Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)

Bradley Thomas Excerpts
Dr Ben Spencer

I beg to move, That the clause be read a Second time.

This new clause would require the Secretary of State to review the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established. The financial services industry has successful voluntary schemes—the Cyber Defence Alliance, and the Financial Services Information Sharing and Analysis Centre—which act as hubs for collaboration on all matters relating to the prevention, detection, mitigation and investigation of cyber-threats and criminality impacting members. These organisations provide an essential alerting and co-ordinating role for their members, including providing intelligence and technical support during ongoing incidents. They can assist in building partnerships contextualised to particular sector risks.

According to Richard Starnes of the Worshipful Company of Information Technologists, companies

“may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them.”

And he said that if the FS-ISAC were replicated

“on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 64, Q75-76.]

Bradley Thomas (Bromsgrove) (Con)

On the point about information sharing with a view to bolstering resilience, Marks and Spencer reported to me that it was surprised to have received more information from the FBI on the origin and impact of the cyber-attack that it suffered than it received from UK authorities. That should adequately demonstrate why sufficient data sharing is required to underpin our resilience and bolster our strength.

--- Later in debate ---
Freddie van Mierlo

I beg to move, That the clause be read a Second time.

The new clause would place a statutory duty on the Secretary of State to establish a support service dedicated to improving the resilience of small and medium-sized enterprises and, crucially, to provide them with assistance when the worst happens. SMEs are the backbone of our economy. Their growth and continued operation are essential to a strong economy. We heard evidence that even large corporations find it hard to justify the investment in cyber-security and resilience when faced with competing priorities and investment needs. It forms the rationale of the Bill putting this need on a statutory footing, but small and medium-sized businesses undoubtedly find it even harder to make the investments required in cyber-security.

I know from having worked in SMEs at the start of my career that companies experience growing pains and need support in navigating complex statutory requirements. It is not just support for SMEs before an attack takes place that the clause would provide for, but also after. For SMEs, a cyber-attack is not just a disruption; it can be an existential threat to their existence. The clause would ensure that when an SME is hit, they have access to the support they need.

Bradley Thomas

Given that the threshold for a significant impact event will likely be much lower for an SME than for a larger corporation, and while acknowledging and agreeing that SMEs are the backbone of the economy and make up the vast majority of companies that employ people in this country, how does the hon. Gentleman propose to strike the relevant balance between ensuring that SMEs are supported, and at the same time that they are not inundated and overwhelmed as a result of that significant impact threshold likely being much lower for SMEs?

Freddie van Mierlo

The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.

--- Later in debate ---
David Chadwick

New clauses 16 and 17 work in tandem to align the Bill with best practice among our European neighbours, introducing measures that would strengthen ongoing oversight and enhance preparation, therefore improving the UK’s cyber-resilience before incidents occur.

New clause 16 would make cyber-resilience a core responsibility of organisational leadership. It would require boards to oversee security arrangements, approve risk management approaches, satisfy themselves that protections are working on an ongoing basis and, importantly, be accountable. Numerous witnesses that we have spoken to over the past month told us that cyber-security deserves the most senior level of oversight. In fact, those professionals from within the industry told us that they desperately need this to happen to make sure that they can do the job that the Government are asking of them. ISACA, an organisation that I remember looking up to when I was working in cyber-security, has said that it supports both our new clauses.

Bradley Thomas

While I agree with the hon. Member, and acknowledge witnesses’ evidence suggesting that cyber-security should be a board-level responsibility, does he share my concern that, given the complexity and technical nature of cyber-security, there is perhaps a risk of, for want of a better phrase, window dressing? It may be that non-competent people without the relevant technical expertise could be reliant on reports issued by other technical staff who do not sit at board level. We have to strike the right balance. Does the hon. Member share that concern, and how does he propose we address that?

David Chadwick

One of the measures that the new clause would introduce is a requirement for board members to receive education. Clearly, it is necessary for boards to understand cyber-security risk, and the new clause is about putting that into legislation. Board accountability is the cornerstone of corporate governance. Corporate governance is one of the reasons for the Bill. We have seen drastic failures in corporate governance across the UK in numerous sectors. Financial services, historically, is one sector that corporate governance has completely failed in, yet the Conservatives continued to support it with tax cuts.

