the theme of devolved authorities. Can he confirm that, as part of the publicised “reset” negotiations with the European Union, bringing Northern Ireland into scope of NIS2 regulations is totally off the table?

--- Later in debate ---
David Chadwick

Amendment 27, which I move on behalf of my hon. Friend the Member for Henley and Thame, would give the Government the ability to remove, disable or modify hardware and software that could be used to infiltrate British national infrastructure, such as the cables underneath the now approved Chinese mega-embassy in Tower Hamlets.

The Prime Minister’s greenlighting of the Chinese super-embassy in the heart of London is a grave mistake that presents an open door for the ramping up of Chinese espionage in our country. It sends a regrettable and shameful message to Hongkongers—many of whom have already been targeted, intimidated and coerced by the Chinese Communist party—that trade deals are being prioritised over their safety. The Government must take a robust stance with hostile states such as China.

Dr Spencer

Clause 43 grants the Secretary of State powers to issue directions to regulated entities where there is a risk to national security, or where an action must be taken in the interests of national security. Directions can include requirements relating to the management of systems, the yielding of information and the removal or modification of goods and services. The Secretary of State may also require a regulated entity to engage the services of a skilled person to comply with directions issued. The Secretary of State has wide discretion to dispense with providing reasons for directions or consulting with the affected parties on the basis of national security considerations.

Clause 44 clarifies that the Secretary of State’s directions under part 4 prevail if there is a conflict between those directions and another statutory requirement. The exercise of these powers by the Secretary of State could have far-reaching consequences for businesses, which may experience interruption to their commercial activities, as well as the potentially considerable time and expense in adhering to a request made on national security grounds.

I have spoken on several occasions in the House and in this Committee about the critical risks posed to our cyber-security and national security by hostile state actors and their affiliates. It is, of course, right that the Secretary of State should have this power, but it should be used only in extremis. Like other extensive powers granted to the Secretary of State under part 3, it must be subject to oversight and guardrails. A report to Parliament, which may well be redacted, on the exercise of functions under part 4 will not be sufficient to ensure that this power is used proportionately. Has the Department considered introducing an obligation for the Secretary of State to report to the Intelligence and Security Committee when she exercises powers under part 4?

We discussed the Chinese super-embassy earlier. Later in the Committee’s proceedings, I will talk about an Opposition new clause that would deal with that problem effectively.

Emily Darlington (Milton Keynes Central) (Lab)

As the Minister will be aware, I have spoken consistently of my concern about our reliance on hardware and tech that comes from potentially non-favourable state actors abroad. That also relates to Government procurement, which I have raised before, as the Minister will know.

The Committee has already discussed how local government and Government Departments are not covered by this legislation, and how there is a separate strategy and document. Can the Minister expand on how protections against a reliance on foreign tech within critical infrastructure, in either the private or the public sector, are being dealt with in the Bill or in the strategy that has been published for the public sector? How will that be continually reviewed as our global geopolitical situation remains unstable?

--- Later in debate ---
Once a direction is issued, it will be laid before Parliament for scrutiny unless that would be contrary to national security interests. In response to the shadow Minister’s particular questions about the mechanisms considered in doing so, I suggest that the current mechanism of more general parliamentary scrutiny was seen as the best way of ensuring widespread accountability in these matters.
Dr Spencer

I really do not understand the Minister’s answer. If it has not been published on national security grounds, how will we know that it has been laid? The whole thing could be entirely secret. Surely it has to go to the ISC as an accountability mechanism.

Kanishka Narayan

The Bill currently provides for clear parliamentary scrutiny. The Secretary of State is responsible for coming to Parliament, although some information may not be able to be presented in public. I am happy to write to the shadow Minister about the mechanisms that other similar regimes have used to ensure that Parliament’s scrutiny is informed in those cases, whether in Committee or otherwise. The primary mechanism is the one we use for constant parliamentary scrutiny, and it would be unfair for any of us to suggest that most of those channels would not be appropriate for the sort of scrutiny we are looking at.

Dr Spencer

I think the Minister is saying that there will be a parliamentary scrutiny mechanism under these powers. Is that what he is saying?

Dr Spencer

Okay.

Kanishka Narayan

To repeat, exactly as I said: once a direction is issued, it will be laid before Parliament for scrutiny. If there is any misunderstanding, I am happy for the shadow Minister to write to me so that I can confirm it.

Dr Spencer

I really think we should be very critical about this. What we are doing now is parliamentary scrutiny. There will be directions in future, which we expect to be laid, and they will also be subject to parliamentary scrutiny. Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?

Dr Spencer

Okay.

Kanishka Narayan

To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.

Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.

Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.

--- Later in debate ---
Kanishka Narayan

This group of clauses concerns how compliance with national security directions will be monitored. Clause 45 enables the Secretary of State to delegate the task of monitoring compliance with the direction issued under clause 43 to a NIS regulator. Regulators have valuable sectoral expertise and existing relationships with the entities they regulate. As such, it may be effective to delegate monitoring of compliance to the relevant regulator. The Secretary of State will retain the sole ability to make judgments about whether non-compliance has occurred, or if any penalty is appropriate. The regulator would be required to obtain information relating to compliance, to be shared with the Secretary of State. The Secretary of State would then determine how they would like to receive this information—for example, in reports or at regular intervals.

Clause 46 grants information-gathering powers to the Secretary of State and to regulators that are subject to a monitoring direction or request. In order to determine whether an incident or threat meets the bar for issuing a direction, or whether a regulated entity is complying with the direction, the Secretary of State will need information from that entity and potentially other parties. The clause establishes the power for the Secretary of State to request that information. As the monitoring of compliance with the direction may be delegated to NIS regulators, the clause also equips those regulators with the power to request information needed for their monitoring functions.

Clause 47 grants the Secretary of State the power to carry out or delegate inspections needed to assess compliance with a direction, or with a confirmation decision specifying actions to be taken in the event of non-compliance. The Secretary of State is responsible for judging whether a regulated entity is complying with a direction, and therefore needs access to relevant information that the regulated entity holds. In some cases, this may not be possible to verify without physical attendance. To ensure the effective use of time and resources, the Secretary of State will have the power to appoint a person to carry out an inspection on their behalf, or to direct the recipient of a direction to appoint an approved inspector. The clause also grants these powers to regulators, where the regulator has been directed or requested to monitor compliance on behalf of the Secretary of State. This will ensure that they can provide the Secretary of State with the most accurate information. I commend the clauses to the Committee.

Dr Spencer

Clause 45 gives the Secretary of State powers to require regulatory authorities to monitor and report on regulated entities’ compliance with directions given under clause 43 for reasons of national security. Clause 46 provides the Secretary of State with extensive information-gathering powers through the use of information notices to facilitate the giving of directions and monitoring of compliance with directions under clause 45(4). Clause 47 empowers the Secretary of State to conduct inspections to assess whether a regulated entity is complying with directions issued under clause 45(4). The Secretary of State may appoint a third party to conduct the inspection, and require the regulated entity to meet the costs associated with this.

I reiterate the point that these powers are necessary; however, given the potential for significant cost and administrative burden for businesses, they should be subject to contemporaneous or near-contemporaneous oversight by parliamentary authorities, observing the necessary confidentiality protocols. I also make the point that these information-gathering powers apply extraterritorially and may lead to conflict with regulated entities’ data privacy obligations in other jurisdictions. What discussions has the Secretary of State conducted with industry and law enforcement counterparts in other countries about the approach to information sharing for this purpose, and the implications for companies operating services on a cross-border basis?

--- Later in debate ---
Kanishka Narayan

I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.

The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.

Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.

Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.

These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which align with the provisions in clause 49.

Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.

A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.

Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.

I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.

Dr Spencer

Clauses 48 to 52 deal with notifications and financial penalties where a regulated entity is deemed not to be compliant with directions issued by the Secretary of State under part 4. In particular, clause 48 would grant enforcement authorities powers to issue a contravention notice if they believe a person has failed to comply with a requirement under part 4. The notice must set out details of remedial steps to address the failure, as well as the financial penalty that the enforcement authority intends to impose.

Clause 49 would require penalties to be set at a level that is appropriate and proportionate, with the maximum penalty being £17 million or 10% of turnover. A maximum daily penalty of £100,000 applies to ongoing breaches. The maximum fines for failing to comply with an information notice or an inspection would be set at £10 million.

Kanishka Narayan

I have two points to make to the shadow Minister on defining turnover. As he will be well aware, “turnover” is a technical term that is best defined in secondary legislation, to keep up to date with accounting principles that at times vary from sector to sector. He asked for factors that might contribute to definitions. The specific determination of turnover will be set out in secondary legislation, but we intend to establish a presumption that only the turnover of the regulated entity that breaches the direction will be considered for determining penalties on this point.

Question put and agreed to.

Clause 48 accordingly ordered to stand part of the Bill.

Clauses 49 to 52 ordered to stand part of the Bill.

Clause 53

Power to direct regulatory authorities

Question proposed, That the clause stand part of the Bill.

--- Later in debate ---
Clause 58 clarifies how key terms used in part 4 should be interpreted. It does so by cross-referencing how those terms are defined in earlier parts and clauses of the Bill, ensuring consistency of meaning throughout. In order to ensure that unexpected changes to sectoral risk that impact the UK’s national security can be mitigated, and that the directions regime can operate effectively with appropriate parliamentary scrutiny, I ask the Committee to support these clauses and minor amendments.
Dr Spencer

Clause 53 would grant the Secretary of State powers to issue directions to regulators where this is necessary for national security reasons, and to allow a reasonable period for the regulator to comply with that direction. Clause 54 provides that directions may be amended or revoked by the Secretary of State. Under clause 55, directions to regulated entities or regulators must be laid before Parliament unless that

“would be contrary to the interests of national security.”

I repeat my earlier question about the ISC’s role regarding scrutiny. Clause 56 would permit the Secretary of State and regulatory authorities to share any information obtained under part 4 with each other and the NCSC. The provision also allows for the sharing of information with other UK or overseas public authorities with equivalent cyber-security or national security functions. Government amendments 23 and 24 seek to amend that clause to provide for directions and notices issued under this part to be sent by email to relevant persons who provided those contact details to regulatory authorities.

Some reassurance on the extent of information sharing for businesses is delivered through provisions specifying that disclosures of information should be limited to that which is relevant and proportionate. However, those are high-level and subjective terms, open to interpretation by the authority sharing the information. Can the Minister provide any update on the development of protocols between authorities to ensure that information shared is limited to that which is necessary for effective oversight and enforcement in relation to national security risks?

Kanishka Narayan

On the shadow Minister’s first point, I repeat what I said earlier and, of course, acknowledge his concern. I assure him that, while a direction can only be issued out of necessity for national security, it does not follow that public knowledge of that direction or its contents would compromise national security. I would expect a pretty extensive scope of such directions and, therefore, an appropriate channel of scrutiny in Parliament.

On his question of protocols to ensure information shared is not just proportionate in general, but specific to the purpose of national security specified, I am happy to give him the assurance that the Bill contains it and that, in the process of working out implementation, we will make sure that regulators are focused on developing those protocols.

Question put and agreed to.

Clause 53 accordingly ordered to stand part of the Bill.

Clauses 54 to 56 ordered to stand part of the Bill.

Clause 57

Means of giving directions and notices

Amendments made: 23, in clause 57, page 83, line 8, at end insert—

“(za) an email address provided to a regulatory authority as an address for contacting that person,”

This amendment would ensure that a direction or notice can be given to a person using an email address which has been provided to a regulatory authority as a contact email address.

Amendment 24, in clause 57, page 83, line 11, leave out

“there is no such published address”

and insert—

“no email address has been so provided or published”.—(Kanishka Narayan.)

This amendment is consequential on Amendment 23.

Clause 57, as amended, ordered to stand part of the Bill.

Clause 58 ordered to stand part of the Bill.

Clause 59

Extent

Question proposed, That the clause stand part of the Bill.

--- Later in debate ---
Dr Spencer

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss the following:

New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk

“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –

(a) from activities undertaken outside of the UK, or

(b) from foreign owned or controlled infrastructure or locations within the UK.

(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –

(a) the findings and conclusions of the review conducted under subsection (1), and

(b) the Government’s plan for addressing the risks identified.

(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –

(a) a review has been conducted under subsection (1), and

(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”

This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.

New clause 13—Statement on risks posed to systems by foreign interference

“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.

(2) Any statement under this section must—

(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;

(b) include risks associated with—

(i) hardware,

(ii) software,

(iii) supply chains,

(iv) procurement processes, and

(v) the use of, or reliance on, foreign technologies or systems;

(c) include a specific focus on government digital procurement processes.

(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”

This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.

New clause 15—Review of high-risk bodies

“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.

(2) A review under this section must assess—

(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;

(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and

(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.

(3) In this section—

“relevant body” means—

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.

“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;

“network and information systems” has the meaning given by section 24(1).”

This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.

Dr Spencer

New clause 2 contains an obligation for the Secretary of State to establish and maintain by regulation a list of foreign powers presenting a significant cyber-security risk to the UK. The list must include states that have been confirmed by GCHQ as having perpetrated a cyber-attack, whether by a state department, agency or affiliate, on the UK in the preceding seven years. It must also include foreign powers that GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

New clause 3 would compel the Secretary of State to review and report to Parliament on the risk to networks and information systems posed by foreign powers appearing on the register under new clause 2, with specific regard to activities undertaken from abroad and the risk posed by locations or premises controlled by those states in the United Kingdom. New clauses 13 and 15, in the name of the hon. Member for Henley and Thame, look as if they have been tabled in the same spirit of genuine concern about the risk of foreign hostile state interference and control in critical systems and supply chains.

There is an established precedent in UK legislation for maintaining registers or lists of hostile state actors and other entities presenting a threat to our national security for use by Government. That includes the foreign influence registration scheme under the National Security Act 2023, which came into effect last year. Russia and Iran were placed on an enhanced tier of the scheme, which applies to foreign powers considered to pose a risk to the UK’s safety or interests. The Government said that that was in response to those countries being identified as presenting an elevated national security risk. China was conspicuous by its absence, despite the director of GCHQ having confirmed in 2024 that her organisation devotes more resource to China than to any other single mission.

--- Later in debate ---
Chris Vince

The shadow Minister will forgive me for taking the opportunity to defend the Government and the Prime Minister; I was not expecting to do that in this Committee this week. I reassure Members across the House that this Prime Minister and Government put national security first. The shadow Minister will know that intelligence agencies have been consulted about the relocation of the Chinese embassy. He will also be aware that the proposed new site at Royal Mint Court is actually further away from this place than the current site.

Dr Spencer

Frankly, I find it astounding that, according to my understanding, in response to the planning decision being granted our security services said that they would take measures to start moving sensitive digital cables. It strikes me that a decision about sensitive digital cables should have been pertinent to the planning application in the first place.

The Government remain reluctant to name China as a threat to UK national security, despite the overwhelming and growing portfolio of evidence. In case the Government are still in any doubt, we need look only at the oral testimony given to this Committee by the Inter-Parliamentary Alliance on China for a clear picture of the role of China and its state affiliates at the forefront of the cyber-security threats to our critical sectors.

Given that established and growing threat, new clause 3 would compel the Secretary of State to review, among other matters, the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. In the Commons debate on the embassy application in June last year, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) reminded the Minister for Housing and Planning that the Government’s own cyber-security experts, Innovate UK, have warned about the threat to the City of London from the embassy. My hon. Friend made specific reference to the Wapping telephone and internet exchange that would be surrounded on three sides by this new embassy—not to mention the fibre cables I referred to earlier, which carry highly sensitive information and run beneath this site.

Chris Vince

I recognise that the shadow Minister cares passionately about the security of this country—as do I, which is why we are discussing the Bill. But does he not recognise that the site was purchased by the Chinese Government in 2018? There is a potential threat whether or not the new embassy is built there.

Dr Spencer

I do not want to repeat the discussion that we had a moment ago. I think it is complete lunacy to permit the building of a super-embassy—one of the biggest in the region—next to highly critical data transmission. I am also concerned by media reports that the Prime Minister’s recent visit to China was greenlighted only following the final approval of the embassy. I am deeply depressed that, following the visit, Jimmy Lai has been effectively sentenced for life. I respect the tone and constructive way in which the hon. Member for Harlow approaches this debate, but it is fair to say that the Government are sadly weak on standing up to hostile state actors such as the Chinese Communist party.

As I said at the start, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical cyber-security risks to the nation. I therefore submit that the new clauses are a vital addition to the Bill to focus the attentions of the Secretary of State to ensure that her functions under part 4 are carried out in the best interests of our national security. No responsible Government would or should vote against such provisions. Parliament should make it crystal clear that the Chinese Communist party is a threat to the United Kingdom. We must support new clauses 2 and 3.

Ordered, That the debate be now adjourned.— (Taiwo Owatemi.)

Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

New clauses 6 and 7 sit together and are linked by the same practical concern regarding clarity and workability when an incident is unfolding.

I will start with new clause 6. Ransomware is no longer an occasional or unusual cyber-event; it is now one of the most common and disruptive threats facing essential services, digital providers and their supply chains. Written evidence to this Committee was clear that ransomware incidents are now routine, high-impact events, and that uncertainty at the outset of an attack often makes the consequences worse. The Bill rightly broadens the definition of an incident to capture events that are capable of causing harm, not just those that already have. That is the right direction of travel, but when organisations are under pressure, particularly in the first 24 hours of an incident, uncertainty slows action. Time is lost debating definitions rather than focusing on containment, escalation and reporting.

New clause 6 addresses that problem directly. It makes it explicit that a ransomware attack is an incident for the purposes of the NIS regulations, and sets out clearly what is meant by ransomware attack. It would not create a new duty; it would remove doubt from an existing one. Clear definitions support better behaviour when organisations are operating under real pressure.

New clause 7 follows naturally from that point. If we want faster and clearer reporting, the system into which organisations are reporting has to work in practice, not just on paper. The Bill expands reporting requirements and introduces new notification duties. That is understandable, but UK Finance told the Committee that many firms already support cyber-incidents under multiple regulatory regimes and that additional reporting layers risk duplication rather than resilience. When an incident is live, that duplication causes friction, slows the response and increases costs. It can reduce the quality of information being shared because teams are stretched across parallel processes rather than focused on managing the incident itself.

We do not seek in new clause 7 to reopen the policy intent of the Bill; the new clause would require a review, once these changes are in force, of how the reporting requirements are working in practice. That review would consider costs and interactions with other reporting frameworks. The new clause would also require that proposals for a single cyber-incident reporting channel be published. That is not a bureaucratic exercise; it reflects concerns raised in evidence that resilience is undermined, not strengthened, when reporting becomes fragmented at moments of stress.

Taken together, new clauses 6 and 7 are about making the system clearer at the front end and more usable overall. Clear definitions encourage timely reporting and coherent reporting channels make that reporting effective. I hope that the Committee will give serious consideration to both new clauses.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Dr Murrison, and it is always a pleasure to follow my hon. Friend the Member for Bognor Regis and Littlehampton. I will speak to clauses 15 and 16 and to new clauses 6 and 7, tabled in my name on behalf of His Majesty’s loyal Opposition.

The previous Government stated in their consultation covering the subject of cyber-incident reporting that security breaches that did not result in a successful attack could still leave organisations open to follow-up attacks. It was identified that reporting how the breach took place would also allow regulators and other organisations to prepare for similar attacks in the future. It is therefore a welcome development that clause 15 significantly increases the scope and speed of cyber-incident reporting by regulated entities to competent authorities and the NCSC.

That increase in scope is achieved by broadening the definition of reportable incidents from the current position, where only cyber-attacks having an actual adverse effect are reportable, to a position where cyber-incidents that are capable of having an adverse effect on the operation or security of network and information systems must also be reported. The Government’s explanatory notes for the Bill state that this change in definition

“is designed to include incidents that have compromised the integrity or security of a system without causing significant disruption yet, but that could have potential significant impacts in the future.”

This has been broadly welcomed by industry stakeholders as a measure that should provide regulators with greater intelligence about emerging threats, leading to improved risk management and hardened resilience in their sectors.

On the importance of intelligence gathering, we heard evidence from David Cook of DLA Piper and Chung Ching Kwong of the Inter-Parliamentary Alliance on China, among others, about the increasing use of prepositioning and “live off the land” technologies deployed by malicious actors. Once systems are infiltrated, attackers remain in systems, sometimes harvesting data, waiting for the moment when they can cause maximum harm and disruption. Those serious risks should be flagged to regulators wherever they are identified.

