Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)
Debate between Ben Spencer and Kanishka NarayanThursday 5th February 2026
(4 days, 4 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
It is a pleasure to see you in the Chair, Mr Stringer. The Bill will make crucial updates that build on the NIS regulations, which are the UK’s only cross-sector cyber-security regulations. As clause 1 sets out, “NIS regulations” refers to the Network and Information Systems Regulations 2018 (S.I., 2018, No. 506).
Clause 2 gives an overview of the Bill’s parts and what they include. It sets out that part 2 amends the NIS regulations by expanding the scope of the regulations to cover data centres, large load controllers and managed service providers. It also introduces powers for regulators to designate suppliers as being critical for their sector. Part 2 also updates the existing incident-reporting regime and includes provisions relating to the recovery of regulators’ costs, information-gathering and sharing powers, and enforcement powers. Part 3 gives new powers to the Secretary of State to specify other sectors as in scope of the regulations in future, to create new regulations relating to the security and resilience of regulated services, and to issue a code of practice and a statement of strategic priorities. It also requires the Secretary of State to report on this legislation and its implementation. Finally, part 4 gives new national security powers for the Secretary of State to issue directions. I commend the clauses to the Committee.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.
The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.
Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.
Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.
In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.
Dr Spencer
I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.
These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.
Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.
The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.
If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.
Kanishka Narayan
I welcome some of the Opposition spokesperson’s comments. Let me briefly address his questions about definitions and public sector inclusion. It is customary for the Opposition to oppose for the sake of opposition, at times, and I am afraid that this is one of those times; I have so far set out only two clauses, which are effectively an index to the Bill. Notwithstanding that, I will address his two particular points.
I was delighted that in our evidence sessions we heard from witness after witness who appreciated the flexibility of the Bill. For the Government to prescribe activities or incident thresholds in the finest detail in primary legislation is not how businesses, Government and regulators ought to engage. I hope that the Opposition will come to appreciate that in due course.
On critical suppliers, which no doubt we will come on to, I thought that in response to Opposition comments at our second sitting, I set out a very clear, precise set of tests. I found no opposition to that claim, but I look forward to hearing any original thoughts on that question.
On incident reporting, I was delighted that there was a witness who noticed that the extension of the definition of incident reporting, to include incidents capable of having an impact, was appropriate and exactly in the right place.
On the question about the public sector’s inclusion, we are here not to prescribe and wait for a law to tell us what we ought to do in the public sector, but instead to move fast and fix things. In that spirit, the Bill focuses on essential services.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2 ordered to stand part of the Bill.
Clause 3
Identification of Operators of Essential Services
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 3 makes important distinctions as to which organisations can and cannot be considered operators of essential services for the purposes of the NIS regulations. It clarifies that a person—in practice, an organisation or business—can be an operator of an essential service regardless of whether that person is established in the UK, as long as they are providing essential services in the UK. That means that organisations established outside the UK can be regulated under the NIS regulations.
Clause 3 also makes it clear that the NIS regulations do not apply to public electronic communications networks or to public electronic communications services. Those are telecoms operators, which are regulated separately under the Communications Act 2003. The amendments in clause 3 will prevent telecoms companies from being subject to duplicate regulations; they will also ensure that all essential services in the UK are protected, even if the company operating them is based outside the UK. I commend the clause to the Committee.
Dr Spencer
Clause 3 will amend the relevant provisions of the NIS regulations, stipulating that operators of essential services are within scope of the regulations whether or not they are operating an essential service in the UK, and regardless of jurisdiction in which they are established. Providers of public electronic communications networks and public electronic communications services are excluded from characterisation as operators of essential services, as the Minister says, to avoid duplication with their sector-specific cyber-security regime.
The clause is an important provision to ensure that entities providing essential services in the UK are compliant with domestic standards. Perhaps the most important aspect of the change is ensuring that serious cyber-security risks that appear within the systems of those entities are reported to the UK authorities for action. That is vital for the National Cyber Security Centre to keep abreast of emerging risks and be able to respond to them.
Nevertheless, the complex maze of compliance and regulatory standards across jurisdictions is a growing challenge for businesses of all sizes and particularly for small and medium-sized enterprises. This is also a complicating factor facing UK companies when providing services abroad, particularly in the digital domain. Will the Minister lay out what discussions he has had with industry representatives about easing the complexity of cross-border digital service provision to ensure that the UK is a competitive and attractive place to do business?