All we are saying with our new clause is that boards need to be held accountable for the cyber-risk that they pose, and that making boards responsible for that obligation helps the cyber-security professionals responsible for securing those organisations to do their jobs properly. ISACA has 8,000 members. They are the people who will be carrying out this work. Surely, we should listen to them when they tell us that this is what they need. It was not just one organisation that told us that either.

Boards have an obligation to oversee financial risk, for which they need financial literacy. Cyber-risk deserves the same treatment. Importantly, this would bring the UK into line with international best practice. The European Union’s NIS2 framework explicitly places cyber accountability at senior management level, and makes the same demands of board oversight in these areas. That is why it is confusing again to see the Government diverging from that framework without a clear explanation of why. It is not clear why the UK should be settling for less. Why have the Government taken that out?

Rural Mobile Connectivity

Bradley Thomas Excerpts
Thursday 12th February 2026

Commons Chamber
Bradley Thomas (Bromsgrove) (Con)

I congratulate the hon. Member for North Shropshire (Helen Morgan) on being persistent and finally securing this very important debate.

Few phrases in modern Britain ring as hollow as “world-class connectivity”. Speaking plainly, rural mobile phone connectivity in this country is not merely patchy or inconsistent; in some places, it is so poor that the advertised service bears no resemblance to reality. There are areas in which actual service levels are hundreds of times worse than advertised—that is not a rounding error, or the result of momentary network congestion. It is a difference between promise and performance that is so vast that it would be comic if it were not so economically corrosive.

Take Worcestershire, for example. It is a rural county, with lots of villages, small towns and industrious small businesses. There are farms and villages where the coverage map glows reassuringly in bright corporate colours, but the lived reality is far too often just a single bar if you stand at the upstairs window, facing north and holding your phone aloft like some kind of digital divining rod. We have already heard about how the River Severn Partnership in Worcestershire was a beneficiary of this. Quite innovatively, local councils stuck gadgets on the bin lorries that went up and down every single road, particularly the rural roads, and realised what we probably all suspect: how terrible the service is. In parts of Worcestershire, the mobile phone signal is around 900 times worse than the mobile phone operators claim.

We could forgive the odd dropped call. After all, rural topography presents challenges—there are hills, and trees are inconveniently organic. What cannot be forgiven, though, is the persistent gulf between what is claimed and what is delivered. It is the same with broadband; we hear broadband providers advertise speeds of up to 80 megabits per second, but the reality of what many of my constituents experience is very different. Those advertised figures are in the realm of fiction. This is not just anecdotal grumbling from the shires; a survey by the National Farmers Union has painted a sobering picture, with 21% of respondents reporting broadband speeds under 10 megabits per second in 2026. This is at a time when a single video could devour bandwidth instantly. What my constituents want is the ability to consume data and make voice calls at the same time. I cannot stress enough how sick and tired I am of hearing from mobile phone companies that everyone is just consuming data. As the traditional telephone service is switched off, constituents—particularly those living in rural areas—are increasingly reliant on the ability to make voice calls.

The lived reality for a business in rural Worcestershire attempting to submit mandatory forms online to a regulator or placing an order is that they must drive to the nearest town to do so. Businesses cannot reliably place orders or process card payments. As banks close in our towns and villages, people are shifting or being pushed towards more online digital services, so it is crucial that we have the mobile connectivity to back that up. If I may say so, there is also a little bit of cultural condescension at work. Rural Britain is far too frequently romanticised as a place of bucolic tranquillity; it is that, but it demands parity with urban Britain at the same time. What does that mean? It means that we want a reliable mobile phone signal, so that we can drive down the road on a short journey without it cutting out, and if we need to receive a call from a loved one, a relative or perhaps a GP, we can have certainty that that call will come through.

Coverage maps have been drawn with a particularly optimistic crayon, and the problem with advertised speeds being hundreds of times better than reality is not merely technical; it also erodes trust. Quite often, those conditions are laboratory conditions that do not bear any resemblance to reality, so I invite the mobile phone companies to come and do a very thorough inspection across Bromsgrove and the villages.

Mims Davies

I concur with every word that my hon. Friend is saying, particularly around the challenges in national parks, where connectivity can be more difficult. If I may, I will take him back to his point about callbacks from GPs or people working remotely, differently and flexibly. Missing that callback is a real problem for anyone, but it can be particularly serious for people in rural areas.