Dr Sanjana Mehta of ISC2 described problems of underreporting in relation to the existing NIS regulations regime, and welcomed the principle of expanding reporting, as did Jill Broom of techUK. However, both cautioned that while some high-level factors have been provided as to the criteria indicating whether an attack should be reported, such as the number of users, impact, duration of interruption and geographical reach, what is not clear at present are the thresholds that are linked to those criteria. Those details are vital if reporting is to be successful in ensuring that regulators are kept apprised of the most serious threats.

Dr Mehta summarised that concern succinctly in her comment:

“In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators”. ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 16, Q14.]

Likewise, techUK has stated in its written briefings on the Bill that

“technically any phishing email is ‘capable of’ having a significant impact if the organisation lacks adequate detection or response capabilities. This will lead to over-reporting of low-level incidents and potentially overwhelm regulators, thereby distracting attention from genuinely significant threats.”

As in many aspects of the Bill, the problem is not in the principle but in the detail. We heard in oral evidence about the concerns of industry and regulators regarding the availability of suitably qualified personnel to build capacity for effective regulatory oversight. We must be alive to that important consideration in ensuring that thresholds are proportionate and risk-based.

The Government have stated in their factsheets on the Bill that they intend

“to introduce thresholds through secondary legislation before this measure is brought into force”

and after a period of consultation. They have also said that those thresholds will

“clarify the points at which we would consider the impact of an incident to be ‘significant’, and therefore reportable to regulators”.

What discussions has the Minister had to date with regulated entities and regulators about the approach to consultation on these thresholds? What is the feedback on what those organisations consider to be reporting priorities?

--- Later in debate ---
Chris Vince (Harlow) (Lab/Co-op)

Will the shadow Minister give way?

Dr Spencer

I am more than happy to give way to the hon. Member for Harlow.

Chris Vince

I thank the shadow Minister for remembering my consistency—I have not mentioned Harlow. How is the new clause helpful, given the potential confusion it causes with listing a specific kind of incident as well as the generic one?

Dr Spencer

The Opposition are trying to make it clear that ransomware needs to be in the scope of the reporting. It is really for the Minister to answer if he thinks there are problems with the new clause, and if so, how the Government will go about taking that forward. The widespread and highly damaging nature of ransomware attacks—which are often perpetrated by criminal groups at scale and speed—means that regulators need to have a detailed oversight of this area to prevent those attacks from being deployed more widely. Therefore, the new clause is intended to ensure that all ransomware attacks on regulated entities are reported, regardless of severity or potential severity, so that the risks are picked up.

In tabling new clause 6, I am acutely aware of the existing reporting burden for regulated entities and regulators. Since tabling it, we have heard impactful evidence from Carla Baker from Palo Alto, who highlighted the number of cyber incidents and false positives that many companies encounter each day. As I said in response to an intervention, in the absence of measures brought forward by the Government to address the widespread and urgent risks presented by ransomware attacks—and as the Government themselves identify as part of the Home Office’s review—it would be proportionate to make specific reference to ransomware in the reporting requirements on regulated entities in the Bill.

New clause 7 reflects the concerns of regulated bodies and industry representatives who have set out many, many times—in oral evidence and beyond—the need to ensure that reporting obligations are clear and, as far as possible, simplified across the many different incident reporting regimes that exist for providers of digital services. The new clause would compel the Secretary of State to publish an assessment of the impact of the new reporting regime on regulated entities in the Bill within 12 months of Royal Assent. Importantly, in line with the clear requests articulated by many stakeholders who gave evidence last Tuesday, it requires the Government to publish proposals for the creation of a single cyber incident reporting channel for relevant bodies.

Dr Allison Gardner (Stoke-on-Trent South) (Lab)

I worked for the AI and digital regulations service in the NHS. We were linking with all of the regulators to try to have a one stop, one shop door approach to how we do things. It was incredibly difficult, and three years on we were still ironing out all the glitches. New clause 7 is laudable, but because I know how difficult it is, a 12-month proposal is a very tight timeframe in which to try to get this right.

Dr Spencer

I thank the hon. Lady for her intervention. New clause 7 puts forward an assessment of the impact. It is not intended to make definitive changes, but to give time. I have confidence in the Government and the Minister that within 12 months—it is the kiss of death to say that one has confidence at the minute, is it not? [Laughter.] I apologise to the Minister.

Dr Gardner

I will defend myself: my point was not a criticism of the Government. I just know how hard it is for regulators to work together and iron out cross-working. They were very confident in their information-sharing skills, but it is more difficult than that. It was just a kindly meant reminder that there is not an easy solution, and that 12 months is a bit of a tight timeframe.

Dr Spencer

I very much take the hon. Lady’s point and the constructive spirit in which it was presented. Twelve months is a long time for the operations of Government to function, and I have faith—I will change my words—in the Government and all of their powers if they wanted to put their minds to bringing this forward. If there are concerns about the ability of the Department for Science, Innovation and Technology to take this forward, those concerns would spill over into all of the consultation requirements that have to be met to make sure that this Bill functions in the correct way. The argument on what we are debating today could swing both ways.

Industry stakeholders have expressed strong concerns regarding the diverse incident reporting requirements that exist in several pieces of legislation, including UK GDPR, sector-specific regulation and the Telecommunications (Security) Act 2021. As we have already discussed, the Home Office may also bring forward guidelines for reporting ransomware incidents in future. Additional reporting requirements and procedures included in the Bill are viewed as adding a further layer of complexity to a legislative environment that is already very challenging to navigate. Stakeholders report that the current approach, with multiple different reporting procedures and platforms, increases regulatory compliance costs on businesses and detracts from the resources available to implement effective improvements in cyber-resilience. In view of that, will the Minister support this urgently needed review clause to assure industries that the Government have heard their serious and vital concerns on the matter?

--- Later in debate ---
Kanishka Narayan

I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.

On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.

The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.

I commend the clause to the Committee.

Dr Spencer

Clause 17 will amend the NIS regulations to provide a framework for regulators to impose charges on regulated entities to recover the costs incurred by them in carrying out their supervision and enforcement functions. The Government’s explanatory factsheet supporting the Bill suggests that those changes are needed to ensure that regulators are

“better resourced to carry out their responsibilities.”

We have heard at length from witnesses in oral evidence sessions that resourcing is a key consideration for regulators in meeting their new and expanded obligations under the Bill. The concept of our regulators’ being better funded is good. However, as with much of the Bill, the lack of detail around the regulator charging model is causing uncertainty among regulated entities that would be liable to meet the associated costs.

--- Later in debate ---
Kanishka Narayan

The clause introduces vital reforms to how information can be shared in the context of the NIS framework. Right now, as we have heard again and again from both hon. Members across the Committee and witnesses, the NIS regulations have limitations that restrict how and with whom information can be shared. That has serious implications for the effectiveness and efficiency of the regime, including business burdens as well as the ability of the UK’s authorities to act on national security or criminal intelligence.

One important limitation in the current regulations is the inability of regulators to share information with many public authorities in the UK and vice versa. For example, NIS regulators currently cannot share information to support the evaluation of the NIS framework or policy development relating to cyber-resilience and national security. The clause addresses those concerns by enabling information to be shared between NIS regulators and UK public authorities, including the Government. That will be done for the purposes of supporting the NIS regulations as well as wider objectives alike, reducing business burdens and for national security and crime purposes.

The clause also imposes strict requirements and safeguards on how the information can be further shared. The net effect of the changes will be fewer burdens on business, better and more informed regulatory decision making, joined-up incident response and improved security for the United Kingdom.

Government amendment 14 makes targeted but important changes to the clause. It proposes a further ground for sharing information focused on wider cyber-security and resilience outside the context of the NIS regulations and NIS sectors. In practice, it means that NIS regulators will be able to share information with regulators who are responsible for overseeing the cyber-security and resilience of other vital sectors under different regulatory frameworks and vice versa.

The amendment is a crucial addition to the Bill. It means that the UK’s regulators can think holistically about the risks that their sectors are facing, the interventions they propose to take and the obligations they are placing on business. That in turn will mean better outcomes, more effective and informed incident response, more co-ordinated oversight and lower business burdens.

The amendment will be particularly important in supporting co-ordination with the financial regulators responsible for the critical third parties regime, which could be used to designate organisations already in scope of the NIS regulations such as cloud service providers. It also anticipates the need for co-ordination for other sectors, such as civil nuclear and space, in the future. In short, the amendment is necessary to ensure that UK regulators can take a more co-ordinated approach to protecting the UK’s most essential services.

Government amendments 15 to 18 are consequential on amendment 14. I urge the Committee to support the amendments, and I commend clause 18 to the Committee.

Dr Spencer

Clause 18, which the Government seek to modify through amendments 14 to 18, creates new pathways for information sharing between regulators, public authorities and Government Departments. It also creates a power for NIS enforcement authorities to share information with relevant overseas authorities for specified purposes. The new regime is intended to remove gaps and ambiguities in the existing framework governing the sharing of information obtained in the course of competent authorities and the oversight role of NCSC, and to create legal certainty in this domain.

In turn, it is anticipated that greater information sharing will assist with the detection of crime, enforcement activity and awareness of emerging cyber-risks and with ascertaining the effectiveness of the NIS regulations in building UK cyber-resilience. In particular, the Bill creates a new gateway to ensure that NIS regulators can share information with UK public authorities, and vice versa, as well as sharing and receiving information from organisations outside of the NIS framework, for example other regulators or bodies such as Companies House.

The Bill strengthens safeguards on how information can be used once it has been shared under the NIS regulations by restricting onward disclosure. More effective information sharing will be vital for competent authorities to keep up to date with emerging risks and building resilience in their sectors, and the new measures were broadly welcomed by regulators in our oral evidence session.

However, industry bodies such as techUK have called for further detail on the new information-sharing regime. What steps are the Government taking to ensure that regulators share responsibility for protecting sensitive data, and that information-sharing processes are coherent, proportionate and secure? Could the Minister elaborate on the discussions he has had with regulators on those matters, and on how secure information sharing will work in practice?

Finally, on the detail of the text in Government amendment 14, proposed new paragraph (aa)(ii) refers to persons

“otherwise in connection with…any other matter relating to cyber security and resilience,”.

Given that this is an information-sharing power, that seems a remarkably broad “any other matter” provision. What disclosures that are not already covered in the Bill does the Minister conceive will come up in that scope? What guidance or consultation will the Minister produce to make sure that such powers are proportionate and not at risk of abuse?

Emily Darlington

Again, I welcome the Government amendments and clause 18; they are important to enabling us to share our vulnerabilities in an appropriate way with those people who may be involved. However, some of the aspects of those vulnerabilities that security services—GCHQ, His Majesty’s Government Communications Centre and others—raised with us relate particularly to not only foreign interference, but the potential for interference through technology embedded in our networks. How does the Minister see the measures working within our co-operation with different foreign nations, particularly during these volatile times?

--- Later in debate ---
Kanishka Narayan

Clause 19 sets out that regulators must provide guidance on specific issues, including security requirements and incident reporting notifications. Guidance already plays an important role in supporting the implementation of the NIS regime. We have, however, identified some areas where regulated entities would benefit from additional clarity. The clause ensures that every regulated sector has the guidance they need from their sectoral regulators to help them to comply. To ensure consistency across regulators, the clause also requires regulators to co-ordinate with each other when preparing guidance relating to designating critical suppliers. The clause also requires regulators to consider guidance published by the Secretary of State such as the code of practice when preparing guidance on the security and resilience requirements. That will ensure that regulators consider good practice recommendations and take more consistent approaches to preparing guidance.

Dr Spencer

Clause 19 amends the NIS regulations and will require regulators to publish guidance on the security and incident reporting requirements of regulated sectors. In formulating their guidance, regulators are under a duty to co-ordinate and consult with other regulators to ensure consistency as far as is reasonably possible. Relevant provisions in the code of practice, to be issued by the Secretary of State under clause 36, must also be taken into account. Newly regulated entities will, no doubt, welcome proportionate guidance on meeting obligations, and existing regulated entities will appreciate any streamlining that comes from consultation between regulators and their approach. Can the Minister provide further details about whether consultation between regulators and the Secretary of State is under way on a consistent approach to regulation?

Kanishka Narayan

As I have mentioned to the shadow Minister, the Minister for Digital Economy, the Secretary of State and I have engaged with a number of the regulators in scope here. Both those conversations, and the broader framework of this Bill, are intended to drive consistency across sectors through common security requirements, clear guidance and a statement of strategic priorities, which will set objectives that regulators must seek to achieve. I hope that is sufficient assurance not only that those conversations have started, but that they will be a fundamental focus as we ensure consistent regulation across the board.

Question put and agreed to.

Clause 19 accordingly ordered to stand part of the Bill.

Clause 20

Powers to require information

Question proposed, That the clause stand part of the Bill.

Bradley Thomas

Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?

Dr Spencer

Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.

I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.

Lincoln Jopp

In terms of scope, could the Minister give us some sense, when it comes to managed service providers, whether the purpose behind this clause is to enable regulators to find out their entire client list? I would be grateful for some clarity on that point.

Kanishka Narayan

I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.

To the shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.

Dr Spencer

Will the Minister talk through what the data exchange flow chart will look like? How will it work in practice? Will the OES proactively contact the regulator and say, “We have all these suppliers—go play”? Will the regulator contact the OES and say, “Give us a list of all your suppliers, and then we are going to start an investigation programme and decide what data we need”? What is the direction of communication in practice? Or—perhaps even worse—will the burden be on suppliers to an OES to contact the regulator and say, “Could we possibly be in scope?” How will it shake out in practice?

Kanishka Narayan

Although I will not specify prescriptively what the activity and flow ought to be, I can share from my experience that many large-scale businesses—and indeed many medium and small-sized businesses—have a very clear business continuity plan mapping their critical suppliers. In this case, I would expect the regulator and the regulated entities to engage. Who sends the email first is an open question, and I would not want to specify it in the Bill, but I would expect each regulator and their regulated entities to work very closely to understand the critical suppliers that meet the tests specified in the Bill, and to engage with those critical suppliers as a consequence.

Dr Spencer

The Minister has mentioned business continuity plans a second time as a justification for not going into detail on this, but the whole reason for the Government bringing in the powers in clause 12, and the designation of critical suppliers, is that there was no business continuity plan in place in the example of Synnovis. I do not see how that argument gets away from the need for clarity, for organisations that could be at risk of being in scope of being assessed and designated as a critical supplier, about what actions they have to take in response to regulation, proactively or otherwise, and the burdens on them. We have just discussed the cost of enforcement, which risks essentially becoming a cyber-security tax.

Kanishka Narayan

I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.

I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.

--- Later in debate ---
Kanishka Narayan

Just so that I am clear, not least for future records, I think the case described is one where the client is not in the Bill’s scope but is provided to by an MSP that is in the Bill’s scope, and where the relevant responsible individual is in the client business as an employee or agent of that business. The hon. Gentleman raises an important point. Both the obligations and the defined focus of the Bill are on regulated entities. In this instance, if the individual is not in the regulated entity and the regulated entity has complied with the entirety of the wider cyber-security reporting obligations in the Bill, we would look to other venues of legal action against the individual in question. It would be challenging for a Bill that does not regulate the entire economy to ensure that every individual and firm unregulated by it is brought into its scope as well. But that is not to diminish the significance of requiring other pieces of law to act on individuals elsewhere.

Dr Spencer

I will come to my speech, but as we are having a debate on this point, does the Minister’s answer not risk a gilded defensive posture being set up by MSPs? If they list terms and conditions for the use of their services that essentially bar everything, they can say that any liability—if there is ransomware or they get hacked—is completely on the client, as opposed to themselves. Does the Minister’s explanation not risk MSPs taking a very defensive posture to ensure that the client is liable for any problem? Given that the clients are usually not regulated entities, this provision effectively becomes meaningless.

Kanishka Narayan

I can see the shadow Minister’s hypothetical point, but I assure him that if there is some universal, consistent practice on the part of an MSP to avoid liability, where liability should reside with them, that should be in scope of how the regulator assesses the performance of that MSP. Secondly, I assure him that there remains a degree of competition in the MSP market, given the attractiveness of the UK customer and end user market for MSPs. I would therefore very much expect any MSP that adopts a falsely defensive posture of the sort that the shadow Minister describes not only to be assessed as doing so by the regulator, but to fall foul of the competitive market context that we have and want in the UK.

To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed. The clause ensures that that is the case for NIS regulations, and for that reason I commend it to the Bill.

Dr Spencer

I think I will follow up in writing on my intervention to try to dig down into the explanation of how liability will be laid down when the client is not a regulated entity but is receiving services from regulated entities. That is an important point, because these are quite hefty fines. As my hon. Friend the Member for Spelthorne pointed out, even with £34 an hour lawyers, there will be a lot of industry activity to try to avoid liability in the context of a substantial cyber breach, which can be significant.

More generally, the clause makes significant changes to enforcement practices under the NIS regulations, including to increase the financial penalties regulators can impose for infringement of the regulations, and to set out a clearer system of tiered penalties, based on the severity of infringements. The Government’s impact assessment states that these changes have been made because of concerns reported by regulators that

“enforcement under the NIS Regulations has been constrained by unclear band structures and a maximum penalty which is insufficient to deter non-compliance across all NIS sectors”,

which goes back to my previous point. Enforcement activity under the NIS regulations has been sparse, inconsistent and insufficiently effective to increase cyber-resilience to the levels necessary to meet the proliferating cyber-security risks to our most critical sectors.

Fundamentally, the existing approach to enforcement has not achieved the necessary change in attitude to cyber-risk at the highest levels of regulated entities. It is concerning that board level responsibility for cyber-security has steadily declined among businesses since 2021, with 38% of businesses having a board member responsible for cyber-security in 2021, compared with 27% in 2025.

The enforcement model clearly needs to be more effective, and increasing fines is only one part of that. Regulatory capacity to undertake supervision and enforcement remains a concern, as does perceived reticence on the part of regulators to impose fines on critical infrastructure providers, due to the risk of destabilising essential services and increasing costs for consumers. In our oral evidence sessions, many witnesses, including Richard Starnes of the Worshipful Company of Information Technologists, raised the issue of greater responsibility at the highest levels of management for cyber-resilience. What assessment has the Secretary of State undertaken of whether changes to the penalty regime are likely to influence board-level attitudes towards cyber-security?

Kanishka Narayan

The shadow Minister makes a really important point: cyber-security must be taken seriously at the highest level—at board level. It is part of the cyber assessment framework, which the Government have put at the heart of how we think about assessing cyber-security in firms as well as public sector organisations. It is also part of the guidance we are looking at in the cyber action plan and our wider cyber-security strategy. I take those very seriously. In terms of making sure that businesses have a razor-sharp focus, the intent of the fine regime is to ensure that there is a deterrent effect and that it is felt at decision-making levels, which must include boards.

Question put and agreed to.

Clause 21 accordingly ordered to stand part of the Bill.

Clause 22

Enforcement and appeals

Question proposed, That the clause stand part of the Bill.

--- Later in debate ---
David Chadwick

The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.

Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.

Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.

Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.

At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed, its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.

Dr Spencer

Part 3 is a very important part of the Bill. It gives the Secretary of State a range of powers, including ones to bring additional sectors into the scope of regulation, to update the NIS regulations, to publish statements of strategic priorities for regulators and to publish codes of practice that set out cyber-security measures for entities to comply with their regulatory duties.

Clause 24 includes a power enabling the Secretary of State to specify new services that can be brought into the scope of the NIS regulations, and to designate additional regulatory authorities. Those powers are intended to allow the Secretary of State to identify additional critical sectors and respond to emerging threats quickly. The agility introduced by this measure has been broadly welcomed as appropriate, given the fast-evolving nature of malicious cyber-activity.

Given the extent of the Secretary of State’s new powers, however, it is important to put in place guardrails to ensure that the appropriate response to emerging threats is indeed further regulation, rather than market-led or insurance-based mitigations. Can the Minister provide any further information at this stage about the procedure that will be followed in deciding whether to expand the scope of regulation to ensure consistency and transparency?

Hon. Members have tabled several new clauses that would prompt the Secretary of State to use her duties under clause 24. I will speak to new clause 1, tabled by the hon. Member for Warwick and Leamington (Matt Western), and new clause 9, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, together, as they have some thematic overlap. New clause 1 seeks to bring all entities, other than small businesses and microbusinesses, in the food production, distribution and retail supply chain into the scope of regulation as operators of essential services. New clause 9 also touches on the regulation of food supply chains. It would require the Secretary of State to designate retailers of

“food and essential goods (when part of a large-scale distribution chain)”

and manufacturers of “critical transport equipment” as providers of essential services to be brought into the scope of regulation.