Kanishka Narayan
On the question about cross-border compliance and making sure that we have a proportionate and effective regime, we have had a series of engagements at ministerial and official level with representatives of techUK, the industry body. The NCSC has convened a series of organisations—not least managed service providers, but others as well—and there has been a pretty extensive period of consultation on that and every other matter in the Bill.
I feel satisfied that the Bill strikes a good balance in ensuring proportionality in what businesses experience. Critically, as supply chains in this context become increasingly cross-border, it is vital that bodies that may not be resident in the UK but which provide essential services here are included in the scope of the Bill.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4
Data centres to be regulated as essential services
Dr Spencer
As I risk getting into trouble with Mr Stringer, I will not respond to the hon. Member for Lichfield. I look forward to the opportunity to debate this issue again, perhaps in the emergency Budget in the next couple of weeks.
Clause 6 brings large load controllers, which provide the flow of electricity in and out of smart appliances, within scope of the NIS regulations if the load is above 300 MW. I understand that the threshold has been decided through consultation, given that that pressure could have a substantial impact on the grid. There is a challenge in managing peak demand and supply in the grid and big changes in it, so I entirely understand why the Government are introducing this provision. Smart EV devices—I have a smart charging electric vehicle device myself—used system-wide could cause big grid disruptions, particularly as we integrate infrastructure into our homes such as solar panels, batteries and other energy-related smart devices.
In fact, we need the grid to become more smart device-integrated over the next 10, 15 or 20 years. When we look at projections of energy consumption, we see that we will need to enable people to use the grid by expanding technology such as vehicle-to-grid energy supply, so that we can manage peak load. That is part of expanding our energy, reducing energy costs and supporting renewable energy and the transition to net zero. If anything, this issue will become more important and expansive over the years.
On that basis, I have some questions for the Minister about the clause. Why are data centres and large load controllers the two sectors that he has decided to put on the face of the Bill? I say that with particular reference to the NIS2 regulations, which are expanded a bit more. How does he envisage this area expanding in the future? Is he confident that the scope of the clause is sufficient to cover future technologies that are coming down the track? I am thinking of EV charging apps. The list is prescriptive, but does it have sufficient flexibility? Is the Minister able to come back with secondary legislation if he needs to expand the list in the future, given that it is in the Bill in that form? Would it not be better to put that on the face of the Bill and to use secondary legislation to lay it out, in order to have flexibility? The Minister has been trying to ensure flexibility elsewhere, and understandably so—let us not go back into those debates. I just want to understand his reasoning behind that a bit better. That is certainly not a criticism, but I want to know why those particular sectors have been pulled out, and why it has not been left for secondary legislation.
Kanishka Narayan
With your permission, Mr Stringer, I will restrict my comments to clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.
The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.
Kanishka Narayan
Loudly and slowly: this will capture organisations remotely managing significant amounts of electrical load via energy-smart appliances, both in a domestic and non-domestic setting. These organisations play an increasingly important role in the management of the electricity system, but are not currently regulated for cyber-security. A cyber-attack could therefore create major disruptions to the national grid, shutting down public services and critical national infrastructure. Capturing load control as an essential service will safeguard the public from these disruptions. It will also reflect the need to bring in new safeguards to manage a more digitalised and dynamic energy landscape in the transition towards net zero.
Dr Spencer
Before the Minister moves on—I was a bit nervous that he was going to finish—I have an additional question about the Crown data centre. What happens if a data centre is providing services commercially to both the public and the Crown? How is that operated within the scope of the Bill?
Kanishka Narayan
I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.
Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.
This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.
Dr Spencer
Clause 7 amends the definition of cloud services, which have been within the scope of regulation since the NIS regulations came into force. The expanded definition emphasises remote accessibility and the “on demand” nature of cloud services, and that services may be delivered from multiple locations. It also excludes managed services from the scope of cloud services to avoid duplication of regulatory requirements and oversight.
The Minister proposes changes to this provision in Government amendment 13, which sets out further details regarding the features of in-scope cloud service provision, including common access by multiple users, with each having access to separate processing functions. My question to the Minister builds on the one raised by my hon. Friend the Member for Bognor Regis and Littlehampton. It is obviously difficult—if it is possible at all—to predict how the tech sector will evolve, but what powers will the Government have to adjust these provisions as the cloud ecosystem changes, and what consultation has the Minister done on that within the scope of the Bill?
Kanishka Narayan
On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.
Dr Spencer
I broadly agree. This is one of those difficult areas where there can be overlap. I have sympathy with the argument that it is important to use any opportunity, and in particular this Bill, to raise fraud.