Those new clauses reflect concerns about the cyber-attacks targeting the food retailers M&S and Co-op last year. New clause 9 reflects issues raised by the major attack on JLR, which caused such disruption and threatened the stability of regional jobs and supply chains. Those attacks caused significant public concern, but they would all remain out of scope after the Bill comes into effect.

Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)

Kanishka Narayan

The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Ms McVey.

Clause 9 brings within scope of the NIS regulations a new category of technology service providers, known as relevant managed service providers. MSPs play a critical role in the UK economy. Research conducted by the Department for Science, Innovation and Technology under the last Government suggests that 11,000 MSPs were active in the UK in 2023, of which 1,500 to 1,700 were medium or large organisations that would be in scope of the Bill. Micro and small enterprises that offer managed services are excluded from the scope of regulation but have the potential to be designated as critical suppliers under other provisions, which we will come to shortly.

MSPs are critical to the functioning of the multiple businesses that they serve, offering contracted IT services such as helpdesk and technical support, server and network maintenance, and data back-up. In many cases, they also provide managed cyber-security solutions to their customer bases. Consequently, these businesses often have significant access to their clients’ IT networks, infrastructure and data, which makes them attractive and valuable targets.

Chris Vince (Harlow) (Lab/Co-op)

I seek some clarification on the shadow Minister’s statistics about the number of MSPs that are in scope, and what they are as a proportion of the MSPs in the country. Could he clarify that he is talking about individual organisations rather than what they do? For example, if there is one large organisation and nine small ones, but the large one takes up 80% of the market, the proportions are slightly different.

Dr Spencer

The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.

The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and incident reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.

However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?

I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.

It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?

The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.

One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.

Lincoln Jopp

Having read the Bill, does my hon. Friend understand whether, if a managed service provider provides services to, say, a hospital—so it would be covered by the regulations—and a reportable event happens to the managed service provider, there is any obligation for the hospital trust to report it as well, or whether it is just the managed service provider that has the responsibility? If he is not clear on that, would he ask the Minister?

Dr Spencer

I thank my hon. Friend for the “get out of jail free” card that he gave me at the end of his question; indeed, I pass that question on to the Minister. The point is well made in terms of trying to dissect the interacting and relevant duties in the Bill. The Bill tries to chop up different actors in the digital ecosystem, as well as public and non-public organisations, although a commercial threshold is being used. The Bill also introduces confusion: it rightly tries to make a carve-out for Crown data centres, but what exactly is a Crown data centre? One could argue that a Crown service is something provided by the state. Is a data centre serving a hospital therefore a Crown data centre?

There are so many different components within the Bill. Not only are there 14 regulators, or however many are operating—earlier this week, Amazon told us in evidence that it is regulated by four regulators—there is also confidential information going through, as my hon. Friend the Member for Spelthorne pointed out. It gets even worse in the clause on critical supply networks. It is just incredibly confusing. The Committee—and, dare I say, the Government—should not ignore the evidence we have received from managed service providers time and again saying that although MSPs should be in scope and these regulations help, we need clarity on what exactly that means.

Alison Griffiths

I think my hon. Friend is about to reference the commercial impacts on MSPs. We have already referenced the fact that they are of many different sizes. One of the concerns the Committee will need to consider is whether new contracts will need to be written. The level of uncertainty being created may render the existing frameworks within which they operate redundant.

Dr Spencer

I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.

Chris Vince

The shadow Minister is always very generous with his time. This is not meant to be a controversial intervention, but does he recognise that micro and small enterprises have been omitted from this legislation because we recognise the challenges they have with the guidance? I appreciate that small can mean mighty when it comes to businesses. The hon. Member for Spelthorne made the point that businesses may have only a small headcount, but a very important role in the cyber-security make-up of this country.

Dr Spencer

Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.

Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.

Lincoln Jopp

I thank the shadow Minister for his reply to my hon. Friend the Member for Bognor Regis and Littlehampton. Is he as surprised as I am to read in the impact assessment that the hourly rate for a contract lawyer is to be £34 an hour rather than £300 to £500 an hour, which in my experience is the market rate?

Dr Spencer

I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.

Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.

We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

The hon. Member is quite right to say that American companies have captured most of the market that he is talking about, particularly the cloud providers. What does he think is stopping British cloud providers from getting a larger share of the market?

Dr Spencer

The cloud providers I have spoken to talk about several things. They talk about the crippling cost of energy in the UK, something that we need to drive down—

The Chair

Order. You are telling me that you do not think it is in scope, but we consider that it is.

Dr Spencer

The cloud providers tell me that the energy costs are crippling, which is highly problematic, and that is why we need to drive those costs down. They talk about the challenges of getting data centres built and about planning considerations, which are a concern across the country. They talk about the taxation environment and costs on businesses more generally, particularly when they are footloose, and they talk about the regulatory framework. Pretty much all of those things are not specifically in the Bill, with the exception of the regulatory framework, so there is a lot that is suppressing the opportunities for cloud providers and others in the sector and hindering them from doing business and succeeding.

There is a broader point to make about the Bill and the philosophy behind it, because there is something that we have to avoid. There is a sense in the UK that we are getting gummed up by regulation and obsessing more and more about limitations and restrictions to businesses. In that environment, people and organisations that do well financially, succeed and grow are seen as either targets or cheats—as something that we can go for, tax and punish. We have lost or diminished our can-do attitude when it comes to supporting the risk takers and the entrepreneurs, who are the people and organisations building the MSPs and data centres on which our economy relies.

Over and above that, there is a cultural issue that is impacting our IT and tech sector. As legislators we should ensure that the thing we have direct control over, which is the legislation in front of us, imposes as small a regulatory burden as possible while still ensuring that it is sufficient to meet our aims. We must listen to businesses and hear their concerns. We hear time and again that the lack of clarity, particularly in this part of the Bill, is putting them at financial and legal risk. That is a very substantial concern.

Alison Griffiths

On my hon. Friend’s point about the lack of clarity in the Bill, there is a real possibility that firms will find that an MSP has one view of an issue while their client has another. Unless there is sufficient clarity in the wording of the Bill, we will have issues.

Dr Spencer

I thank my hon. Friend for her intervention. Legal clarity is important. I have absolutely no issue with lawyers, but we do not want to make a load of money for lawyers as a consequence of the definitional challenges around the Bill’s implementation. That is not good for businesses, which need certainty as to how to apply the regulatory framework under which they operate. Regulatory uncertainty will not help a business to make decisions. My assumption is that the default position will be for businesses to assume that they are not regulated entities, which means that they will not take actions that we would like them to take as a result of the Bill. Again, we will be making laws under which everybody loses out.

My final point is about the carve-out in respect of public authority oversight. It is all well and good for the Government to say, “We have an action plan and we’re going to sort out Government IT and the cyber-security risk for Government services,” but it is not playing out that way. Our biggest risks, and the most vulnerable components of our digital IT infrastructure, are those that are linked to Government services. Change is needed. My sense is that when a company interacts and shares data with Government and public sector services, the biggest cyber-security risk is likely to be in the aspects that are provided by Government services. We are making legislation that puts a host of burdens on the private sector, yet we are largely silent about what is happening in the public sector. Putting people at risk in that way is really not good enough. We need to support our overall cyber-security.

--- Later in debate ---
Dr Spencer

On a point of order, Ms McVey. What mechanism is available to Members who are concerned that there is a factual error in the impact assessment? How can that be corrected?

The Chair

The point has been made clearly on the record. We can take it beyond this room, and perhaps you can write to the Minister afterwards for clarification.

Clauses 10 and 11 ordered to stand part of the Bill.

Clause 12

Critical suppliers

Question put, That the clause stand part of the Bill.

--- Later in debate ---
Lincoln Jopp

To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.

To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:

“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;

so we cannot tell how many there are. The same page also states:

“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”

We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.

Dr Spencer

This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.

The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.

The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.

To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.

Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?

--- Later in debate ---
Alison Griffiths

The clause is drafted broadly, which is understandable, but in practice many of the supply chains, as my hon. Friend has ably demonstrated, involve several layers of providers and sub-providers. I would welcome clarity on how regulators are expected to approach designation in these cases, so that responsibility is clear and preparation can happen upstream, rather than only after an incident.

Dr Spencer

My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.

What happens in the circumstance where a critical supplier acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.

Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.

Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff—I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.

If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.

It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say, “Ben, you’re completely wrong. We found some providers”, but if that situation arises, how will the arbitration occur in terms of the threshold?

Chris Vince

I am not going to tell the hon. Gentleman that he is completely wrong—he should not worry about that. I will make another point. I wonder whether the distinction might be how time-sensitive losing a particular service would be. That is just a suggestion.

Dr Spencer

I thank the hon. Member so much for that intervention about the time it would take to find an alternative supplier, because it will bring me on nicely to my point about alternative suppliers.

However, before I move on to that point, the hon. Gentleman made a very good point in his intervention, which I will address. To be subject to these provisions will create a regulatory burden, and therefore a cost burden, for an organisation that is designated to be a national critical supplier. If I was a supplier of services, I would want to have the best provision possible. I would want to be cyber-secure; I would want to have a gold-standard service. However, I might also be nervous of being designated as a critical supplier because of the regulatory burden that would impose on me, which would make me potentially less competitive in getting contracts because of the costs that would ensue. There would need to be an arbitration system where a company that is under threat of being designated a critical supplier could have a discussion or debate about whether that designation was relevant or not.

I will now move on to the point that the hon. Gentleman made about alternative services. I really have no idea at all how we can expect a regulator to delve into the complexities and the minutiae of what is available in a local economy to provide these services that the OES is receiving. Do we expect the relevant regulator to check what taxi services are available—actually available, rather than some sort of fantasy availability where they are available on paper, but not in reality—in the local ecosystem that could supply to that hospital, which is the operator of essential services? What is the scope of research that the regulator would have to do? What considerations would they need to take regarding how much the taxis cost and how effective they are? What about the procurement decisions and processes that have already been gone through?

Most public sector organisations have complex procurement rules when setting up their contracts—and that is before we even begin to consider health and safety concerns that are subject to regulatory provisions. For example, if the regulator decided that taxi services are under threat of becoming a critical supplier, then does the taxi service have the ability to deal with someone who has a cardiac arrest, needs oxygen or has a behavioural disturbance? Can it manage people with physical or mental disabilities? What is the scope of that particular service provision? The experts will be the people who commissioned it in the first place; yet on the face of the Bill there is no objective requirement for the regulator to speak to the OES in the first place about how this provision and service was procured.

In terms of the service being available—as per the point made by the hon. Member for Harlow about the time to sift through—how will that be evidenced and investigated? What resource is going into this? That is just for a taxi company. What about when we expand it—and this is just for the NHS—to cleaners, porters, locum agencies or medicines provision? Is the provision of services geographically circumscribed or will this be across the country? I am sure that one can find alternative services to provide taxis to St Thomas’ in Birkenhead, but that does not necessarily mean that it is available in a reasonable timeframe or sense, in terms of the designation of supplier.

--- Later in debate ---
Lincoln Jopp

I do not want to add spurious hypotheticals, so I will talk about the real world. I visited the Maypole special school in my constituency the other day. It has 20 members of staff and 18 pupils. It has people coming from as far away as Wandsworth. It books the transport, and the transport is paid for by the local education authority in which the pupil lives. It is clearly critical that children get to the school—just as it would be for a hospital. Would it be up to members of staff at the Maypole school to find out whether Addison Lee used a managed service provider or a data centre? That seems quite a tricky thing to know about and then to fulfil.

Dr Spencer

I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.

I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.

Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.

If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.

Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.

It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.

Kanishka Narayan

First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.

The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.

The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.

--- Later in debate ---
Dr Spencer

Will the Minister give way?

Kanishka Narayan

I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.

On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.

The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.

--- Later in debate ---
Dr Spencer

The Minister is, of course, within his rights to snarkily dismiss the questions that I have raised, but I should point out that the stuff that is debated in Parliament, whether in Committee or on the Floor of the Chamber, is relevant when it comes to future legal disputes after a Bill is passed. The questions I have asked about the application of the Bill’s provisions will be important parts of the legal disputes that I expect will arise after its implementation. When people look back through the Minister’s dismissive comments, I hope they have other resources that they can go to for settling legal arguments. However, he may choose to respond fully now, or in writing if he cannot provide me with an answer.

Kanishka Narayan

I believe that where the shadow Minister laid out any specific concerns, I was able to set out answers, not least on the process for the designation of critical suppliers and the availability of an appeals process. Where his points were more in the realm of specific hypothetical puzzles, I have stayed clear for precisely the reasons that he highlights. This is serious stuff that can form the basis of how businesses and others plan, rather than specific judgments that we ought not to speculate about in this House.

Question put and agreed to.

Clause 12 accordingly ordered to stand part of the Bill.

Clause 13

Provision of information by operators of data centre services

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

Clause 13 ensures that operators of data centres provide essential information to regulators, enabling them to properly monitor their sector and its cyber-resilience. The clause requires operators to submit key details, such as names, addresses and contact information, within three months of designation, and to update regulators within seven days if anything changes. Regulators are required to maintain a list of designated entities. By keeping regulatory records current, the clause strengthens our ability to monitor and protect essential services and respond to incidents that could affect businesses, public services and national security. The clause plays a key foundational role in the Bill’s wider framework for cyber-security and resilience.

Like clause 13, clause 14 places legal duties on digital and managed services providers to provide essential information to their regulator—in this case, the information commission. Like operators of data centre services, RDSPs and MSPs will be required to register with the information commission within three months, submitting key details, such as names and contact information, and to update regulators within seven days if anything changes. Organisations based outside the UK will be required to nominate a UK representative and provide contact details. To strengthen cross-agency support and recognise the key role that these businesses play in the UK economy and society, the information commission will be required to share its registers of relevant digital and managed service providers with GCHQ. Those proportionate steps will enable authorities to do their job and respond when it matters.

Dr Spencer

Clause 13 requires in-scope data centre operators to provide certain information to their designated competent authorities, which—subject to Government amendment 11, which we passed earlier—will now be solely Ofcom, and to keep that information up to date. The information includes the data centre operator’s address and the names of directors. It must be provided within three months of the data centre operator’s designation. For data centres that meet the threshold criteria, that would be three months after clause 4 comes into force. Other OESs are not subject to an equivalent requirement to provide information to their sector regulator. That reflects the fact that the Government currently have limited information about the data centre sector.

RDSPs are already required, under regulation 14 of the NIS regulations 2018, to provide their contact details to the information commission, as their sector regulator. Clause 14(2) amends regulation 14 to require RDSPs to provide more information, including about their directors and the digital services they provide. It would also require the information commission to share a copy of its register of RDSPs with GCHQ. Clause 14(9) requires RMSPs to register with the information commission and to submit the same contact details as RDSPs. RMSPs must nominate a UK representative if they are based outside the UK. The information commission will be required to maintain a register of RMSPs and to share it with GCHQ. Clauses 13 and 14 give Ofcom and the information commission access to more detailed information about regulated entities and facilitate regulatory oversight of the data centre, RDSP and RMSP industries in the UK.

Question put and agreed to.

Clause 13 accordingly ordered to stand part of the Bill.

Clause 14 ordered to stand part of the Bill.

Clause 15

Reporting of Incidents by Regulated Persons

Dr Spencer

I beg to move amendment 1, in clause 15, page 22, line 15, at end insert—

“(f) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”

The Chair

With this it will be convenient to discuss the following:

Amendment 2, in clause 15, page 22, line 25, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 4, in clause 15, page 23, line 32, at end insert—

“(ea) where the incident involved one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 5, in clause 15, page 26, line 37, at end insert—

“(h) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented.”

Amendment 6, in clause 15, page 27, line 7, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 7, in clause 15, page 30, line 8, at end insert—

“(fa) whether the incident involves failure modes not previously observed in the relevant sector materially involving autonomous or adaptive systems based on machine learning, including where the potential impact of such failure modes was mitigated or prevented;”

Amendment 8, in clause 15, page 30, line 21, at end insert—

“(ea) where the incident was associated with one or more autonomous or adaptive systems based on machine learning, details of those systems and their involvement in the incident;”

Amendment 9, in clause 18, page 40, line 10, at end insert—

“(8A) Where the CSIRT receives notification of an incident under regulation 11, 11A, 12A, or 14E that materially involves autonomous or adaptive systems based on machine learning, the CSIRT must share relevant technical information with the relevant body within 72 hours.

(8B) For the purposes of this regulation, a “relevant body” means the AI Security Institute or any successor or replacement body designated by the Secretary of State.”

Dr Spencer

I will speak to the amendments tabled by the hon. Member for Dewsbury and Batley (Iqbal Mohamed), but wait for the next group to speak to clauses 15 and 16 and the amendments to them in the name of the official Opposition.

From the outset, it is important for me to say that while I have spoken to the hon. Member more generally and responded to a debate he secured on AI, I have not spoken to him specifically regarding these amendments and their precise purpose. However, given his concerns about the AI sector and his background, we can see where he is going with them. Broadly speaking, the amendments would ensure that as part of the reporting requirements under these clauses, there is an ability to measure whether adaptive AI or large language models have been responsible for a cyber-security breach or an incident within the systems themselves.

That derives from what we see happening more generally in the cyber-security sector. We heard evidence that, online, people can essentially purchase a cyber-security hack suite of software. It is possible to pay for people to do hacking and one can get training in it. A lot of hacking and cyber-security breaches are now expanding because of large language models and the use of AI to probe systems. I do not know if we have a sense of scope regarding how much this is a problem specifically in the UK, whether for the individual businesses or organisations that will be regulated under the Bill. I understand, as I interpret them, that the point of the amendments is to get a dataset on where AI or automated decision making has been used to pose a particular cyber-security risk.

The amendments also speak to a more general point. There has been a lot of debate in this place over the years about what we as a country, and equivalent democracies, are doing on the regulation of AI and large language models, building on the Bletchley conferences, innovative work and what guardrails we need to think about in terms of imposing LLMs and AI in the UK, and how we approach AI being used by hostile state actors, such as through bot accounts. I understand that the use of deepfakes, bots and so on is an emerging risk as a method of cyber-attack. There are broader issues with regard to transparency when bots on the internet and social media networks can get into various IT systems and accounts, and effectively pretend to be somebody else to get around the cyber-security system. As with all things, we do not know what we do not know. I understand that the amendments were tabled to increase reporting requirements and give us more evidence of the scope of the problem and the threat posed.

I will be grateful if the Minister gives his sense of how much of a problem this is, particularly with regard to whether reporting requirements are necessary. I believe that the Government’s original plan was to introduce an AI Bill. That would have pros and cons, and I remain agnostic on that, but, speaking for His Majesty’s Opposition, I would like to know the Minister’s plans for the AI landscape and whether, in the upcoming King’s Speech, there is an idea of revisiting an AI Bill, which might make such amendments obsolete.

The Chair

Order. That is not relevant now.

Kanishka Narayan

I appreciate the intent behind the amendments and the shadow Minister’s position of understanding but not supporting them, which I share. I share his concerns about the potential for emerging risks posed by AI systems, not least in the realm of cyber-security. At the same time, I am conscious that we have not specified any risk factors in the Bill from a reporting point of view for the National Cyber Security Centre or the regulators. To do so in this context would place an undue priority on one category or source of risk.

For those reasons, although I understand the motivation behind the amendments and I am conscious of the risks posed by AI systems, I urge the hon. Member not to press them. The Bill is technology-agnostic rather than focused on particular areas of risk. The Government continue to work on mitigating AI risks, primarily at the point of use, but also through extensive Government capability, not least in the AI Security Institute.

Dr Spencer

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)

Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

It is a pleasure to see you in the Chair, Mr Stringer. The Bill will make crucial updates that build on the NIS regulations, which are the UK’s only cross-sector cyber-security regulations. As clause 1 sets out, “NIS regulations” refers to the Network and Information Systems Regulations 2018 (S.I., 2018, No. 506).

Clause 2 gives an overview of the Bill’s parts and what they include. It sets out that part 2 amends the NIS regulations by expanding the scope of the regulations to cover data centres, large load controllers and managed service providers. It also introduces powers for regulators to designate suppliers as being critical for their sector. Part 2 also updates the existing incident-reporting regime and includes provisions relating to the recovery of regulators’ costs, information-gathering and sharing powers, and enforcement powers. Part 3 gives new powers to the Secretary of State to specify other sectors as in scope of the regulations in future, to create new regulations relating to the security and resilience of regulated services, and to issue a code of practice and a statement of strategic priorities. It also requires the Secretary of State to report on this legislation and its implementation. Finally, part 4 gives new national security powers for the Secretary of State to issue directions. I commend the clauses to the Committee.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.

The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.

Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.

Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.

In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

Does my hon. Friend agree that, although we support the intent behind the Bill, clause 2 does a lot of framing work but does not necessarily consider the extensive perimeter that is coming through and how proportionality will be applied in practice? I suggest that the Committee keep that in mind as we move through the detail.

Dr Spencer

I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.

Chris Vince

The hon. Gentleman is making an interesting speech. I recognise his desire to be constructive on the issue. Will he recognise that this is about finding a balance? We want to include some flexibility in the legislation, because of the ever-changing threat that he mentioned. Equally, we recognise the challenge that SMEs may face in complying with the legislation on data sharing, but it is important that they do so, because not complying will have an impact on their business.

Dr Spencer

I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.

These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.

Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.

The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.

If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.

Kanishka Narayan

I welcome some of the Opposition spokesperson’s comments. Let me briefly address his questions about definitions and public sector inclusion. It is customary for the Opposition to oppose for the sake of opposition, at times, and I am afraid that this is one of those times; I have so far set out only two clauses, which are effectively an index to the Bill. Notwithstanding that, I will address his two particular points.

I was delighted that in our evidence sessions we heard from witness after witness who appreciated the flexibility of the Bill. For the Government to prescribe activities or incident thresholds in the finest detail in primary legislation is not how businesses, Government and regulators ought to engage. I hope that the Opposition will come to appreciate that in due course.

On critical suppliers, which no doubt we will come on to, I thought that in response to Opposition comments at our second sitting, I set out a very clear, precise set of tests. I found no opposition to that claim, but I look forward to hearing any original thoughts on that question.

On incident reporting, I was delighted that there was a witness who noticed that the extension of the definition of incident reporting, to include incidents capable of having an impact, was appropriate and exactly in the right place.

On the question about the public sector’s inclusion, we are here not to prescribe and wait for a law to tell us what we ought to do in the public sector, but instead to move fast and fix things. In that spirit, the Bill focuses on essential services.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.

Clause 2 ordered to stand part of the Bill.

Clause 3

Identification of Operators of Essential Services

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

Clause 3 makes important distinctions as to which organisations can and cannot be considered operators of essential services for the purposes of the NIS regulations. It clarifies that a person—in practice, an organisation or business—can be an operator of an essential service regardless of whether that person is established in the UK, as long as they are providing essential services in the UK. That means that organisations established outside the UK can be regulated under the NIS regulations.

Clause 3 also makes it clear that the NIS regulations do not apply to public electronic communications networks or to public electronic communications services. Those are telecoms operators, which are regulated separately under the Communications Act 2003. The amendments in clause 3 will prevent telecoms companies from being subject to duplicate regulations; they will also ensure that all essential services in the UK are protected, even if the company operating them is based outside the UK. I commend the clause to the Committee.

Dr Spencer

Clause 3 will amend the relevant provisions of the NIS regulations, stipulating that operators of essential services are within scope of the regulations whether or not they are operating an essential service in the UK, and regardless of jurisdiction in which they are established. Providers of public electronic communications networks and public electronic communications services are excluded from characterisation as operators of essential services, as the Minister says, to avoid duplication with their sector-specific cyber-security regime.

The clause is an important provision to ensure that entities providing essential services in the UK are compliant with domestic standards. Perhaps the most important aspect of the change is ensuring that serious cyber-security risks that appear within the systems of those entities are reported to the UK authorities for action. That is vital for the National Cyber Security Centre to keep abreast of emerging risks and be able to respond to them.

Nevertheless, the complex maze of compliance and regulatory standards across jurisdictions is a growing challenge for businesses of all sizes and particularly for small and medium-sized enterprises. This is also a complicating factor facing UK companies when providing services abroad, particularly in the digital domain. Will the Minister lay out what discussions he has had with industry representatives about easing the complexity of cross-border digital service provision to ensure that the UK is a competitive and attractive place to do business?

Kanishka Narayan

On the question about cross-border compliance and making sure that we have a proportionate and effective regime, we have had a series of engagements at ministerial and official level with representatives of techUK, the industry body. The NCSC has convened a series of organisations—not least managed service providers, but others as well—and there has been a pretty extensive period of consultation on that and every other matter in the Bill.

I feel satisfied that the Bill strikes a good balance in ensuring proportionality in what businesses experience. Critically, as supply chains in this context become increasingly cross-border, it is vital that bodies that may not be resident in the UK but which provide essential services here are included in the scope of the Bill.

Question put and agreed to.

Clause 3 accordingly ordered to stand part of the Bill.

Clause 4

Data centres to be regulated as essential services

--- Later in debate ---
Dr Spencer

Clause 4 amends the NIS regulations to bring data centres that meet certain thresholds within scope of the regs as operators of essential services. As drafted, these data centres will be regulated by DSIT and Ofcom, but the amendments moved by the Minister propose that Ofcom will be the sole regulator for the subsector. I thank him for his explanation of why he has tabled these amendments.

Given the oral evidence from Ofcom and other sector regulators earlier this week regarding the challenges of recruiting skilled cyber-security staff to regulate effectively, what assessment has the Minister made of the additional regulatory burden on Ofcom of this decision and its capacity to secure adequate resources to meet it? Clause 5 extends the scope of the regulations to data centres operated by the Government, with the exception of services provided by or on behalf of intelligence services handling classified information.

Data centre infrastructure is increasingly vital to the UK’s society, economy and security. Data centres underpin nearly all aspects of our digital lives, from sending emails to booking GP appointments or ordering shopping online. Businesses of all sizes routinely process their workloads in the cloud, supported by data centres. For those reasons, data centres were designated as critical national infrastructure—CNI—in 2024.

The UK digital sector, which is heavily reliant on data centres, contributed more than 7% of the UK’s total gross value added in mid-2024, growing almost three times faster than the rest of the economy. Data centres are also critical to the UK’s ambition to become an AI superpower. Training artificial intelligence models relies on access to an abundance of processing capacity, or compute, located in secure data centres.

In October last year, Amazon Web Services experienced a glitch in one of its US data centres, which set off a chain reaction that took down online services across the globe.

Bradley Thomas

On the growth of this industry, and with 78% of UK enterprises relying on cloud-based services, 96% of companies expected to use public cloud services, 35% of UK businesses outsourcing IT support and, as of last year, 63% of organisations planning to continue or increase their IT outsourcing over the next 12 months, does my hon. Friend the shadow Minister agree that greater consideration—or at least elaboration—must be given to the vulnerability of the supply chain of large load data centres?

Dr Spencer

My hon. Friend will be aware that the issue regarding the bottleneck in the supply of cloud computing, in which I put data centres, compute more generally and access to large language models, in our country is very much on my mind, and we have been raising it with the Government. At the moment, I understand that around 70% of cloud services directly procured by the Government are coming from the three big US providers. I hear from UK SMEs—not just cloud providers, but SMEs of all types—all the time about the challenge that they face with Government procurement contracts to procure domestic UK-company services, whether that is central Government or otherwise.

We are getting ourselves into a very difficult situation from a resilience perspective: not only are we currently heavily reliant on US big tech, but we are not doing the work we need to do right now to support a burgeoning UK tech industry. In the UK, we have fantastic universities and businesses. We really are a centre of innovation, but the problem is that companies can really struggle to take the next step forwards.

Of course, Government procurement is not the be-all and end-all—although, depending what sort of sector the company is operating in, it might be—but we are certainly not focusing enough on supporting our SME sector. The sector is really good and strong, and it has the potential to be great, but we still have not had a hyperscaler. We have not seen the expansion in the UK digital and tech sector that, all things considered, given our background and where we stand in terms of our academic and business resources, we really should have seen.

--- Later in debate ---
The Chair

Order. Interventions should be short and to the point. If any hon. Member wishes to catch my eye, they should not have any difficulty in doing that, but it is important to keep a distinction between interventions and contributions to the debate.

Dr Spencer

The hon. Member for Lichfield may be aware that my background is in medicine; I used to be a doctor before I came to this place. One of the skills and challenges in medicine is that any medical intervention—apart from a small handful—always has a risk of harm or side effects to the patient. It is always a balancing act between the harm and the benefit. My bread and butter before I came to this place was balancing harms and risks in the best interests of the person in front of me.

Although I have never been a businessperson, and I have certainly never owned or run a data centre, my approach to business burdens is to see the extra things that the Government make businesses do—which are not necessarily what businesses would normally do or see as in their direct interests—as a prima facie harm. I will expand my words a bit if that helps in explaining the logic. The starting point is that it is an extra burden and a harm, but then benefits from other angles can outweigh that harm. It is getting businesses to do something more; if they were doing it anyway, we would not need regulations. It is an additional thing that business is being asked to do. It might be that we have decided that overall it is in the best interests of the sector. Individual businesses cannot regulate and change the sector themselves, so we have decided, “For the good of society, we think businesses should do this.”

I am always a little careful when we politicians say that we know what is better for business in terms of what they are doing. I take the point about how regulatory certainty can be helpful in itself. I also take the point about the overall benefit to society and the business network of having confidence that there are secure and working data centres and that the large load controllers—which we will talk about presently—have control. This Bill is a full-fat compendium of cross-regulations and links. I feel for any business looking through the later chapters and finding themselves subject to those requirements. We have to keep that in mind: all of us in this Committee want our businesses to succeed and do well, and we also want stable and flourishing infrastructure.

Going back to my medical roots, the starting point should be, “Primum non nocere”. That is often misinterpreted as, “First, do no harm”; actually, not doing harm is the main thing that we should do. As a legislator, you should have quite a high threshold before you start saying, “The solution is putting in another law. Let’s create another regulation,” or, “Let’s put another burden on business.”

One of the challenges I had when looking at the Bill when it was first published was understanding why we need it in the first place. What is its starting point? That is something that I have been exploring and thinking about as we have been preparing for this Committee stage. Why is our industry not doing it itself and sorting this out? Why is the Minister here today bringing forward these regulations on business and why is that necessary in the first place as opposed to business sorting it out?

I am sure that this is something that the Committee are going to come back to and explore in more detail when we discuss some of the more high-profile cyber-security impacts, particularly on Jaguar Land Rover and M&S. The hon. Member for Lichfield makes a very good point, and I do not think that this debate is settled in some ways—and I am sure we are going to come back to it quite a few times during the passing of this Bill.

Dave Robertson

I think your crystal ball is working today.

Dr Spencer

I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.

Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.

The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and regulated data centres it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?

Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?

Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.

In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.

Alison Griffiths

My hon. Friend is making a very good point, which also applies to improving board awareness and ensuring that the enforcement of the regulations incentivises boards to take the issue seriously and make sure that they are equipped to understand the commercial reality of cyber-security for their businesses. Enforcement is an important part of that.

Dr Spencer

That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.

Bradley Thomas

Does the shadow Minister agree that the Government should heed the message of Chris Dimitriadis, the chief global strategy officer at the Information Systems Audit and Control Association? He said:

“The era when cyber regulation could focus solely on critical national infrastructure is over. Today, every major employer is part of the digital economy—and therefore part of the threat landscape.”

Surely the Government should heed that message.

Dr Spencer

That is a stark message. Going back to my previous point, I struggle to think how many small businesses can really put in the necessary resource to take these sorts of steps on cyber-security.

There is a broader point here, which goes back to my opening remarks. A chunk of this involves hostile state actors that are attacking our companies, Parliament and the Government, whether directly or through their intermediaries. I find it quite ironic that it was announced earlier this week that our security services are going to work with China’s security services to deal with cyber-security threats. I thought, “Well, hang on a sec. What are they going to say, given that the Chinese Communist party is one of the main drivers of cyber-security threats in the UK?”

Legislating in this area and deciding how to approach it as a society is a particular challenge, given that it is not merely criminals or hacktivists doing this stuff to our companies and institutions; there is also full-fat hostile state interference from Russia, Iran or the Chinese Communist party.

Bradley Thomas

The risk and the threat from hostile states is plain to see. Does my hon. Friend have any sympathy for the ten-minute rule Bill that I introduced a few months ago on the Floor of the House? We need to strike a balance between the risk that bureaucratic administration poses to small businesses and the very real risk that cyber-attacks pose to the economy in general. The Government should have the private sector in scope and look at setting a threshold that does not become burdensome on smaller businesses. My proposal was for any company that turns over £25 million or more to be in scope, in order to not bear down too heavily on small companies that would otherwise find the process, the risk and the burden of reporting too onerous.

Dr Spencer

I thank my hon. Friend for his interesting proposal, which attempts to crack the nut of one of the problems subsumed in the Bill.

The Bill cherry-picks certain sectors that need to be regulated entities, and there is a whole host of definitions. Then the Secretary of State can allocate some of the bits that they want to tag on through secondary legislation or the designation of a critical supplier. Then we have the MSP component. But there is something the Bill does not deal with. If I were to ask the man in the street to identify the biggest cyber-security attack they have heard of in the past year or so, their answer would probably depend on where they live. If they live in the west midlands, they would talk about JLR, which has had a catastrophic effect on the local economy. In other parts of the country, the focus might be on Marks & Spencer or the Co-op. The Bill does not fix that, so what needs to be done? Should there be a threshold based on turnover, so that the process is not so onerous on certain companies, or something to support the insurance industry?

The Bill is silent on this issue, and the Government need to come up with some answers. I totally understand what they are trying to do with the Bill and how it is taking us forward—of course the NIS regulations need updating—but it does not fix the big stuff that has had a huge impact on people’s lives and required a massive bail-out of several billions of pounds-worth of taxpayers’ money. How many more JLRs can the Government afford to bail out until they have to do something to resolve the issue? I suspect we will come back to that, but I am glad that my hon. Friend introduced his ten-minute rule Bill.

We need to have a solution, but at the same time, we should not put onerous burdens on companies that are already struggling because of the Government’s anti-growth agenda and the punitive taxes being imposed on them to pay for profligate spending. This goes back to the discussion about prima facie harms. Taxation is the best example of a prima facie harm.

Dave Robertson

Will the hon. Member give way?

Dr Spencer

I am very happy to give way on taxation.

Dave Robertson

I fear I am about to repeat what I said a moment ago. I am aware that nobody gets up in the morning and is excited to pay tax, but tax pays for our roads, for our infrastructure, for our hospitals, which keep our workforce in good health, for the education of the next round of employees, for our security services, and for the police, who help to prevent crime. It pays for a whole variety of things that are essential for business to succeed, so taking an evangelical view that tax is bad is just not—

--- Later in debate ---
The Chair

Order. I want to take this opportunity to again remind the hon. Gentleman and the shadow Minister that this Bill is not about tax. It is relatively narrowly drawn, so I would be grateful if hon. Members can come back to what is on the face of the Bill.

Dr Spencer

As I risk getting into trouble with Mr Stringer, I will not respond to the hon. Member for Lichfield. I look forward to the opportunity to debate this issue again, perhaps in the emergency Budget in the next couple of weeks.

Clause 6 brings large load controllers, which provide the flow of electricity in and out of smart appliances, within scope of the NIS regulations if the load is above 300 MW. I understand that the threshold has been decided through consultation, given that that pressure could have a substantial impact on the grid. There is a challenge in managing peak demand and supply in the grid and big changes in it, so I entirely understand why the Government are introducing this provision. Smart EV devices—I have a smart charging electric vehicle device myself—used system-wide could cause big grid disruptions, particularly as we integrate infrastructure into our homes such as solar panels, batteries and other energy-related smart devices.

In fact, we need the grid to become more smart device-integrated over the next 10, 15 or 20 years. When we look at projections of energy consumption, we see that we will need to enable people to use the grid by expanding technology such as vehicle-to-grid energy supply, so that we can manage peak load. That is part of expanding our energy, reducing energy costs and supporting renewable energy and the transition to net zero. If anything, this issue will become more important and expansive over the years.

On that basis, I have some questions for the Minister about the clause. Why are data centres and large load controllers the two sectors that he has decided to put on the face of the Bill? I say that with particular reference to the NIS2 regulations, which are expanded a bit more. How does he envisage this area expanding in the future? Is he confident that the scope of the clause is sufficient to cover future technologies that are coming down the track? I am thinking of EV charging apps. The list is prescriptive, but does it have sufficient flexibility? Is the Minister able to come back with secondary legislation if he needs to expand the list in the future, given that it is in the Bill in that form? Would it not be better to put that on the face of the Bill and to use secondary legislation to lay it out, in order to have flexibility? The Minister has been trying to ensure flexibility elsewhere, and understandably so—let us not go back into those debates. I just want to understand his reasoning behind that a bit better. That is certainly not a criticism, but I want to know why those particular sectors have been pulled out, and why it has not been left for secondary legislation.

Kanishka Narayan

With your permission, Mr Stringer, I will restrict my comments to the clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.

The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.

--- Later in debate ---
Kanishka Narayan

Loudly and slowly: this will capture organisations remotely managing significant amounts of electrical load via energy-smart appliances, both in a domestic and non-domestic setting. These organisations play an increasingly important role in the management of the electricity system, but are not currently regulated for cyber-security. A cyber-attack could therefore create major disruptions to the national grid, shutting down public services and critical national infrastructure. Capturing load control as an essential service will safeguard the public from these disruptions. It will also reflect the need to bring in new safeguards to manage a more digitalised and dynamic energy landscape in the transition towards net zero.

Dr Spencer

Before the Minister moves on—I was a bit nervous that he was going to finish—I have an additional question about the Crown data centre. What happens if a data centre is providing services commercially to both the public and the Crown? How is that operated within the scope of the Bill?

--- Later in debate ---
Kanishka Narayan

I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.

Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.

This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.

Dr Spencer

Clause 7 amends the definition of cloud services, which have been within the scope of regulation since the NIS regulations came into force. The expanded definition emphasises remote accessibility and the “on demand” nature of cloud services, and that services may be delivered from multiple locations. It also excludes managed services from the scope of cloud services to avoid duplication of regulatory requirements and oversight.

The Minister proposes changes to this provision in Government amendment 13, which sets out further details regarding the features of in-scope cloud service provision, including common access by multiple users, with each having access to separate processing functions. My question to the Minister builds on the one raised by my hon. Friend the Member for Bognor Regis and Littlehampton. It is obviously difficult—if it is possible at all—to predict how the tech sector will evolve, but what powers will the Government have to adjust these provisions as the cloud ecosystem changes, and what consultation has the Minister done on that within the scope of the Bill?

Kanishka Narayan

On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.

--- Later in debate ---
David Chadwick

Apologies for the preview.

Dr Spencer

If I might just help a colleague, I think the grouping and selection of amendments has changed, so the hon. Member for Brecon, Radnor and Cwm Tawe may have the previous iteration.

The Chair

That is very helpful. Thank you.

Amendment 13 agreed to.

Clause 7, as amended, ordered to stand part of the Bill.

Clause 8

Duties of relevant digital service providers

--- Later in debate ---
David Chadwick

Surely, we cannot pass a cyber-security and resilience Bill that ignores a crime that affects thousands of people. We know that cyber-security criminals across the world attack individuals to enable themselves to get into systems. Families are losing life savings, and small businesses are shutting down because of this epidemic.

The Government often treat fraud as a policing issue, but the amendment would establish that it should be regarded as a cyber-security issue that needs action at the national security level. By amending regulation 12(1) of the NIS regulations, we place a legal duty on digital providers to identify these vulnerabilities proactively. If we mandate that providers manage fraud risks before an incident occurs, we will reduce the number of victims and the devastation caused to livelihoods. We cannot claim to protect our digital economy while ignoring the billions of pounds lost to scams.

Dr Spencer

Clause 8 provides a new definition of “relevant digital service” and makes it clear that this category includes online marketplaces, online search engines and cloud computing services. The definition of “relevant digital service provider” is updated to encompass all entities providing a relevant digital service in the UK, regardless of whether they are established here. Entities designated as critical suppliers are excluded from the definition to avoid duplication of duties and regulatory oversight from sector-specific competent authorities.

However, the definition excludes from scope of regulation relevant digital service providers subject to public authority oversight, unless they derive over half their income from commercial activities. The exclusion of organisations overseen by public authorities also applies in relation to relevant managed service providers.

In many respects, clauses 7 and 8 provide necessary updates to reflect the changing nature and use of vital digital services. Once again, including within the scope of regulation companies that deliver services to the UK but are established or headquartered elsewhere helps to ensure that those companies report cyber-security incidents to UK authorities, rather than just authorities in their home states. That means that UK regulators and law enforcement are equipped with the most comprehensive knowledge of emerging threats.