We focus on financial fraud, but this area is not limited to that, especially when we think about other malicious operators, and about ransomware and hacktivism, where the boundaries are particularly blurred. In a situation where a fraudulent operator, service, provider or organisation has material, whether on social media or subject to search engines, and the police or other competent authorities have flagged it to the provider as fraudulent—as illegal criminal activity—what duties does that provider have to remove it or take it down? Is that something that the Minister is aware of? Has he looked into it, and what is the Government’s plan to crack down on that activity?
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.
That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.
Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.
The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.
Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Debate between Ben Spencer and Kanishka NarayanThursday 5th February 2026
(4 days, 4 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Kanishka Narayan
The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Ms McVey.
Clause 9 brings within scope of the NIS regulations a new category of technology service providers, known as relevant managed service providers. MSPs play a critical role in the UK economy. Research conducted by the Department for Science, Innovation and Technology under the last Government suggests that 11,000 MSPs were active in the UK in 2023, of which 1,500 to 1,700 were medium or large organisations that would be in scope of the Bill. Micro and small enterprises that offer managed services are excluded from the scope of regulation but have the potential to be designated as critical suppliers under other provisions, which we will come to shortly.
MSPs are critical to the functioning of the multiple businesses that they serve, offering contracted IT services such as helpdesk and technical support, server and network maintenance, and data back-up. In many cases, they also provide managed cyber-security solutions to their customer bases. Consequently, these businesses often have significant access to their clients’ IT networks, infrastructure and data, which makes them attractive and valuable targets.
Dr Spencer
I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.
I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.
Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.
If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.
Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.
It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.
Kanishka Narayan
First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.
The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.
The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.
Kanishka Narayan
I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.
On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.
The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.
Dr Spencer
The Minister is, of course, within his rights to snarkily dismiss the questions that I have raised, but I should point out that the stuff that is debated in Parliament, whether in Committee or on the Floor of the Chamber, is relevant when it comes to future legal disputes after a Bill is passed. The questions I have asked about the application of the Bill’s provisions will be important parts of the legal disputes that I expect will arise after its implementation. When people look back through the Minister’s dismissive comments, I hope they have other resources that they can go to for settling legal arguments. However, he may choose to respond fully now, or in writing if he cannot provide me with an answer.
Kanishka Narayan
I believe that where the shadow Minister laid out any specific concerns, I was able to set out answers, not least on the process for the designation of critical suppliers and the availability of an appeals process. Where his points were more in the realm of specific hypothetical puzzles, I have stayed clear for precisely the reasons that he highlights. This is serious stuff that can form the basis of how businesses and others plan, rather than specific judgments that we ought not to speculate about in this House.
Question put and agreed to.
Clause 12 accordingly ordered to stand part of the Bill.
Clause 13
Provision of information by operators of data centre services
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 13 ensures that operators of data centres provide essential information to regulators, enabling them to properly monitor their sector and its cyber-resilience. The clause requires operators to submit key details, such as names, addresses and contact information, within three months of designation, and to update regulators within seven days if anything changes. Regulators are required to maintain a list of designated entities. By keeping regulatory records current, the clause strengthens our ability to monitor and protect essential services and respond to incidents that could affect businesses, public services and national security. The clause plays a key foundational role in the Bill’s wider framework for cyber-security and resilience.
Like clause 13, clause 14 places legal duties on digital and managed services providers to provide essential information to their regulator—in this case, the information commission. Like operators of data centre services, RDSPs and MSPs will be required to register with the information commission within three months, submitting key details, such as names and contact information, and to update regulators within seven days if anything changes. Organisations based outside the UK will be required to nominate a UK representative and provide contact details. To strengthen cross-agency support and recognise the key role that these businesses play in the UK economy and society, the information commission will be required to share its registers of relevant digital and managed service providers with GCHQ. Those proportionate steps will enable authorities to do their job and respond when it matters.
Dr Spencer
Clause 13 requires in-scope data centre operators to provide certain information to their designated competent authorities, which—subject to Government amendment 11, which we passed earlier—will now be solely Ofcom, and to keep that information up to date. The information includes the data centre operator’s address and the names of directors. It must be provided within three months of the data centre operator’s designation. For data centres that meet the threshold criteria, that would be three months after clause 4 comes into force. Other OESs are not subject to an equivalent requirement to provide information to their sector regulator. That reflects the fact that the Government currently have limited information about the data centre sector.