--- Later in debate ---
Bradley Thomas

Given the blurring of boundary lines between cyber-attacks and financial crime, I can see the compelling reasons why the amendment has been tabled, but does the shadow Minister agree and acknowledge that fraud detection often requires a different skillset from standard network security, so it is important to strike the right balance?

Dr Spencer

I broadly agree. This is one of those difficult areas where there can be overlap. I have sympathy with the argument that it is important to use any opportunity, and in particular this Bill, to raise fraud.

We focus on financial fraud, but this area is not limited to that, especially when we think about other malicious operators, and about ransomware and hacktivism, where the boundaries are particularly blurred. In a situation where a fraudulent operator, service, provider or organisation has material, whether on social media or subject to search engines, and the police or other competent authorities have flagged it to the provider as fraudulent—as illegal criminal activity—what duties does that provider have to remove it or take it down? Is that something that the Minister is aware of? Has he looked into it, and what is the Government’s plan to crack down on that activity?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.

That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.

Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.

The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.

Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.

Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)

The Chair

We are now sitting in public again. We have heard declarations of interest. If there are any others, please say. We will now hear oral evidence from Jen Ellis, associate fellow for cyber and tech at the Royal United Services Institute, who is joining us online, and David Cook, who is a partner at DLA Piper. Thank you for coming.

Before calling the first Member to ask a question, I remind Members that questions should be limited to matters within the scope of the Bill. We must stick to the timings in the programme order that the Committee has agreed to. For this session, we have until 10 am. I call the shadow Minister.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

Q Thank you, Jen and David, for coming to give evidence to us this morning. Two questions. First, one to you, Jen. Lots of UK corporations have been the subject of recent major cyber-attacks, such as Jaguar Land Rover and M&S. Under the Bill as drafted, these remain outside the scope of the regulation. In your view, what is the best way to mitigate the risk to the economy, jobs and supply chains of further cyber-attacks of that scale to these important out-of-scope businesses? Secondly, and linked to that: Mr Cook, what lessons have you learnt from assisting clients with the implementation of NIS2—the second network and information systems directive—on the need for certainty in legislation? What do you think will be the most challenging areas of business to implement this Bill?

Jen Ellis: There is a thing that you always hear people say in the cyber-security industry, which is, “There are no silver bullets”. There is no quick fix or one easy thing, and that definitely applies when looking at policy as well. I cannot give you a nice, easy, pat answer to how we solve the problem of attacks like the ones we saw last year. What I can say is that, looking at the Cyber Security and Resilience Bill specifically, I think it could include companies above a certain size or impact to the UK economy. The Bill currently goes sector by sector—which makes lots of sense, to focus on essential services—but I think we could say there is another bucket where organisations beyond a certain level of impact on the economy would also be covered. That could be something like the FTSE350. Including those might be one way to go about it, but it is worth noting that it would not simply solve the problem because the problem is complex and multi-faceted, and this is just one piece of legislation.

David Cook: With respect to NIS2, that is an example of a whole suite of laws that have come in across the European Union—the Digital Decade law; I think there is something like 10 or 15 of these new laws. They do all sorts of different things, and NIS2 sits within that. NIS2 is the reform of the NIS directive, which is the current state of play in UK law. NIS2 gives certainty and definition, by way of the legislation itself and then the implementing legislation, which means that organisations have had a run-up at the issue and a wholesale governance programme, which takes a number of years, but they know where they are headed, because it is a fixed point in the distance, on the horizon.

The Bill we are talking about today has the same framework as a base. The plan then is that secondary legislation can be used in a much more agile way to introduce changes quickly, in the light of the moving parts within the geopolitical ecosystem outside the walls. For global organisations with governance that spans jurisdictions, a lack of certainty is unhelpful. Understanding where they need to get to often requires a multi-year programme of reform. I can see the benefits of having an agile, flexible system, but organisations—especially global ones, which are the sort within the scope of this Bill—need time to prepare, recruit people, get the skillset in place, and understand where they need to get to. That fixed future point needs to be defined.

Chris Vince (Harlow) (Lab/Co-op)

Q I feel that I should declare an interest as the MP for Harlow, which has a large data centre within it. My question is about international alignment. Is this legislation in keeping with developments that you are seeing globally?

David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.

--- Later in debate ---
The Chair

Good morning, everyone, and welcome. We will now hear oral evidence from Jill Broom, head of cyber-resilience at techUK, from Stuart McKean, chairman of Nine23, and from Dr Sanjana Mehta, senior director for advocacy at ISC2. We must stick to the timings in the programme motion that the Committee has agreed for this session; we have until 10.40 am. Will the witnesses please briefly introduce themselves for the record?

Dr Sanjana Mehta: Good morning. My name is Sanjana; I work as senior director, advocacy, at ISC2.

Jill Broom: Good morning. My name is Jill Broom; I am head of cyber-resilience at techUK, the trade association for the technology industry in the UK.

Stuart McKean: Good morning. I am Stuart McKean; I am the founder and chairman of Nine23. We are a small MSP, based in the UK.

Dr Spencer

Q Thank you for giving evidence this morning. The Bill would not have prevented recent attacks on high-profile parts of UK industry such as Co-op, Marks and Sparks, and Jaguar Land Rover. What more do you think can be done to mitigate the risk to jobs, supply chains and the UK economy from further large-scale cyber-attacks against out-of-scope companies?

My second question is a bit more technical. Do you consider that the definition in the Bill of a managed service provider is sufficiently clear and certain for businesses to understand whether they are in scope or out of scope of the Bill?

Dr Sanjana Mehta: I appear before the Committee today on behalf of ISC2, which is the world’s largest not-for-profit membership association for cyber-security professionals. We have 265,000 members around the world and 10,000-plus members in the UK.

On your question about sectoral scope, our central message is that we welcome the introduction of the Bill and we believe that it will go a long way towards improving the cyber-resilience of UK plc. Yes, there are certain sectors that are outside the scope of the Bill, and we believe that there are a number of non-legislative measures that could be used to enhance the cyber-security of other industries and parts of the sector. In particular, the forthcoming national cyber action plan should be used as a delivery vehicle for improving the resilience of UK plc as a whole.

On the previous panel, I think Jen mentioned that there are voluntary codes of practice. As an organisation, we have piloted the code of practice for cyber governance, and we have signed up to the ambassadors scheme for the code of practice for secure software development. We think that the upcoming national cyber action plan can further encourage the uptake of such schemes and frameworks. Most importantly, we call upon Government to focus on skills development as a non-legislative measure, because ultimately that will be the key enabler of success, whether it is for organisations that are within or outside the scope of the Bill.

The Chair

The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.

Stuart McKean: I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only 11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.

Jill Broom: Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.

We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.

--- Later in debate ---
Bradley Thomas

Q How might we glean some clarity on that?

Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.

Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.

Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.

Dr Spencer

Q The issues about complexity and how loosely the Bill is drafted have come up quite a few times, and you have given good evidence regarding your concerns. What cost to business do you anticipate if the Bill stays so loose, with so much left to secondary legislation?

Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.

--- Later in debate ---
The Chair

Q We will now hear oral evidence from Matt Houlihan, vice-president for government affairs in Europe for Cisco UK and Ireland, Ben Lyons, senior director of policy and public affairs for Darktrace, Chris Anley, chief scientist for NCC Group, and Dr Ian Levy, vice-president of security at Amazon. We must stick to the timings in the programme order; for this session we have until 11.25 am. Could the witnesses please introduce themselves briefly for the record, starting with Dr Levy?

Dr Ian Levy: Good morning. I am Ian Levy, and I am a vice-president and distinguished engineer at Amazon. That job allows me to look across everything that Amazon does, including Amazon Web Services, the bookshop, our new satellite system and everything in between. Prior to that, I spent 23 years in GCHQ, and I was the founding technical director and designer of the National Cyber Security Centre.

Chris Anley: I am Chris Anley, chief scientist at NCC Group. We are a multinational cyber-security company, listed on the London Stock Exchange and headquartered in Manchester.

Matt Houlihan: Hi everyone. I am Matt Houlihan, and I am the vice-president for government affairs in Europe for Cisco, which is a technology company specialising in networking, security and collaboration technologies.

Ben Lyons: Good morning. I am Ben Lyons, and I am senior director for policy and public affairs at Darktrace. We are a company that uses AI for cyber-security, headquartered up in Cambridge.

Dr Spencer

Q Thank you for coming to speak to us this morning. I have a different question for each of you, so I will rattle them off and ask you to go through them.

Starting with Ben from Darktrace, how are developing and emerging technologies such as AI and post-quantum crypto changing the nature of cyber-security threats? Do you think the Bill responds adequately to that changing threat landscape?

Moving on to Matt from Cisco, what further guidance and consultation from the Government and the Information Commissioner is needed for MSPs to comply effectively with their obligations under the Bill?

Chris from NCC Group, the National Audit Office report last year highlighted lots of serious deficiencies in Government cyber-resilience. Do you think the cyber action plan goes far enough? How can Government Departments be overseen and held to account in a way that will deliver meaningful improvements in cyber-resilience?

Finally, Ian from Amazon, a core feature of your business model is extensive exposure to supply chain partners. Do you think that the designation of critical suppliers by regulators under the Bill is the correct approach? What further consultation is needed to make sure that that is proportionate, prioritises the most critical suppliers and, crucially, gives a degree of certainty, whether legal or financial?

Ben Lyons: AI is significantly changing cyber-security. You can think about it at three levels: first, the way in which attackers are using AI to mount cyber-attacks; secondly, the need to secure AI systems and AI within companies and organisations; and thirdly, the question of how AI is changing cyber-security on the defensive side.

In brief, we see significant use of AI by attackers. Today, we are releasing the results of a survey in which 73% of surveyed security professionals say that AI-powered threats are having a significant impact on their organisation. These are things like phishing, reconnaissance, and lowering the barriers to being able to launch attacks and review more targets more effectively. Last month, the chief executive officer of Anthropic, which is one of the main frontier AI labs, warned that he sees AI-led cyber-attacks as potentially being the main way in which cyber-attacks are conducted in the future.

At the level of the enterprise, you have a challenge of how you secure the enterprise, in terms of not only developing and deploying AI, but visibility of AI used in an organisation. We are certainly seeing AI transform how cyber-security vendors and organisations manage the threat: they have greater visibility, can detect threats more quickly and the like. On how the Bill responds to that, one positive in its approach is that it is setting out an agile, outcomes-based approach that means that the regulatory regime can be capable of evolving as the threat evolves. It is sensible not to talk about AI in depth on the face of the Bill, but through mechanisms such as the code of practice, it will be possible for expectations to evolve over time as the threat and the technology mature.

The Chair

I should say to the witnesses: do not feel obliged to answer each question if you do not feel that you have anything material to add.

Matt Houlihan: It is very tempting to answer the question on AI, but thank you for the question on managed service providers. It is right that managed service providers are looked at in this Bill. An increasing amount of the work of managing IT services is clearly now outsourced to managed service providers. There needs to be some scrutiny and some baseline of cyber-security with those. I would say a couple of things on what guidance is needed. We broadly support the definition in the Bill. I appreciate the comments in the previous session that suggested that the definition was a little too broad and could be refined, which I think is fair, but when you compare the definition in the CSRB with the definition of managed service providers used in the NIS2 legislation, a couple of bits of clarity are provided in the CSRB. First, the managed service provider needs to provide an

“ongoing management of information technology systems”.

We feel that word “ongoing” is quite important. Secondly, it has to involve

“connecting to or…obtaining access to network and information systems relied on by the customer”.

We feel that

“connecting to or…obtaining access to”

the network is an important part of the definition that should be put forward. One area where more tightness can be provided is where, in the Bill, there is a non-exhaustive list of activities that an MSP could be involved in, such as

“support and maintenance, monitoring, active administration”.

The Bill then says, “or other activities”, which adds quite a bit of uncertainty on what is and is not an MSP.

The other area I would like to highlight and link to Ben’s answer on AI is that the “active administration” activity raises a question about the extent to which AI-enabled managed services would come under that definition. I am sure that lots of managed service providers will use AI more and more in the services that they provide to their end customers; to what extent does “active administration” involve an AI-related service?

To end on that specific question, the Information Commissioner’s Office will, I believe, issue guidance for managed service providers once the Bill is passed. That guidance will be the critical thing to get right, so there should be consultation on it, as my colleague from techUK suggested earlier. I would also suggest that that guidance cannot be a simple check-box list of things that have to be done. We should shift our thinking to have more of an ongoing appreciation of what cyber-security involves in practice for MSP or other regulated entities under the Bill. Making sure there is an ongoing process and that there is effective enforcement will be important.

Chris Anley: On the NAO report, the cyber action plan and public sector cyber-security, you are absolutely right to point out that the NAO report identifies serious issues. The Government recently acknowledged that they are likely to miss their 2030 cyber-resilience targets. It is also important to point out that the cyber action plan lays out an approach with many very positive elements such as an additional £210 million in central funding. There are many benefits to that, including a centralised provision of services at scale, a concentration of expertise and a reduction of costs.

Then there are other broader initiatives in the cyber action plan. The UK software security code of practice, which has been mentioned several times in these sessions, is a voluntary code that organisations can use as a tool to secure their supply chain. Cisco and NCC Group are ambassadors for that scheme and voluntarily comply with it, and it improves our own resilience.

Whether the cyber action plan goes far enough is a very difficult question. The NAO report also points out the extreme complexity of the situation. Within the budgetary constraints, I think it is fair to say that the steps in the plan seem reasonable, but there is a broader budgetary conversation to be had in this area. Two of the most significant issues identified in the report are the skills shortage, which has come up in these sessions—almost a third of cyber-security posts in Government are presently unfilled, which is dangerous—and the fact that Departments rely on vulnerable, outdated legacy IT systems, which may be the cause of an incident in their own right and would certainly make an incident much more severe were one to occur. The problem is that those are both largely budgetary issues. Successive Governments have obviously focused on delivering taxpayer value, as they should—we are all taxpayers—but over a period of a decade or more, that has led to a position where Departments find it difficult to replace legacy IT systems and fill these high-skill, high-cost cyber-security positions. There is very much a broader discussion to be had, as has been raised in these sessions, about where we should be in terms of the budget. You are absolutely right to raise the public sector issues. Although the Bill focuses on the private sector, the public sector obviously must lead by example.

Dr Ian Levy: We think the current definitions of critical suppliers are probably overly broad and risk bringing in SMEs, when you really do not want to do that. That said, we need to think about the transitive nature of supply chains. With previous regulations that talk about cyber-security, we have seen a flow-down of requirements through contracting chains. There is a question about how far it is reasonable to go down those contracting chains. In my experience, the value of the contract and the potential impact are not necessarily correlated. We certainly saw that when we were giving evidence for the Telecommunications (Security) Act 2021.

There is a real question about how you define what supply chain you mean. You mentioned that AWS has a complex supply chain. We certainly do—it is astoundingly complex—but the important thing is that we control the really important parts of that. For example, we build our own central processing units, graphics processing units, servers, data centres and so on. The question then becomes: how does that translate out to customers? If a customer is using a partner’s service running on AWS, where does the liability accrue? I do not think that is adequately covered in the Bill.

In terms of certainty and foreseeability, the Bill as it stands admits a single entity being regulated multiple times in multiple different ways. We are subject today to at least four different sets of regulations and regulators. Some of them conflict, and some of them are ambiguous. As this expands out, a single reporting regime—a lead regulator model—would take some of that ambiguity away so that you have more foreseeability and certainty about what you are trying to do.

There are things in the current drafting of the Bill that we think need some consultation. There are things in primary legislation, such as the Secretary of State’s powers, that seem to be unbounded—that is probably the best way to describe it—and that seems dangerous. We understand the necessity for powers around national security, but we think there need to be some sort of safeguards and consultation about how they are used in practice. For any multinational company, something that is effected in the UK is likely to affect all our customers, so some real constraint is needed around that.

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

The Chair

Good afternoon. We will now hear oral evidence from Ian Hulme, the interim executive director of regulatory supervision and director of regulatory assurance for the Information Commissioner’s Office; Natalie Black, group director for infrastructure and connectivity for Ofcom; and Stuart Okin, director of cyber regulation and artificial intelligence for Ofgem. We need to stick to the timings in our programme order, so we have until 2.40 pm for this session. Could the witnesses please introduce themselves briefly before we hand over for questions?

Ian Hulme: Good afternoon. My name is Ian Hulme, and I am interim executive director of regulatory supervision at the ICO.

Natalie Black: Good afternoon. I am Natalie Black, and I am group director for infrastructure and connectivity at Ofcom.

Stuart Okin: My name is Stuart Okin; good afternoon. I am the director for cyber regulation and artificial intelligence at Ofgem.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

Q38 Thank you for giving your time this afternoon. I have a couple of questions, which I will deal with in one go. The first is for Natalie. Ofcom’s role in cyber-security regulations will be expanded significantly under the Bill. What preparation has Ofcom undertaken to ensure it has sufficient capacity for effective oversight and, where necessary, enforcement in relation to its new regulatory obligations?

My second question is jointly for Ian and Stuart, from the ICO and Ofgem. Some industry stakeholders have expressed concern about low levels of incident reporting and enforcement under the NIS1—network and information systems—regs. How will your respective approaches to regulation change as a result of this Bill, to ensure that it is implemented and that cyber-resilience is improved across the sectors you are responsible for regulating?

Natalie Black: I will kick off. We have some additional responsibilities, building on the NIS requirements, but the data centre aspect of the Bill is quite a substantial increase in responsibilities for us. It is worth emphasising that we see that as a natural evolution of our responsibilities in the sector. Communications infrastructure is evolving incredibly quickly, as you will be well aware, and data centres are the next big focus. In terms of preparations, we are spending this time getting to know the sector and making sure we have the right relationships in place, so that we do not have a standing start. I have done a number of visits, for example, to hear at first hand from industry representatives about their concerns and how they want to work with us.

We are also focusing on skills and recruitment. We already have substantial cyber-security responsibilities in the communications infrastructure sector. We are building on the credibility of the team, but we are focused on making sure we continue to invest in them. About 60% of the team already come from the private sector. We want that to continue going forward, but we are not naive to how challenging it is to recruit in the cyber-security sector. For example, we are working with colleagues from the National Cyber Security Centre, and looking at universities it is accrediting, to see how we can recruit directly using those kinds of opportunities.

Ian Hulme: On incident reporting, the thresholds in the existing regulations mean that levels are very low. Certainly, the reports we see from identity service providers do not meet those thresholds. I anticipate that we will see more incidents reported to us. With our enhanced regulatory powers and the expanded scope of organisations we will be responsible for, I anticipate that our oversight will deepen and we will have more ability to undertake enforcement activity. Certainly from our perspective, we welcome the enhanced reporting requirements.

Stuart Okin: To pick up on the incident side of things, I agree with Ian. The thresholds will change. With the new legislation, any type of incident that could potentially cause an issue will obviously be reported, whereas that does not happen today under the NIS requirements.

On enforcement, in seven years we have used all the enforcement regimes available to us, including penalties, and we will continue to do so. We absolutely welcome the changes in the Bill to simplify the levels and to bring them up, similar to the sectorial powers that we have today.

Chris Vince (Harlow) (Lab/Co-op)

Q I declare an interest. My father-in-law is Professor Robin Bloomfield, a professor of software and system dependability at City St George’s, University of London, and I have a large data centre in my constituency. My question is probably shorter than that. Why is it important to give regulators flexibility to implement guidance for the sectors they cover?

Stuart Okin: In the energy sector, we tend to use operational technology rather than IT systems. That might mean technology without a screen, so an embedded system. It is therefore important to be able to customise our guidance. We do that today. We use the cyber assessment framework as a baseline, and we have a 335-page overlay on our website to explain how that applies to operational technology in our particular space. It is important to be able to customise accordingly; indeed, we have added physical elements to the cyber assessment framework, which is incredibly important. We welcome that flexibility being maintained in the Bill.

Ian Hulme: Just to contrast with colleagues from Ofcom and Ofgem, ICO’s sector is the whole economy, so it is important that we are able to produce guidance that speaks to all the operators in that sector. Because our sector is much bigger, we currently have something like 550 trust service providers registered, and that will grow significantly with the inclusion of managed service providers. So guidance will be really important to set expectations from a regulatory perspective.

Natalie Black: To round this off, at the end of the day we always have to come back to the problem we are trying to solve, which is ensuring cyber-security and resilience. As you will have heard from many others today, cyber is a threat that is always evolving. The idea that we can have a stagnant approach is for the birds. We need to be flexible as regulators. We need to evolve and adapt to the threat, and to the different operators we will engage with over the next couple of years. Collectively, we all appreciate that flexibility.

--- Later in debate ---
Tim Roca

Q Is there anything that you would have preferred to see in the primary legislation, or do you think secondary legislation affords industry and Government flexibility?

Ian Hulme: There is a balance to be struck. When something is written on the face of the Bill and things change—and we know that this is a fast-moving sector—it makes it incredibly difficult to change things. There is a balance to be struck between primary and secondary, but what we are hearing and saying is that more precision around some of the definitions will be critical.

Natalie Black: I strongly agree with Ian. A regulator is only as good as the rules that it enforces. If you want us to hold the companies to account, we need to be absolutely clear on what you are asking us to do. The balance is just about right in terms of primary and secondary, particularly because the secondary vehicle gives us the opportunity to ensure that there is a lot of consultation. The Committee will have heard throughout the day—as we do all the time from industry—that that is what industry is looking for. They are looking for periods of business adjustment—we hear that loud and clear—and they really want to be involved in the consultation period. We also want to be involved in looking at what we need to take from the secondary legislation into codes of practice and guidance.

Dr Spencer

Q Natalie, I am going to single out Ofcom, which has a lot on its plate at the moment, particularly when it comes to the implementation of the Online Safety Act 2023 and all its other duties. Are you set up to administer your duties under the Bill? Are your resources siloed, given Ofcom’s competing considerations, particularly over the next few years?

Natalie Black: That is a great question, and I am not at all surprised that you have asked it, given everything that is going on at the moment. As well as being group director for infrastructure and connectivity, I am also the executive member of the board, sitting alongside our chief executive officer, so from first-hand experience I can say that Ofcom really recognises how fast technology is changing. I do not think there is another sector that is really at the forefront of change in this way, apart from the communications sector. There are a lot of benefits to being able to sit across all that, because many of the stakeholders and issues are the same, and our organisation is learning to evolve and adapt very quickly with the pace of change. That is why the Bill feels very much like a natural evolution of our responsibility in the security and resilience space.

We already have substantial responsibilities under NIS and the Telecommunications (Security) Act 2021. We are taking on these additional responsibilities, particularly over data centres, but we already know some of the actors and issues. We are using our international team to understand the dynamics that are affecting the Online Safety Act, which will potentially materialise in the security and resilience world. As a collective leadership team, we look across these issues together. The real value comes from joining the dots. In the current environment, that is where you can make a real difference.

Dr Spencer

Q That sounds slightly like an argument for having a single regulator, as opposed to multiple sector regulators. I apologise if I am putting words into your mouth.

Natalie Black: That is definitely not what I am saying. You can cut the cake in many different ways. From where I sit—from my experience to date—you need specific sector regulators because you need regulators that understand the business dynamics, the commercial dynamics, the people dynamics and the issues on a day-to-day basis.

We have many people who have worked at Ofcom for a very long time, and who know the history and have seen these issues before. When it comes to threats, which is ultimately what we are dealing with—cyber-security is a threat—it is cross-cutting. It adapts, evolves and impacts in different ways. The knack is having a sector regulator that really understands what is going on. That means that when you are dealing with cyber-incidents, you understand the impact on real people and businesses, and ultimately you can do something more quickly about it.

Dr Spencer

Q From all three of your perspectives, are you quite clear about where your individual institutional responsibilities lie? Is there clear water between the organisations? When Ian Levy from Amazon gave evidence this morning, I was struck when he said that Amazon is regulated in the cyber-security space by four regulators. Is the separation of duties and responsibilities clear? Is there a risk that the Secretary of State’s ability to designate critical security risks will muddy the water a bit?

Stuart Okin: We have a clear understanding of the responsibilities within Ofgem. We are the joint competent authority with the Department for Energy Security and Net Zero. The Department does the designation and incident handling, and we do all the rest of the operations, including monitoring, enforcement and inspections. We understand our remit with NCSC. GCHQ is part of the cyber-security incident response team; it is ultimately responsible there.

Going back to your main concern, we are part of an ecosystem. We have to understand where our lines are drawn, where NCSC’s responsibilities are and what the jobs are. To go back to us specifically, we can talk about engineering aspects, electrical engineering, gas engineering and the cyber elements that affect that, including technology resilience—not cyber. As long as we have clear gateways and communication between each other—and I think that the Bill provides those gateways—that will also assist, but there are clear lines of responsibilities.

Natalie Black: It is clear that there is work to do to get in the same place for the Bill. Exactly as Stuart said, the information gateways will make a massive difference. It is too hard, at the moment, to share information between us and with the National Cyber Security Centre. The fact that companies will have to report within 24 hours not only to us but to the NCSC is very welcome.

To return to my earlier point, we think that there is a bit of work for DSIT to do to help to co-ordinate this quite complicated landscape, and I think that industry would really welcome that.

Ian Hulme: I agree with colleagues. From an ICO perspective, we see our responsibilities as a NIS competent authority as complementary to our role as a data protection regulator. If you want secure data, you have to have secure and resilient networks, which are obviously used to process data. We see it as a complementary set of regulations to our function as a data protection regulator.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Q I would like to continue the line of questioning on the importance of having a single regulator. Other countries, such as the Netherlands, have recently merged their cyber-security organisations. The Bill introduces expanded but sector-specific reporting requirements, to apply to regulators across different sectors. Do you believe that this fragmented reporting landscape risks preventing Government and regulators from forming a coherent cross-sector picture of emerging threats—particularly when foreign actors may be probing multiple systems simultaneously? If so, what measures could be taken to mitigate that risk?

It strikes me that, if one of the things that this legislation is to guard against is pre-positioning, and there are 14 parallel reporting systems in place, it could be the case that those pre-positioning attacks are not picked up as co-ordinated attacks from another nation state or organisation, because they are not pulled together in time.

Natalie Black: I point to my earlier remarks about information sharing. You are right: that is one of the great benefits of the Bill. To be able to do more, particularly when it comes to pre-positioning attacks, is really important. You will have heard from the NCSC, among others, that that is certainly a threat that we are seeing more and more of.

At the moment, it is too difficult to share information between us. The requirement to have an annual report to the NCSC is a good mechanism for consolidating what we are all seeing, and then for the NCSC to play the role of drawing conclusions. It is worth emphasising that Ofcom is not an operational organisation; we are a regulator. We look to the NCSC to provide threat leadership for what is going on across the piece. I think that that answers your question about where it all comes together.

Stuart Okin: I fully support that. The NCSC will be the hub for that type of threat intel and communications, in terms of risks such as pre-positioning and other areas. The gateways will help us to communicate.

Ian Hulme: Bringing it back to the practicalities of incident reporting, you said that there are potentially 14 lines of incident reporting because there are 14 competent authorities. How that can be consolidated is something to be explored. Put yourself in the position of an organisation that is having to make a report: there needs to be clarity on where it has to make it to and what it needs to report.

--- Later in debate ---
Dr Spencer

Q Thank you for coming to give evidence this afternoon. I have two questions. First, what more could the Government be doing to make regulated sectors aware of the risks you have just laid out and what they can do to address them?

Secondly, it has been reported recently that communications of senior Government aides were hacked by Chinese state affiliates between 2021 and 2024. In view of that threat to telecoms networks, what are the potential cyber-risks to communications infrastructure that you see arising from the intended location of China’s super-embassy in the City of London?

Chung Ching Kwong: On the first question, about what can be done to help sectors understand the risks, education is paramount. At this point, we do not have a comprehensive understanding of what kind of risks state actors like China pose. We are very used to the idea that private entities are private entities, because that is how the UK system works; we do not see that organisations, entities or companies associated with China or the Chinese state are not independent actors as we would expect, or want to expect.

There is a lot of awareness-raising to be done and guidance to be issued around how to deal with these actors. There is a lot of scholarly work that says that every part of Chinese society—overseas companies and so on—is a node of intelligence collection within the system of the CCP. Those things are very important when it comes to educating.

Also, the burden of identifying what is a national security risk and what is not should not be put on small and medium-sized businesses, or even big companies, because they are not trained to understand what the risks are. If you are not someone specialising in the PLA and a lot of other things academically, it would be very difficult to have to deal with those things on a day-to-day basis and identify, “That’s a threat, and that’s a threat.”

Sorry, what was the second question?

Dr Spencer

Q It was about China’s super-embassy in London. What cyber-security risks do you think that poses, given your experience and background?

Chung Ching Kwong: There is not a lot of publicly available information on the sensitive cabling that is around the area, so I cannot confidently say what is really going to happen if they start to build the embassy and have such close contact with those cables. The limit of this Bill when it comes to the Chinese embassy is that it cannot mitigate the risks that are posed by this mega-embassy in the centre of London, because it regulates operators and not neighbours or any random building in the City. If the embassy uses passive interception technology to harvest data from local wi-fi or cellular networks, no UK water or energy company is breached. There is no breach if they are only pre-positioning there to collect information, instead of actually cutting off the cables, so when they do cut off the cables, it will be too late. There will be no report filed under the Bill, even if it is under the scope of the Bill when it comes to regulation. The threat in this case is environmental and really bypasses the Bill’s regulatory scope.

Dave Robertson (Lichfield) (Lab)

Q Thank you for coming in to talk to us this afternoon. The Bill includes a couple of backstop powers for the Government to compel information and things like that. Are those powers sufficient to guarantee national security?

Chung Ching Kwong: I think that to a certain extent they will. For hackers or malicious actors aiming for financial gain with more traditional hacking methods, it will definitely do a job in protecting our national security. But the Bill currently views resilience through an IT lens. It is viewing this kind of regulatory framework as a market regulatory tool, instead of something designed to address threats posed by state-sponsored actors. It works for cyber-criminals, but it does not work for state actors such as China, which possess structural leverage over our infrastructure.

As I said before, we have to understand that Chinese vendors are legally obliged to compromise once they are required to. The fine under the Bill is scary, but not as scary as having your existence threatened in China—whether you still have access to that market or you can still exist as a business there. It is not doing the job to address state-sponsored hackers, but it really does help when it comes to traditional hacking, such as phishing attempts, malware and those kinds of things.

--- Later in debate ---
The Chair

We will now hear evidence from Professor John Child, professor of criminal law at the University of Birmingham and co-founding director of the Criminal Law Reform Now Network. For this session, we have until 3.20 pm.

Dr Spencer

Q Thank you for coming to give evidence this afternoon. I have a couple of questions. First, how can industry and cyber-security researchers collaborate more effectively to increase cyber-resilience in the network and information systems of regulated sectors? Secondly, and building on that, are there any model schemes or arrangements for reporting risks to affected companies that could incentivise legitimate research activities?

Professor John Child: My specialism is in criminal law, so this is a bit of a side-step from a number of the pieces of evidence you have heard so far. Indeed, when it comes to the Bill, I will focus on—and the group I work for focuses on—the potential in complementary pieces of legislation, and particularly the Computer Misuse Act 1990, for criminalisation and the role of criminalisation in this field.

I think that speaks directly to the first question, on effective collaboration. It is important to recognise in this field, where you have hostile actors and threats, that you have a process of potential criminalisation, which is obviously designed to be effective as a barrier. But the reality is that, where you have threats that are difficult to identify and mostly originating overseas, the actual potential for criminalisation and criminal prosecution is slight, and that is borne out in the statistics. The best way of protecting against threats is therefore very much through the use of our cyber-security expertise within the jurisdiction.

When we think about pure numbers, and the 70,000-odd cyber-security private experts, compared with a matter of hundreds in the public sector, police and others, better collaboration is absolutely vital for effective resilience in the system. Yet what you have at the moment is a piece of legislation, the Computer Misuse Act, that—perfectly sensibly for 1990—went with a protective criminalisation across-the-board approach, whereby any unauthorised access becomes a criminal offence, without mechanisms to recognise a role for a private sector, because essentially there was not a private sector doing this kind of work at the time.

When we think about potential collaboration, first and foremost for me—from a criminal law perspective—we should make sure we are not criminalising effective cyber-security. The reality is that, when we look at the current system, if any unauthorised access of any kind becomes a criminal offence, you are routinely criminalising engagement in legitimate cyber-security, which is a matter of course across the board. If you are encouraging those cyber-security experts to step back from those kinds of practices—which may make good sense—you are also lessening that level of protection and/or outsourcing to other jurisdictions or other cyber-security firms, with which you do not necessarily have that effective co-operation, reporting and so on. That is my perspective. Yes, you are absolutely right, but we now have mechanisms in place that actively disincentivise that close collaboration and professionalisation.

Sarah Russell

Q Professor Child, I note that you are very supportive of legal reform in quite a number of areas. With emphasis on the Computer Misuse Act, surely the reality is that the Crown Prosecution Service will never conclude that it is in the best interests of the country to prosecute any of the behaviours that people are concerned about, which we recognise as positive and helpful. Is there a need for legal reform?

Professor John Child: Yes. It is not the easiest criminal law tale, if you like. If there were a problem of overcriminalisation in the sense of prosecutions, penalisation, high sentences and so on, the solution would be to look at a whole range of options, including prosecutorial discretion, sentencing or whatever it might be, to try to solve that problem. That is not the problem under the status quo. The current problem is purely the original point of criminalisation. Think of an industry carrying out potentially criminalised activity. Even if no one is going to be prosecuted, the chilling effect is that either the work is not done or it is done under the veil of potential criminalisation, which leads to pretty obvious problems in terms of insurance for that kind of industry, the professionalisation of the industry and making sure that reporting mechanisms are accurate.

We have sat through many meetings with the CPS and those within the cyber-security industry who say that the channels of communication—that back and forth of reporting—are vital. However, a necessary step before that communication can happen is the decriminalisation of basic practices. No industry can effectively be told on the one hand, “What you are doing is vital,” but on the other, “It is a criminal offence, and we would like you to document it and report it to us in an itemised fashion over a period of time.” It is just not a realistic relationship to engender.

The cyber-security industry has evolved in a fragmented way both nationally and internationally, and the only way to get those professionalisation and cyber-resilience pay-offs is by recognising that the criminal law is a barrier—not because it is prosecuting or sentencing, but because of its very existence. It does not allow individuals to say, “If, heaven forbid, I were prosecuted, I can explain that what I was doing was nationally important. That is the basis on which I should not be convicted, not because of the good will of a prosecutor.”

--- Later in debate ---
Dave Robertson

Q That is a really helpful international comparator on where others are with the criminal law. Is there any correlation between that and the ability of people within those jurisdictions to act and work in this space? In the UK, we have seen a significant increase in the number of people working in this area since 1990. That is the real thing for me: whether we can prove that, internationally, there is a significant difference between jurisdictions that are minimalist or maximalist. If one of them is encouraging more people to work in this area, and therefore has a wider pool of talent, are they able to protect critical infrastructure better? Does that correlation exist?

Professor John Child: Yes. As I understand it, it does. This is part of the reason, incidentally, why my organisation, which focuses very much on criminal law aspects, ended up doing some collaborative work with the CyberUp campaign. That is because, from the industry perspective, they can do that kind of business modelling in a way that we do not. Whereas we can make the case for sensible criminal law reform, they can talk about how that reform translates into both the security environment and the commercial environment. Their perspective on this is, first, that we can see that there is already outsourcing of these kinds of services, particularly to the US, Israel and other more permissive jurisdictions. That is simply because, if you are a cyber-security expert in one of those jurisdictions, you are freer to do the work companies would like you to do to make sure their systems are safe here.

There are also the sectoral surveys and so on, and the predictions about what it is likely to do to the profession if you allow it to do these kinds of services in this jurisdiction. That is about the security benefits, but they are also talking about something like a 10% increase in the likely projection of what cyber-security looks like in this jurisdiction—personnel, GDP and so on.

Dr Spencer

Q What are the arguments against amending the CMA, and how would you deal with them?

Professor John Child: There are obviously a number. It is always more comfortable when you have a beginning point of criminalisation. The argument to decriminalise in an environment where you want to protect against threats is sometimes a slightly unintuitive sell. Is the criminalisation that we have doing the necessary work in terms of actually fighting the threats? To some extent, yes, but it is limited. Is it doing harms? There is an argument to say that it is doing harms.

This comes back to the point that was made earlier, which was perfectly sensible. When you speak to the CPS and others, their position as prosecutors is to say, “Very few people are being prosecuted, and we certainly don’t want to be prosecuting legitimate cyber-security experts, so there is no problem.” Admittedly, that means there is no problem in terms of actual criminalisation and prosecution, but that is the wrong problem. If you focus on the problem being the chilling effect of the existence of the criminalisation in the first place, you simply cannot solve that through prosecutorial discretion, and nor should you, when it comes to identifying what a wrong is that deserves to be criminalised. You certainly cannot resolve it through sentencing provisions.

The only way that you can sensibly resolve this is either by changing the offence—that is very difficult, not least because, from a position of criminalisation, it might be where other civil jurisdictions begin—or by way of defence, which realistically is the best solve from the point we are at now. If you have a defence that can be specifically tailored for cyber-security and legitimate actors, you can build in reverse burdens of proof. You can build in objective standards of what is required in terms of public interest.

The point here is that the worry is one of bad actors taking advantage. The reality is that that is very unlikely. The idea that the bad actors we identify within the system would be able to demonstrate how they are acting in the public best interest is almost ridiculous. Indeed, the prospect of better threat intelligence, better securities and so on provides more information and better information-sharing to the NCSC and others and actually leads to more potential for prosecution of nefarious actors rather than less.

It is a more complicated story than we might like in terms of a standard case for changing the criminal law, but it is nevertheless an important one.

The Chair

That brings us to the end of the time allotted to ask questions. On behalf of the Committee, I thank our witness for his evidence. We move on to our next panel.

Examination of witness

Detective Chief Superintendent Andrew Gould gave evidence.

The Chair

We will now hear oral evidence from Detective Chief Superintendent Andrew Gould, programme lead for the National Police Chiefs’ Council cyber-crime programme. For this session, we have until 3.40 pm. I call Dr Ben Spencer.

Dr Spencer

Q Thank you very much for coming in to give us evidence this afternoon, and thank you for your service. I have two questions. Who are the main threat actors in cyber-attacks on UK networks and information systems—what do they break down into, in terms of state actors, affiliates and criminal gangs?

Secondly, on ransomware attacks, you will know that the Government review states that ransomware is

“the greatest of all serious and organised cybercrime threats”.

In your view, what is the scale of that threat and what sectors and businesses are the primary targets?

DCS Andrew Gould: To take the actors first, they are probably quite well known, in terms of the general groupings. Yes, we have our state actors—the traditional adversaries that we regularly talk about—and they generally offer very much a higher-end capability, as you will all be aware.

The next biggest threat group is organised crime groups. You see a real diversity of capability within that. You will see some that are highly capable, often from foreign jurisdictions—Russian jurisdictions or Russian-speaking. The malware developers are often the more sophisticated, as-a-service-type offerings. We see more and more ransomware and other crime types almost operating as franchises—“Here is the capability, off you go, give us a cut.” Then they have less control over how those capabilities are used, so we are seeing a real diversification of the threat, particularly when it comes to ransomware.

Then, where you have that proximity to state-directed, if not quite state-controlled—that crossover between some of those high-end crime groups and the state; I am thinking primarily of Russia—it is a lot harder to attribute the intent behind an attack. There is a blurring of who it was and for what purpose it was done, and there is that element of deniability because it is that one further step away.

Moving back down the levels of the organised crime groups, you have a real profusion of less capable actors within that space, from all around the world, driving huge volumes, often using quite sophisticated tools but not really understanding how they work.

What we have seen is almost like a fragmentation in the criminal marketplace. The barrier to criminal entry is probably lower than it has ever been. You can download these capabilities quite readily—you can watch a tutorial on YouTube or anywhere else on how to use them, and off you go, even if you do not necessarily understand the impact. We certainly saw a real shift post pandemic from traditional criminals and crime groups into more online crime, because it was easier and less risky.

You look more broadly at hacktivists, terrorists—who are probably a lot less capable; they might have the intent but not so much the capability—and then the group that are sometimes slightly patronisingly described as script kiddies. These are young individuals with a real interest in developing their skills. They have an understanding that what they are doing is wrong, but they are probably not financially or criminally motivated. If they were not engaging in that kind of cyber-crime, they probably would not be engaging in other forms of criminality, but they can still do a lot of damage with the tools they can get their hands on, given that so many organisations seem to struggle to deliver even a basic level of cyber-resilience and cyber-security.