RDSPs are already required, under regulation 14 of the NIS regulations 2018, to provide their contact details to the information commission, as their sector regulator. Clause 14(2) amends regulation 14 to require RDSPs to provide more information, including about their directors and the digital services they provide. It would also require the information commission to share a copy of its register of RDSPs with GCHQ. Clause 14(9) requires RMSPs to register with the information commission and to submit the same contact details as RDSPs. RMSPs must nominate a UK representative if they are based outside the UK. The information commission will be required to maintain a register of RMSPs and to share it with GCHQ. Clauses 13 and 14 give Ofcom and the information commission access to more detailed information about regulated entities and facilitate regulatory oversight of the data centre RDSP and RMSP industries in the UK.
Question put and agreed to.
Clause 13 accordingly ordered to stand part of the Bill.
Clause 14 ordered to stand part of the Bill.
Clause 15
Reporting of Incidents by Regulated Persons
Kanishka Narayan
I appreciate the intent behind the amendments and the shadow Minister’s position of understanding but not supporting them, which I share. I share his concerns about the potential for emerging risks posed by AI systems, not least in the realm of cyber-security. At the same time, I am conscious that we have not specified any risk factors in the Bill from a reporting point of view for the National Cyber Security Centre or the regulators. To do so in this context would place an undue priority on one category or source of risk.
For those reasons, although I understand the motivation behind the amendments and I am conscious of the risks posed by AI systems, I urge the hon. Member not to press them. The Bill is technology-agnostic rather than focused on particular areas of risk. The Government continue to work on mitigating AI risks, primarily at the point of use, but also through extensive Government capability, not least in the AI Security Institute.
Dr Spencer
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)
Draft Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2025
Debate between Ben Spencer and Kanishka Narayan(2 months, 3 weeks ago)
General CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Kanishka Narayan
I thank Committee members for their valuable contributions to the debate. The update in the regulations will bring us closer to achieving the Government’s commitments to improve online safety and strengthen protection for women and girls online. We believe that updating the priority offences list with the new cyber-flashing and self-harm content offences is the correct, proportionate and evidence-led approach to tackling this type of content, and it will provide stronger protections for online users.
I will now respond to the questions asked in the debate; I thank Members for the tone and substance of their contributions. The shadow Minister, the hon. Member for Runnymede and Weybridge, raised the use of VPNs. As I mentioned previously in the House, apart from an initial spike we have seen a significant levelling-off in the usage of VPNs, which points to the likely effectiveness of the age-assurance measures. We have commissioned further evidence on that front, and I hope to bring that to the House’s attention at the earliest opportunity.
The question of chatbots was raised by the shadow Minister, by the hon. Member for Bromley and Biggin Hill, and by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted. Let me first clarify what I previously mentioned in the House: the legislation covers not only chatbots that allow user-to-user engagement but those that involve one-to-AI engagement and live search. That is extensive coverage of chatbots—both those types are within scope of the Online Safety Act.
There may be further gaps in the Act that pertain to aspects of the risks that Members have raised, and the Secretary of State has commissioned further work to ensure that we keep up with fast-changing technology. A number of the LLMs in question are covered by the Act, given the parameters that I have just defined. Of course, we will continue to review the situation, as both scope and risk need to evolve together.
Dr Spencer
I hope the Minister takes this in a constructive spirit. Concerns have been raised across the House as to the scope of the OSA when it comes to LLMs and the different types and variations of chatbots, which are being used by many people right now. Is he not concerned that he as the Minister, and his Department, are not able to say at the Dispatch Box whether they believe LLMs are completely covered in the scope of the OSA? Has he received legal advice or other advice? How quickly will he be able to give a definitive response? Clearly, if there is a gap, we need to know about it and we need to take action. It surely puts the regulator and the people who are generating this technology in an invidious position if even Her Majesty’s Government think there is a lack of clarity, as he put it, on the scope of the applicability of the OSA to new technologies.
Kanishka Narayan
Let me be clear: there is no lack of clarity in the scope of the Bill. It is extremely clear to a provider whether they are in scope or not. If they have user-to-user engagement on the platform, they are in scope. If they have live search, which is the primary basis in respect of many LLMs at the moment, they are in scope. There is no lack of clarity from a provider point of view. The question at stake is whether the further aspects of LLMs, which do not involve any of those areas of scope, pose a particular risk.
A number of incidents have been reported publicly, and I will obviously not comment on individual instances. The Online Safety Act does not focus on individual content-takedown instances and instead looks at a system. Ofcom has engaged firms that are very much in scope of the Act already. If there are further instances of new risks posed by platforms that are not currently within the scope of the Online Safety Act, we will of course review its scope and make sure we are moving fast in the light of that information.