One of the things that we have really noticed changing over the last 18 months is the diversification of UK threats. Your traditional UK cyber-criminal, if there is such a thing, is primarily focused on hacking for personal benefit, ransomware and other activity. Now we are seeing a diversification, and more of a hybrid, cross-organised crime threat. There are often two factors to that. We often hear it described in the media or by us within law enforcement publicly as the common threat—this emerging community online—otherwise known as Scattered Spider.

There, we are seeing two elements to those sorts of groups. You see an element of maybe more traditional cyber-skills engaged in hacking or using those skills for fraud, but we also see those skills being used for Computer Misuse Act offences, in order to enable other offences. One of the big areas for that at the moment that we see is around intimate image abuse. We see more and more UK-based criminals hacking individuals’ devices to access, they hope, intimate images. They then identify the subject of those intimate images, most predominantly women, and then engage in acts of extortion, bullying or harassment. We have seen some instances of real-world contact away from that online contact.

Think of the scale of that and the challenge that presents to policing. I can think of cases in cyber-crime unit investigations across the country where you have got a handful of individuals who have victimised thousands of women in the UK and abroad. You have got these small cyber-crime units of a handful of people trying to manage 4,000 or 10,000 victims.

It is very difficult and very challenging, but the flipside of that is that, if they are UK-based, we have a much better chance of getting hold of them, so we are seeing a lot more arrests for those cross-hybrid threats, which is a positive. There is definitely an emerging cohort that then starts to blend in with threats like Southport and violence-fixated individuals. There seems to be a real mishmash of online threat coming together and then separating apart in a way that we have never seen historically. That is a real change in the UK threat that is driving a lot of policing activity.

Turning to your ransomware question, what is interesting, in terms of the kinds of organisations that are impacted by ransomware, is that a lot of the ransomware actors do not want to come to notice for hitting critical national infrastructure. They do not want to do the cloning of pipelines. They do not want to be taking out hospitals and the NHS. They know they will not get paid if they hit UK critical national infrastructure, for starters, so there is a disincentive, but they also do not want that level of Government or law enforcement attention.

Think of the disruptive effect that the UK NCA and policing had on LockBit the year before last. LockBit went from being the No. 1 ransomware strain globally to being out of the top 10 and struggling to come back. We saw a real fragmentation of the ransomware market post that. There is no dominant strain or group within that that has emerged to cover that. A lot of those groups that are coming into that space may be a bit less skilled, sophisticated and successful.

The overall threat to organisations is pretty much the same. The volume is the volume, but it is probably less CNI and more smaller organisations because they are more vulnerable and it is less likely to play out very publicly than if there is a big impact on the economy or critical national infrastructure. As such, there is probably not the level of impact in the areas that people would expect, notwithstanding some of the really high-profile incidents we had last year.

David Chadwick

Q Thank you for joining us. You mentioned frauds. It is a fact that criminals across the world are targeting British citizens every day. In Dyfed-Powys, over £500,000 was lost to online fraud in 2023-24, and elderly victims are losing £7,900 a day to fraud. Clearly, these attacks are coming from all over the world. Interpol recently arrested over 800 members of a global criminal network based in Nigeria. From your perspective, how effectively are UK police forces currently able to work with international partners to investigate and prosecute overseas criminals? What additional support from the Government would most improve your ability to mitigate online fraud from overseas?

DCS Andrew Gould: That is a really good question. The international jurisdiction challenge for us is huge. We know that is where most of the volumes are driven from, and obviously we do not have the powers to just go over and get hold of the people we would necessarily want to. You will not be surprised to hear that it really varies between jurisdictions. Some are a lot more keen to address some of the threats emanating from their countries than others. More countries are starting to treat this as more of a priority, but it can take years to investigate an organised crime group or a network, and it takes them seconds to commit the crime. It is a huge challenge.

There are two things that we could do more of, and better—these are things that are in train already. If you think about the wealth of cyber-crime, online fraud and so on, all the data, and a lot of the skills and expertise to tackle that, sit within the private sector, whereas in law enforcement we have the law enforcement powers to take action to address some of it.

With a recent pilot in the City funded by the Home Office, we have started to move beyond our traditional private sector partnerships. We are working with key existing partners—blockchain analytic companies or open-source intelligence companies—and we are effectively in an openly commercial relationship; we are paying them to undertake operational activity on our behalf. We are saying, “Company a, b or c, we want you to identify UK-based cyber-criminals, online fraudsters, money-laundering and opportunities for crypto-seizure under the Proceeds of Crime Act 2002”. They have the global datasets and the bigger picture; we have only a small piece of the puzzle. By working with them jointly on operations, they might bring a number of targets for us, and we can then develop that into operational activity using some of the other tools and techniques that we have.

It is quite early days with that pilot, but the first investigation we did down in the south-east resulted in a seizure of about £40 million-worth of cryptocurrency. That is off a commercial contract that cost us a couple of hundred grand. There is potential for return on investment and impact as we scale it up. It is a capability that you can point at any area of online threat, not just cyber-crime and fraud, so there are some huge opportunities for it to really start to impact at scale.

One of the other things we do in a much more automated and technical way—again funded by the Home Office—is the replacement of the Action Fraud system with the new Report Fraud system. That will, over the next year or so, start to ingest a lot of private sector datasets from financial institutions, open-source intelligence companies and the like, so we will have a much broader understanding of all those threats and we will also be able to engage in takedowns and disruptions in an automated way at scale, working with a lot of the communication service providers, banks and others.

Instead of the traditional manual way we have always been doing a lot of that protection, we can, through partnerships, start doing it in a much more automated and effective way at scale. Over time, we will be able to design out and remove a lot of the volume you see impacting the UK public now. That is certainly the plan.

--- Later in debate ---
The Chair

We will now hear oral evidence from Richard Starnes, chair of the information security panel for the Worshipful Company of Information Technologists. We have until 4 pm for this session.

Dr Spencer

Q Thank you, Richard, for giving evidence this afternoon. I have a couple of questions. First, in your view, was the regulatory enforcement regime under NIS1 effective, and does the Bill, as drafted, tackle those challenges? Secondly, could you explain how information sharing and analysis centres improve cyber-resilience in the sectors in which they currently operate?

Richard Starnes: The question about effectiveness is difficult to answer. There is the apparent effectiveness and the actual effectiveness. The reason I answer in that way is that you have regulators that are operating in environments where they may choose to not publicly disclose how they are regulating; it may be classified due to the nature of the company that was compromised, or who compromised the company. There may not necessarily be a public view of how much of that regulation is actually going on. That is understandable, but it has the natural downside of creating instances where somebody is being taken to task for not doing it correctly, but that is not exposed to the rest of the world. You do not know that it is happening, so the deterrent effect is not there.

Information sharing and analysis centres started in the United States 20 or 25 years ago, when different companies were in the same boat. The first one that I was aware of was the Financial Services ISAC, which comprises large entities—banks, clearing houses and so on—that share intelligence about the types of attacks that they are receiving internationally. They may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them. Those have been relatively good at helping develop defences for those industries.

Dr Spencer

Q Do you think that would be helpful in this context?

Richard Starnes: Yes. We have FS-ISAC operating in the United Kingdom and in Europe, with all the major banks, but if you took this and replicated it on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.

David Chadwick

Q Thank you for joining us. Reporting of several recent cyber-attacks has one thing in common: there were often insufficient security measures in place. British Airways in 2018 is just one example. Reportedly, the average tenure of a chief information security officer is 18 months. From your perspective, what do CISOs need from the Bill to help strengthen their hand when they are saying to a board, “This is what I need to do to keep our organisation secure”?

Richard Starnes: On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.

How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.

--- Later in debate ---
The Chair

We will now hear oral evidence from Brian Miller, head of IT security and compliance, and Stewart Whyte, data protection officer, both from NHS Greater Glasgow and Clyde and joining us online. For this session we have until 4.20 pm. Will the witnesses please introduce themselves for the record?

Brian Miller: Good afternoon, Chair. It is nice to see you all. I am Brian Miller and I head up IT security and compliance at NHS Greater Glasgow and Clyde. It is a privilege to be here, albeit remotely. I have worked at NHS Greater Glasgow and Clyde for four years. Prior to that, I was infrastructure manager at a local authority for 16 years and I spent 10 years at the Ministry of Defence in infrastructure management. I look at the Bill not only through the lens of working with a large health board, but from a personal perspective with a philosophy of “defenders win” across the entire public sector.

Stewart Whyte: Good afternoon, Chair, and everyone. My name is Stewart Whyte and I am the data protection officer at NHS Greater Glasgow and Clyde. I am by no means a cyber-security expert, but hopefully I can provide some insight into the data protection side and how things fit together.

Dr Spencer

Q Thank you for giving evidence to us. I want your help to get my head around what could fall under the Bill’s discretionary power on the designation of critical supply chain entities. Synnovis is used as the exemplar of why such a power is needed. From your perspective in the NHS, what do you think would come into scope? For example, would patient transport or taxis come under scope as critical for the delivery of your services? Would a hospital cleaner come under the scope of a critical supplier if the service was outsourced to a private sector organisation? Would food provision in your hospital come under scope? Would the provision of materials, medicines or medical devices provided by private companies come under scope? Would the provision of IT services—physical computers, not cloud services—come under scope? Would locum agencies come under scope? In fact, would any private provider not come under the scope as critical for the provision of services linked to your organisation’s IT system?

Brian Miller: That is a good question. Some of our colleagues mentioned the follow-up secondary legislation that will help us to identify those kinds of things. I suppose there is no difference from where we are at now. We would look at any provision of services from a risk management perspective and say what security controls apply. For example, would they be critical suppliers in terms of infrastructure and cyber-security? Does a cleaning service hold identifiable data? What are the links? Is it intrinsically linked from a technological perspective?

I mentioned looking at this through a “defenders win” lens. Yes, some of these technologies are covered. I saw some of the conversations earlier about local authorities not being in scope, but services are so intrinsically linked that they can well come into scope. It might well be that some of the suppliers you mentioned fall under the category of critical suppliers, but that might be the case just now. There might be provision of a new service for medical devices, which are a good example because they are unique and different compliance standards apply to them. For anything like that, where we stand just now—outside the Bill—we risk assess it. There is such an intrinsic link. A colleague on another panel mentioned data across the services; that is why Stewart is here alongside me. I look after the IT security element and Stewart looks after the data protection element.

Dr Spencer

Q Presumably, all suppliers are in some way linked to your IT systems to some degree. I know the NHS sometimes uses faxes still, but we do not live in a world where things are done by paper and pen—it is all integrated into IT systems.

Brian Miller: Sometimes, but sometimes not. I do not think we had any physical links with Synnovis, but it did work on our behalf. Emails might have been going back and forward, so although there were no physical connections, it was still important in terms of business email compromise and stuff like that—there was a kind of ancillary risk. Again, when things like that come up, we would look at it: do we have connections with a third party, a trusted partner or a local authority? If we do, what information do we send them and what information do we receive?

Chris Vince

Q Thank you for joining us remotely from Scotland. I have a question for Stewart about data protection. In my Harlow constituency we have just got a new electronic patient registration scheme; what risks do you see in the increased use of technology like that in the NHS? Does the Bill help to address some of the risks?

Stewart Whyte: Anything that increases or improves our processes in the NHS for a lot of the procured services that we take in, and anything that is going to strengthen the framework between the health board or health service and the suppliers, is welcome for me. One of our problems in the NHS is that the systems we put in are becoming more and more complex. Being able to risk assess them against a particular framework would certainly help from our perspective. A lot of our suppliers, and a lot of our systems and processes, are procured from elsewhere, so we are looking for anything at all within the health service that will improve the process and the links with third party service providers.

--- Later in debate ---
Lincoln Jopp

Q I want to make sure I have understood exactly. Is the regulator going to tell you who your operators of essential services are, or are you going to tell the regulator?

Brian Miller: I think we would work with the regulator, but we are looking for more detail in any secondary legislation that comes along. We have read what the designation of critical suppliers would be. I would look to work with the Scottish Health Competent Authority and colleagues in National Services Scotland on what that would look like.

Stewart Whyte: On how we would make that decision, from our perspective we are looking at what the supplier is providing and what sort of data they are processing on our behalf. From the NHS perspective, 90% of the data that we process will be special category, very sensitive information. It could be that, from our side, a lot of the people in the supply chain would fall into that designation, but for some other sectors it might not be so critical. We have a unique challenge in the NHS because of the service we provide, the effect that cyber-crime would have on our organisations, and the sensitivity of the data we process.

Dr Spencer

Q Your evidence is really helpful. To help with my understanding, if you look across all the suppliers in your service, are there any that you would not consider to be critical, such that if you clicked your fingers now and one of them disappeared, it would not have a material impact on your ability to maintain patient safety and deliver healthcare? Irrespective of the debate about size, what suppliers do you not determine to be critical?

Stewart Whyte: For me, it would be a slightly different assessment from Brian’s. We would be looking at anything where there is no processing of personal data. For me, that would not be a critical supplier from a data protection perspective. But there might be some other integration with NHS board systems that Brian might have concerns about. There is a crossover in terms of what we do, but my role is to look at how we manage data within the NHS. If there are suppliers where there is no involvement with identifiable data of either staff or patients, I would not see them as a critical supplier under this piece of legislation.

Lincoln Jopp

Q Brian, from your side, what about, say, PPE, gloves or blood? There must be other things that are non-data that are, nevertheless, essential services.

Brian Miller: I do not want to step out of my lane. There will be clinical stuff that absolutely would be essential. I would not be able to speak in any depth on that part of it; I purely look at the cyber element of it. As an organisation, we would be identifying those kinds of aspects.

In terms of suppliers, you are absolutely right. We have suppliers that supply some sort of IT services to us. If we are procuring anything, we will do a risk assessment—that might be a basic risk assessment because it is relatively low risk, it might be a rapid risk assessment, or it may be a really in-depth assessment for someone that would be a critical supplier or we could deem essential—but there are absolutely suppliers that would not fall under any of those criteria for the board. The board is large in scale, with 40,000 users. It is the largest health board in the country.

Dr Spencer

Q Do you have integration with your local primary care IT systems? For example, GPs have the old EMIS system and so on; is that integrated into your network? From your perspective, would that be a critical supplier that would need to be regulated?

Stewart Whyte: Yes. There is a lot of information sharing between acute services and primary care via integrated systems. We send discharge letters and information directly to GP practices that then goes straight into the patient record with the GP. There is a lot of integration there, yes.

Dr Spencer

Q Does that also exist for local government? Does adult social care and so on have that integration too?

Stewart Whyte: Yes, there is integration between ourselves and the local authorities.

The Chair

If there are no further questions from Members, I thank witnesses for their evidence. We will move on to the next panel.

Examination of Witnesses

Chris Parker MBE and Carla Baker gave evidence.

The Chair

We will now hear oral evidence from Chris Parker, director of government strategy at Fortinet and co-chair of the UK cyber resilience committee at techUK, and Carla Baker, senior director of government affairs in the UK and Ireland at Palo Alto Networks. For this session, we have until 4.50 pm.

Dr Spencer

Q Thanks for coming to give evidence this afternoon. I have two questions—one for each of you. Chris, from Fortinet’s perspective, what more do you think the Government can do to support SMEs to improve their cyber-resilience, while at the same time ensuring that the burden of regulation remains proportionate, particularly on smaller companies?

Carla, from the Palo Alto Networks perspective, what are your views on the changes to the incident reporting regime under the Bill? Will the approach help or hinder regulators in identifying and responding to the most serious threats quickly?

Chris Parker: I should point out that Carla is also co-chair of the cyber resilience committee, so you have both co-chairs here today.

As large cyber companies, we are very proud of one thing that is pertinent to the sector that may not be clear to everybody outside. I have worked in many sectors, and this is the most collaborative—most of it unseen—and sharing sector in the world. It has to be, because cyber does not respect borders. When we go to the most vulnerable organisations, which one would expect cannot afford things and therefore there must be a function of price, such as SMEs—I was an SME owner in a previous life—that is very dear to us. With the technology that is available, what is really good news is that when people buy cyber-security for their small business—in the UK or anywhere in the world—they are actually buying the same technology; it is effectively just a different engine size in most cases. There are different phases of technology. There is the latest stuff that is coming in, which they may not be getting into yet. However, the first thing to say is that it is a very fair system, and pricing-wise, it is a very fair system indeed for SMEs.

The second point is about making sure we are aware of the amount of free training going on across the world, and most of the vendors—the manufacturers—do that. Fortinet has a huge system of free training available for all people. What does that give? It is not just technical training for cyber-security staff; it is for ordinary people, including administrative workers and the people who are sometimes the ones who let the bad actor in. There are a lot of efforts. There is a human factor, as well as technological and commercial factors.

The other thing I would like to mention is that the cyber resilience committee, which Carla and I are lucky to co-chair, is elected. We have elected quite a large proportion of SME members. There is also a separate committee run by techUK. You heard from Stuart McKean earlier today, and he is one of the co-chairs, or the vice chair, of that committee.

Carla Baker: On incident reporting, as I am sure you are aware, the Bill states that organisations must report an incident if it is

“likely to have an impact”.

Our view, and I think that of techUK, is that the definition is far too broad. Anything that is likely to cause an impact could be a phishing email that an organisation has received. Organisations receive lots and lots of spoof emails.

I will give an example. Palo Alto Networks is one of the largest pure-play cyber-security companies. Our security operations centre—the hub of our organisation—processes something like 90 billion alerts a day. That is just our organisation. Through analysis and automation, the number is whittled down to just over 20,000. Then, through technology and capabilities, it is further whittled down, so that we are analysing about 75 alerts.

You can equate it to a car, for example. If you are driving and see a flashing yellow light, something is wrong. That is like 20,000 alerts. It is then whittled down to about 75, so we would potentially have to report up to 75 incidents per day, and that is just one organisation. There are a lot more. The burden on the regulator would be massive because there would be a lot of noise. It would struggle to ascertain what is the real problem—the high-risk incidents that impact the UK as a whole—and the noise would get in the way of that.

We have come up with a suggestion, an amendment to the legislation, that would involve a more tiered approach. There would be a more measurable and proportionate reporting threshold, with three tiers. The first is an incident that causes material service disruption, affecting a core service, a critical customer or a significant portion of users. The second is unauthorised, persistent access to a system. The third is an incident that has compromised core security controls—that is, security systems. Having a threshold that is measurable and proportionate is easier for organisations to understand than referring to an incident that is

“likely to have an impact”,

because, as I said, a phishing email is likely to cause an impact if an organisation does not have the right security measures in place.

David Chadwick

Q Thank you both for joining us. I have a very broad, open question: what other measures, both legislative and non-legislative, could the UK Government take to enhance the cyber-resilience of the UK’s critical national infrastructure?

Chris Parker: That is an excellent question. The good news is that a lot is happening already. An enormous amount of collaborative effort is going on at the moment. We must also give grace to the fact that it is a very new sector and a new problem, so everybody is going at it. That leads me on to the fact that the UK has a critical role in this, but it is a global problem, and therefore the amount of international collaboration is significant—not only from law enforcement and cyber-security agencies, but from businesses. Of course, our footprints, as big businesses, mean that we are always collaborating and talking to our teams around the world.

In terms of what the UK can do more of, a lot of the things that have to change are a function of two words: culture and harmonisation—harmonisation of standards. It is about trying not to be too concerned about getting everything absolutely right scientifically, which is quite tempting, but to make sure we can harmonise examples of international cyber-standards. It is about going after some commonality and those sorts of things.

I think the UK could have a unique role in driving that, as we have done with other organisations based out of London, such as the International Maritime Organisation for shipping standards. That is an aspiration, but we should all drive towards it. I think it is something the UK could definitely do because of our unique position in looking at multiple jurisdictions. We also have our own responsibilities, not only with the Commonwealth but with other bodies that we are part of, such as the United Nations.

It is not all good news. The challenge is that, as much as we know that harmonisation is okay, unfortunately everyone is moving. Things have started, and everyone is running hot. An important point to make is that it is one of the busiest sectors in the world right now, and everybody is very busy. This comes back to the UK having a particular eye on regulatory load, versus the important part that other elements of our society want, which is growth and economic prosperity. We talked earlier about SMEs. They do not have the capability to cover compliance and regulatory load easily, and we would probably all accept that. We have to be careful when talking about things such as designating critical suppliers.

All of this wraps up into increasing collaboration through public-private partnerships and building trust, so that when the Government and hard-working civil servants want to see which boundaries are right to push and which are not, bodies such as the UK cyber resilience committee, which Carla and I are on, can use those collaborative examples as much as possible.

There is quite a lot there, but something the UK certainly should be pushing to do is culture change, which we know has to be part of it—things have been talked about today by various speakers—as well as the harmonisation of standards.

Carla Baker: I think we are in a really interesting and exciting part of policy development: we have the Bill, and we have recently had the Government cyber action plan, which you may have heard about; and the national cyber action plan is coming in a few months’ time. The Government cyber action plan is internally facing, looking at what the Government need to do to address their resilience. The national cyber action plan is wider and looks at what the UK must do. We are at a really exciting point, with lots of focus and attention on cyber-security.

To address your point, I think there are three overarching things that we should be looking at. First is incentivising organisations, which is part of the Bill and will hopefully be a big part of the national cyber action plan. We must incentivise organisations to do more around cyber-security to improve their security posture. We heard from previous panellists about the threats that are arising, so organisations have to take a step forward.

Secondly, I think the Government should use their purchasing power and their position to start supporting organisations that are doing the right thing and are championing good cyber-security. There is more that the Government can do there. They could use procurement processes to mandate certain security requirements. We know that Cyber Essentials is nearly always on procurement tenders and all those types of things, but more can be done here to embed the need for enhanced security requirements.

Thirdly, I think a previous witness talked about information sharing. There is a bit of a void at the moment around information sharing. The cyber security information sharing partnership was set up, I think, 10 years ago—

Chris Parker: Yes, 10 years ago.

Carla Baker: It was disbanded a couple of months ago, and that has left a massive void. How does industry share intelligence and information about the threats they are seeing? Likewise, how can they receive information about the threat landscape? We have sector-specific things, but there isn’t a global pool, and there is a slight void at the moment.

--- Later in debate ---
Andrew Cooper (Mid Cheshire) (Lab)

Q Carla, I want to come back on the potential for unnecessary over-reporting of incidents. I cannot speak for the Minister, but I am sure it is not his intention that every phishing email is reported. I was listening carefully to what you said about your proposed tiered approach, and I can imagine, say, a situation where you are United Utilities and you intercept somebody trying to put a pre-emptive virus on to one of your industrial control systems. There has been no impact on customers or your infrastructure, because you have caught it. However, I would argue that it is quite important that United Utilities share that information with the regulator and that that information is disseminated to Severn Trent, Thames Water and whoever else needs to know, so they can patch their systems, look out for the virus or find out whether they have been infected already.

I can imagine that the legislation has been worded as it is to try to capture that situation where activity might occur, but not have an impact. Would you accept that that is important, and how would that fit in with the tiered approach that you described?

Carla Baker: I completely get your point. We have looked at that; my legal colleagues have looked at things such as spyware, where you have malware in the system that is not doing anything but is living there, for example, or pre-emptive, where they are waiting to launch an attack, and we think this amendment would still cover those scenarios. It is not necessarily cause and impact: the lights have not gone out, but if there is, for example, a nation state actor in your network, we think the amendment would still cover that.

Dr Spencer

Q I would also like to ask some questions on this definition of critical supplier. I know you will have heard the questions I had for the other panel. Is there a danger, in the way this Bill is approaching definitions of critical suppliers, that a supplier may end up being deemed critical solely by virtue of supplying to a critical industry, rather than the criticality of that particular supplier in the ecosystem?

Chris Parker: Yes, absolutely.

Carla Baker: Yes, completely. That is similar to my point, which was probably not explained well enough: how you are deemed critical should be more about your criticality to the entire ecosystem, not just to one organisation.

Dr Spencer

Q Notwithstanding other components to the criteria one may seek to use or will use, is there a danger that—although this is clearly not the intention in the drafting—through the back door, our entire economy ends up being in scope of this Bill?

Carla Baker: I think that is part of the issue about not having clear criteria about how regulators will designate. That also means that different regulators will take different approaches, so we would welcome more clarity and early consultation around the criteria that will be used for the regulators to designate a critical dependency, which prevents having different regulatory approaches across the 12 different regulators, which we obviously do not want, and gives greater harmonisation and greater clarity for organisations to know, “Okay, I might be brought in, because those are the clear criteria the Government will be using.”

David Chadwick

Q This feels like quite a big issue to be flagging up quite late in the day. In terms of the legislative process, do you think there has been a good enough consultation process between Government and business?

Chris Parker: The consultation has been a best effort, and I think it is a best effort as a function of three things. First, we have a new sector, a new Bill—something very new; it is not repeating something. Secondly, we are doing something at pace; it is a moving target; we have to get on with this, and so there is some compulsion involved. Thirdly, there are already some collaborative areas set up, such as techUK, that have been used. Would I personally have liked to have seen more? Yes—but I am realistic about how much time is needed; when you only have a certain resource, some people have got to do some writing and crafting as well as discussing.

One thing that we could look at, if we did the process again, would be more modelling, exercising and testing the Bill until it shakes a bit more—that is something that perhaps we could do, if we were to do this again. With the Telecommunications (Security) Act 2021, that was done at length and collaboratively with industry, on a nearly fortnightly basis, for some time. Beyond that, I think that we are realistic in industry because we understand the pressures on the people trying to bring legislation in. A second point to remember is that we are all volunteers. Carla and I, and all those on the Cyber Resilience Committee, volunteer away from our day jobs—which are busy—to do all this. There is a realistic expectation, if you like—but I would say there has been a best effort.

Carla Baker: I would like to look to the future. We have all the secondary legislation that is coming—and there will be a lot—so we recommend early insights, and time to review and consult, in order to provide that industry insight that we are happy to provide. Let us look to the secondary legislation and hope that there is good consultation there.

--- Later in debate ---
The Chair

We will now hear oral evidence from the Minister for AI and Online Safety, Kanishka Narayan. For this session, we have until 5.10 pm.

Dr Spencer

Q Thank you, Minister, for giving evidence this afternoon. I have a couple of questions. The first is about the definitions in the Bill, whether of MSPs or otherwise. All day long we have heard from representatives of different sectors of the industry, and pretty much everyone has talked about the importance of consultation on the definitions and when they are applied in secondary legislation. A certain amount of that stuff will be in primary legislation, so what consultation have you had with industry in setting up the definitions in the Bill in the first place?

Kanishka Narayan: Thank you for the question on definitions. I have two things to say on that. First, observing the evidence today, it is interesting that there are views in both directions on pretty much every definitional question. For example, on the definition of “incident thresholds”, I heard an expert witness at the outset of the day say that it is in exactly the right place, precisely because it adds incidents that have the capability to have an impact, even if not a directness of impact, to cover pre-positioning threats. A subsequent witness said that they felt that that precise definitional point made it not a fitting definition. The starting point is that there is a particular intent behind the definitions used in the Bill, and I am looking forward to going through it clause by clause, but I am glad that some of those tensions have been surfaced.

Secondly, in answer to your question on consultation, a number of the particular priority measures in the Bill were also consulted on under the previous Government. We have been engaging with industry and, in the course of implementation, the team has started setting up engagement with regulators and a whole programme of engagement with industry as well.

Dr Spencer

Q Thank you, Minister, but I am not sure that you answered my question. What engagement have you had in terms of consulting with industry in setting those definitions?

Kanishka Narayan: I have met a number of companies, but the relevant Minister has also had extensive engagement with both companies and regulators, including on the question of definitions. I do not have a record of her meetings, but if that is of interest, I would be very happy to follow up on it.

Dr Spencer

Q I assume that you are referring to the previous Minister, who you took over from?

Kanishka Narayan: I am referring to the Minister for Digital Economy, who is in the other place.

Dr Spencer

Q Do you not think that, as the Minister taking this through the Commons, you should have also had some of those meetings and consultations?

Kanishka Narayan: I have had some meetings but, as the Minister in charge of this Bill, she has been very engaged with businesses, so I think that is fitting. We have obviously worked very closely together, as we normally do, in the course of co-ordinating across the two Chambers.

Dr Spencer

Q What conversations have you had with the Secretary of State regarding guardrails on the extensive powers in this Bill that were referred to earlier?

Kanishka Narayan: I have spoken to the Secretary of State about the Bill, including the reserve powers, and we have agreed that the policy objective is very clear. I do not think I am in a position to divulge particular details of policy discussions that we have had; I do not think that would be either appropriate or a fitting test of my memory.

Dr Spencer

Q Do you think there is a potential need for guardrails?

Kanishka Narayan: I think the guardrails in the Bill are very important, absolutely. The Bill provides that, where there is an impact on organisations or regulators, there is an appropriate requirement for both deep consultation and an affirmative motion of the House. I think that is exactly where it ought to be, and I do not think anything short of that would be acceptable.

Chris Vince

Q Thank you for your time, Minister. Listening to the evidence and looking at the Bill, what strikes me is that this is about a balance between the importance of flexibility—particularly given the increase in threat and the complexity of the issues we face—and businesses wanting certainty. Do you feel confident that the Bill strikes that balance, and how have you sought to ensure that it does?

Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.

On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.

AI Safety

Ben Spencer Excerpts
Wednesday 10th December 2025

Westminster Hall

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the official record

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Ms Butler. I am very grateful to the hon. Member for Dewsbury and Batley (Iqbal Mohamed) for bringing this important debate to the House today. He gave a very thoughtful speech, which reflected his clearly very strongly held beliefs about the risks that AI poses. It was quite a broad and wide-ranging debate, and a very interesting one. I will try to be quite brief because I am really keen to hear the hon. Member’s response, along with that of the Minister.

We heard some great points about biased data, shadow banning, the impact on BSL, large language models producing, in effect, regulated advice, and the need for AI in the curriculum—and, of course, copyright came up. What happens when AI is used to mimic MPs’ output—something I suspect our AI Prime Minister also uses?

As hon. Members have observed, the advent of artificial intelligence entails risks but is also a once-in-a-generation opportunity. The previous Government were acutely aware of putting the UK at the forefront of both intergovernmental and industry discussions regarding the development of AI. They convened the world’s first AI safety summit, which took place at Bletchley Park in late 2023 and which many Members have referenced, and established the AI Safety Institute—now renamed the AI Security Institute—in the same year.

Reports about the risks to children’s safety posed by tools such as one-to-one and personal agent chatbots promoting suicide and self-harm content are of great concern. It is right that policymakers act quickly to address serious and specific threats when they emerge, and we welcome the Government’s recent action on measures to tackle AI-generated child sexual abuse images.

Recently, other hon. Members and I have pressed the Government to clarify the application of the Online Safety Act to one-to-one and personal agent AI chatbots. The Minister has confirmed that the Government have commissioned work to look at whether there are any loopholes in the Act that would mean that some AI chatbot services are unregulated. The recent report of the Science, Innovation and Technology Committee has also highlighted the risks to democratic integrity posed by cyber-bots pushing out AI-generated deepfake material purporting to represent authentic political content to distort public narratives, particularly during elections. We clearly need to go further to address those important and growing risks, so I would be grateful if the Minister could provide an update on those two points.

Despite much rhetoric, the Government have been completely inconsistent regarding their intentions on AI legislation. Having stated in their manifesto that they would bring in “binding regulation” for the “most powerful AI models”, the can has been repeatedly kicked down the road, with the Secretary of State suggesting during a SIT Committee evidence session earlier this month that there would be no generally applicable AI legislation in this Parliament. The uncertainty caused by the Government’s failure to be clear about their plans for AI regulation damages public confidence in this developing technology. Crucially, it also undermines business confidence, with a chilling knock-on effect on investment and innovation.

We appreciate that AI regulation is far from straightforward, given the rapidly evolving innovations, challenges and developments, and we caution against going down the route that the EU has taken for AI regulation. However, it is clear that we need a plan that ensures that our education system equips children with the skills necessary for the jobs of the future, and a strategy to prepare and, where necessary, retrain the parts of our workforce that stand to be the most affected by changes to the employment market brought about by AI.

We need to be alert to the risks and changes that AI development brings—AI must always be the agent and never the principal—but we must not lose sight of the tremendous opportunities that it offers. The UK should be at the forefront of developing artificial intelligence and reap the benefits of a substantial home-grown AI industry. AI has the potential to revolutionise service delivery and improve productivity on an unprecedented scale, and those productivity gains can drive much-needed improvements in our overstretched public services, hospitals, local authorities, court services and prisons, to name but a few. The rapid processing of routine tasks will lead to better and quicker service provision across the board.

Perhaps the most pressing issue is the role that AI will play in the defence of our country. Some hon. Members have spoken about the existential risk posed to humanity by the most powerful AI models, but in an era of regional conflict and intensifying global competition, the notion that hostile state actors will observe international protocols on AI development is naive at best and dangerous at worst. AI has become indispensable to our defence capacity and security. The ability of AI to detect and neutralise cyber and biosecurity threats will become increasingly vital. High-tech AI drone warfare has drastically changed the nature of conflict, as we see in Ukraine. Put simply, the UK, working wherever possible with its international allies and partners, must be in a position to counter the deployment of AI systems that disregard the norms and ethics that the UK seeks to uphold.

We cannot afford to be left behind. We must develop our capabilities at speed, by tackling the barriers to the development of the UK AI industry, including the high costs of energy and the availability of investment. We must ensure that we are alive to, and safeguard against, the most serious emerging risks. With that in mind, will the Minister provide an update on the Government’s plans to support growth in the UK AI industry, including in relation to securing lawful access to reliable datasets for training?

Draft Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2025

Ben Spencer Excerpts
Tuesday 18th November 2025

General Committees
Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Mr Vickers.

This statutory instrument represents an important development in the obligations on platforms regulated under the Online Safety Act to protect people from encountering illegal content online. The OSA was enacted by the last Government with the primary aim of safeguarding children and removing serious illegal material from the internet. Tackling the most harmful content, such as that which is the subject of today’s discussion, goes to the heart of the Online Safety Act’s aims. His Majesty’s Opposition therefore welcome and support the draft regulations.

The experiences and opportunities offered by the online world change rapidly. It is right that legislators are responsive when new risks emerge or when certain types of unlawful content proliferate on the internet. Under the last Government, the OSA amended the Sexual Offences Act 2003 to criminalise several forms of sexual misconduct and abusive behaviour online. The new offences included cyber-flashing and the sharing of or threatening to share intimate images without consent. The amendments were made to keep pace with novel threats and forms of abuse, the victims of which are too often women and girls.

Baroness Bertin’s independent review of pornography, which was published in February this year, highlighted the damaging impact on victims of intimate image abuse, ranging from physical illness to mental health effects such as anxiety, depression, post-traumatic stress disorder and suicidal thoughts. The effects of cyber-flashing and intimate image abuse on victims are severe. It is therefore right that this statutory instrument brings cyber-flashing within the scope of the priority offences in schedule 7 to the Online Safety Act, while retaining as a priority offence the sharing of or threatening to share intimate images.

We also strongly support the addition as a priority offence of encouraging or assisting serious self-harm, which is the other important component of this statutory instrument. Desperate people who contemplate self-harm need early intervention and support, not encouragement to self-harm. Under this SI, regulated services will be obliged to proactively remove the material when they become aware of it on their platforms and take measures to prevent it from appearing in the first place. One can only wonder why it has taken so long to get to this position. I am sure we will have a unanimous view not only in the House but in society of the importance of removing such material.

The regulations will work only if they are adopted by the industry and subject to rigorous oversight, coupled with enforcement when platforms fail in their obligations. That is a necessity, and why we had to introduce the Online Safety Act in the first place. It is right that Government regulators should look to identify obstacles to the implementation of the OSA and take action where necessary. Since the introduction of Ofcom’s protection of children codes in the summer, important questions have arisen around the use of virtual private networks to circumvent age verification, as well as data security and privacy in the age-verification process.

Peter Fortune (Bromley and Biggin Hill) (Con)

On that point, does my hon. Friend the shadow Minister agree that we need to give some thought to the rise of chatbots and their nefarious activity, especially where they encourage self-harm or encourage children to do worse?

Dr Spencer

I thank my hon. Friend for his question on a very important point, which was raised just last week in Department for Science, Innovation and Technology questions by my hon. Friend the Member for Harrow East (Bob Blackman) and others. The Lib Dem spokesperson, the hon. Member for Harpenden and Berkhamsted, also raised questions about the importance of the scope of regulations for chatbots.

The Government seem all over the place as to whether the large language models, as we understand them, regulate the content that comes into scope. Given the response we received last week, it would be helpful to have some clarity from the Minister. Does he believe that LLMs are covered by the OSA when it comes to encouraging self-harm material? If there is a gap, what is he going to do about it? I recognise that he is commissioning Ofcom to look at the issue, but in his view, right now, is there a gap that will need someone to fix it? What are his reflections on that? This is increasingly becoming a priority area that we need to resolve. If there is a gap in legislation, we need to get on and sort it.

--- Later in debate ---
Kanishka Narayan

I thank Committee members for their valuable contributions to the debate. The update in the regulations will bring us closer to achieving the Government’s commitments to improve online safety and strengthen protection for women and girls online. We believe that updating the priority offences list with the new cyber-flashing and self-harm content offences is the correct, proportionate and evidence-led approach to tackling this type of content, and it will provide stronger protections for online users.

I will now respond to the questions asked in the debate; I thank Members for the tone and substance of their contributions. The shadow Minister, the hon. Member for Runnymede and Weybridge, raised the use of VPNs. As I mentioned previously in the House, apart from an initial spike we have seen a significant levelling-off in the usage of VPNs, which points to the likely effectiveness of the age-assurance measures. We have commissioned further evidence on that front, and I hope to bring that to the House’s attention at the earliest opportunity.

The question of chatbots was raised by the shadow Minister, by the hon. Member for Bromley and Biggin Hill, and by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted. Let me first clarify what I previously mentioned in the House: the legislation covers not only chatbots that allow user-to-user engagement but those that involve one-to-AI engagement and live search. That is extensive coverage of chatbots—both those types are within scope of the Online Safety Act.

There may be further gaps in the Act that pertain to aspects of the risks that Members have raised, and the Secretary of State has commissioned further work to ensure that we keep up with fast-changing technology. A number of the LLMs in question are covered by the Act, given the parameters that I have just defined. Of course, we will continue to review the situation, as both scope and risk need to evolve together.

Dr Spencer

I hope the Minister takes this in a constructive spirit. Concerns have been raised across the House as to the scope of the OSA when it comes to LLMs and the different types and variations of chatbots, which are being used by many people right now. Is he not concerned that he as the Minister, and his Department, are not able to say at the Dispatch Box whether they believe LLMs are completely covered in the scope of the OSA? Has he received legal advice or other advice? How quickly will he be able to give a definitive response? Clearly, if there is a gap, we need to know about it and we need to take action. It surely puts the regulator and the people who are generating this technology in an invidious position if even Her Majesty’s Government think there is a lack of clarity, as he put it, on the scope of the applicability of the OSA to new technologies.

Kanishka Narayan

Let me be clear: there is no lack of clarity in the scope of the Bill. It is extremely clear to a provider whether they are in scope or not. If they have user-to-user engagement on the platform, they are in scope. If they have live search, which is the primary basis in respect of many LLMs at the moment, they are in scope. There is no lack of clarity from a provider point of view. The question at stake is whether the further aspects of LLMs, which do not involve any of those areas of scope, pose a particular risk.

A number of incidents have been reported publicly, and I will obviously not comment on individual instances. The Online Safety Act does not focus on individual content-takedown instances and instead looks at a system. Ofcom has engaged firms that are very much in scope of the Act already. If there are further instances of new risks posed by platforms that are not currently within the scope of the Online Safety Act, we will of course review its scope and make sure we are moving fast in the light of that information.

The hon. Member for Harpenden and Berkhamsted asked about child sexual abuse material. I was very proud that we introduced amendments last week to the Crime and Policing Bill to make sure that organisations such as the Internet Watch Foundation are engaged, alongside targeted experts, particularly the police, in spotting CSAM content and risk way before AI models are released. In that context, we are ensuring that the particular risks posed by AI to children’s safety are countered before they escalate.

On the question about Ofcom’s spending and capacity more generally to counter the nature of the risk, the spending cap at Ofcom allows it to enforce against the offences that we deem to be priority offences. In part, when we make the judgment about designating offences as a priority, we make a proportionate assessment about whether we believe there is both severity and the capacity context for robust enforcement. I will continue to review that situation as the nature of the offences changes.

Finally, I am glad that the Government have committed throughout to ensure that sexually explicit non-consensual images, particularly deepfakes, are robustly enforced against. That remains the position. I hope the Committee agrees with me on the importance of updating the priority offences in the Online Safety Act as swiftly as possible. I commend the regulations to the Committee.

Question put and agreed to.