The hon. Member for Harpenden and Berkhamsted asked about child sexual abuse material. I was very proud that we introduced amendments last week to the Crime and Policing Bill to make sure that organisations such as the Internet Watch Foundation are engaged, alongside targeted experts, particularly the police, in spotting CSAM content and risk way before AI models are released. In that context, we are ensuring that the particular risks posed by AI to children’s safety are countered before they escalate.
On the question about Ofcom’s spending and capacity more generally to counter the nature of the risk, the spending cap at Ofcom allows it to enforce against the offences that we deem to be priority offences. In part, when we make the judgment about designating offences as a priority, we make a proportionate assessment about whether we believe there is both severity and the capacity context for robust enforcement. I will continue to review that situation as the nature of the offences changes.
Finally, I am glad that the Government have committed throughout to ensure that sexually explicit non-consensual images, particularly deepfakes, are robustly enforced against. That remains the position. I hope the Committee agrees with me on the importance of updating the priority offences in the Online Safety Act as swiftly as possible. I commend the regulations to the Committee.
Question put and agreed to.
Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025
Debate between Ben Spencer and Kanishka Narayan(3 months ago)
General CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Kanishka Narayan
I thank hon. Members for their contributions. I will address first the questions that were asked.
I thank the hon. Member for Runnymede and Weybridge for his warm welcome. On the question of how assurances were sought about the equivalence of the Japanese and Singaporean standards, the maturity of those standards and the time for which the countries have been implementing them have been particularly material assurances. Japan and Singapore have aligned their security requirements and labelling schemes to the globally accepted ETSI EN 303 645 standard, which happens to be the same standard that underpins the UK’s PSTI regime. Therefore, products that have a valid label issued by Japan or Singapore will meet the security requirements specified in our regime. The Office for Product Safety and Standards, as the regulator of the regime as a whole, is equipped with a comprehensive set of enforcement powers and will continue to keep under review any mutual recognition agreements.
Of course the Government recognise the strategic importance of the European Union as the UK’s largest trading partner, and we will explore opportunities to reduce technical barriers to trade in the security space in that context, too.
On the question of benefits, my understanding is that we have had representations from a number of small and medium-sized businesses, in particular, about how this measure will open up export markets in Japan and Singapore, allow Japanese and Singaporean firms to trade, and ensure that British consumers can benefit. I do not have a number to give, but I hope very much that we will see the benefits of that freer flow of trade in connected devices very soon.
On the cyber-security context, more everyday products than ever before are connected to the internet, ranging from smart TVs to fitness trackers and voice assistants. From April 2024 to March 2025, we surveyed the participation of consumers and found that 96% of folks personally owned and used a smartphone, 76% a smart TV, and 68% a laptop computer. It is now very rare to find a UK household that does not own a connected device in the scope of these regulations; less than 1% of people reported that they did not own a smartphone, laptop, desktop PC, tablet, games console, smart printer or smart TV.
This growing connectivity brings convenience but also new risks. The Government have taken action to ensure that UK consumers and businesses purchasing consumer connectable products are better protected from the risk of cyber-attacks, fraud or even, in the most serious cases, physical danger. The cyber-security regulatory landscape is evolving, with countries around the world, including Japan and Singapore, introducing similar regimes. The UK must remain agile and forward-looking to maintain its leadership in this space. The draft regulations will ensure that the UK remains a global leader in product cyber-security, while strengthening our position as an attractive destination for digital innovation and trade.
By recognising Japanese and Singaporean IOT labelling schemes, we are reducing unnecessary regulatory burdens, supporting UK businesses to expand internationally and enabling Japanese and Singaporean manufacturers to bring compliant products to our market more efficiently. This measure is a practical step forward in delivering the Government’s mission to drive economic growth and build a more resilient digital economy. It also complements our efforts to harmonise security standards across major economies, in partnership with Brunei, the United Arab Emirates, Australia, Germany, Finland, South Korea, Canada, Japan, Singapore and Hungary, via the global cyber-security labelling initiative. With forecasts suggesting that the global IOT market will grow to 24.1 billion devices by 2030, generating more than £1.1 trillion in annual revenue, it is more essential than ever that we enhance the security of connected products on a global scale.
Dr Spencer
The Minister has referred a few times to cyber-security strategy. Can he update us on when we will see the Government’s cyber-security and resilience Bill?
Kanishka Narayan
I am afraid that I cannot commit to a legislative timeline, but we want to move very fast on the Bill and are looking for the right opportunity in Parliament to introduce it.
The draft regulations are a significant step in achieving our goal for cyber-security. I look forward to continuing this work and building on the momentum we have established.
Question put and agreed to.