Bradley Thomas

My hon. Friend is spot on. Constituents, particularly older residents, have contacted me because they have missed out on crucial calls from GPs and other supporting services that they require. It is about the safety and wellbeing of our constituents as much as it is about connectivity and the economy.

In the limited time that I have, I have a few points that I implore the Government to focus on. First, transparency must improve. That means bolstering regulatory requirements for the mobile phone companies to advertise speeds that are realistic, not theoretical and based on laboratory conditions. Secondly, it is not just about population coverage, but geographic coverage, which must carry greater regulatory weight. Britain is not composed solely of cities. Land matters, and the people who steward it and rely on these mobile phone connections matter. That means that the Government should give serious consideration to rural roaming. Finally, infrastructure sharing should be pursued with seriousness to ensure that mobile phone coverage across the country, but particularly across Bromsgrove and the villages, is as robust as it can be.

--- Later in debate ---
Peter Fortune

It is sad, but with Valentine’s day just around the corner, perhaps there is the opportunity to reconnect. [Interruption.] It is my first time as a Front Bencher! It was good to hear from the hon. Member for Caerfyrddin (Ann Davies), who is having similar issues with Vodafone. Can I suggest that she takes a leaf out of my hon. Friend’s book and kidnaps one of its Government relations people? Maybe she will get her way that way.

My hon. Friend the Member for Chester South and Eddisbury (Aphra Brandreth), as ever, was on the front foot serving her constituents with her mobile survey, highlighting the issue of digital isolation and the impact it can have on mental health. My hon. Friend the Member for Bromsgrove (Bradley Thomas) talked about the impact on online banking and how, with the closure of front counters, we need that connectivity to keep these services alive. That was echoed by the hon. Member for Lewes (James MacCleary), who talked about the impact on real people. I was sad to hear that for my hon. Friend the Member for Bromsgrove to take a text message, he has to run upstairs and hang out of a window to get reception. Now that I know that—

Bradley Thomas

For the avoidance of doubt, I do not have to do that, but I know many people who do.

Peter Fortune

I thank my hon. Friend for that clarification; it will save me some time, as I was going to spend all weekend texting him.

We have heard about the real issues to do with mobile phone connectivity and how it is impacting people. Based on commercial mapping of 113 local council areas across the UK, EE offers acceptable coverage in only 69% of the UK. For Vodafone the figure is 61%, for O2 it is 50% and for Three it is 38%. The Minister who previously had responsibility for this area engaged with Ofcom on improving data collection standards to get a more accurate picture of 4G coverage. That resulted in Ofcom launching its online coverage checker in June 2025, incorporating some improvements.

The need to ensure that everyone has reliable mobile phone coverage is becoming ever more pressing, as public services are increasingly digitised. The last Government recognised the need to tackle non-commercial barriers to the roll-out of digital infrastructure by amending planning legislation. However, as planning is a devolved matter, standards are not consistent across the four nations, so what discussions has the Minister had with his counterparts in the devolved Administrations on this matter?

On 5G roll-out, the Conservative Government set a target of nationwide coverage of stand-alone 5G for all populated areas of the UK by 2030. The development of this infrastructure has been market-led, and commercial investment has achieved 5G coverage from at least one operator over approximately 65% of the UK landmass.

In December, the Government launched their call for evidence on reforming planning rules to accelerate the deployment of digital infrastructure. The call for evidence is due to end on 26 February. Given the urgency of this matter, when does the Minister expect to be able to update the House on the outcome of the call for evidence and the Government’s proposals for planning reform?

Touching briefly on broadband, I welcome the publication of the draft statement of strategic priorities yesterday, and I know that businesses will appreciate the clarity that it has provided.

The continuation of the Conservatives’ commitment to competition is welcome, and it is important, as the telecoms market consolidates and the Competition and Markets Authority watches over the process, that competition is actively upheld to reduce consumer costs and continue improving services. There is clearly cross-party agreement that we need to do more to ensure that rural areas have improved connectivity, and I hope that the Minister will engage constructively with all Members who have contributed to the debate in order to achieve this.

Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)

Bradley Thomas Excerpts
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

I will begin by discussing clauses 15 and 16. Clause 15 updates the incident reporting provisions in the Network and Information Systems Regulations 2018. Under the current regulations, organisations are required to report incidents only once they have had a significant impact on service continuity. It is widely recognised that this is too narrow, and results in a range of concerning incidents going unreported and a distorted picture of how secure and resilient the UK’s essential services actually are.

To take two examples: a ransomware attack where confidential data has been exfiltrated from an organisation without an immediate impact on service would not be reportable; nor would a pre-positioning attack, where a hostile actor has hacked into a network and is in a position to cause significant disruption down the line, such as to the provision of drinking water. That cannot be right, and does not reflect the cyber-threats that critical services face.

To ensure such incidents are caught, the clause sets a new, wider definition of incidents that must be reported. The focus is now on incidents that have successfully affected the security or operation of an organisation’s network and are likely to have a significant UK impact, which will ensure that regulators and the National Cyber Security Centre are fully aware of the range of cyber-threats affecting the UK’s essential services.

The Bill sets out the factors that should be considered when assessing whether an incident has had, or is likely to have, a significant impact in the UK—including, crucially, whether the confidentiality, authenticity, integrity and availability of data has been compromised. The Government will provide further clarity in secondary legislation, setting out thresholds for each sector for when an incident is considered to have had, or be likely to have, a significant impact. That will be consulted on before it is introduced. Taken together, it means that only meaningful incidents are reported. Over-reporting has been a concern raised by hon. Members throughout the Bill’s progress, so I stress this point: things such as unsuccessful phishing emails will clearly not be reportable, as they would not be likely to have a significant impact.

Given our economy’s systemic dependence on data centre facilities, for that sector alone we will also ensure that Ofcom and the NCSC receive reports on a wider range of potential incidents and near misses. That ensures that not only immediate disruptions but incidents posing future risks are reported.

Clause 15 also streamlines the reporting process for all NIS sectors. It ensures that incident notifications and reports go to the NCSC at the same time as the regulator. It also sets out what those organisations can do with the information they receive, including how the information can be shared to manage the wider impacts of an incident or prevent future incidents. Finally, the clause introduces faster reporting, so that the NCSC and regulators are informed within 24 hours of entities becoming aware that a reportable incident is taking place.

The 24-hour notification will be light touch, but will enable the NCSC and regulators to offer faster support to minimise the negative impacts of the incident. Fuller details will need to be reported within 72 hours of the entity becoming aware that a reportable incident is happening. The changes will protect the UK’s essential services, ensuring that the NCSC and regulators are able to provide the best support that they can.

Clause 16 sets out requirements for managed service providers, relevant digital service providers, and operators of data centres to inform customers who are likely to have been adversely affected by a reportable incident. Under the current regulations, there is no requirement for any regulated entity to inform its customers if it has been impacted by a reportable incident. That may have made sense when the NIS regulations were more heavily focused on operators of essential services and the primary concern was service disruption, but it would be an inexcusable omission now that the Bill is expanding to include managed service providers and operators of data centres, in addition to the digital service providers already in scope.

These are organisations that, if compromised, could leave their customers’ systems, data or services exposed or inaccessible. In such circumstances, it is vital that their customers are notified, so that they can take whatever steps they need to in order to mitigate those risks.

Bradley Thomas (Bromsgrove) (Con)

I have two points for the Minister to address. First, could he clarify whether an organisation would face repercussions if a regulator believed in retrospect that notification should have been provided sooner? Secondly, on customer notification, can the Minister address the concern around striking the right balance between informing the customer and ensuring that the update that they receive is meaningful and not so vague that it causes further distress or worry?

Kanishka Narayan

I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.

On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.

Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.

Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.

--- Later in debate ---
Bradley Thomas

It is a pleasure to serve under your chairmanship, Dr Murrison.

When introducing new legislation, it is essential that those who fall under its new regulations be clearly identified and given adequate time to prepare for compliance. However, despite the aims of the Bill and the wish to avoid worsening a cyber-attack incident, the Bill still presents far too much ambiguity. It is right to recognise the cyber landscape as continuously evolving. There is no dispute that this terrain becomes increasingly complex each day, requiring a level of flexibility in legislation to ensure that it keeps pace. However, this desire to safeguard such adaptability, and the goal of future-proofing, must not come at the expense of the effectiveness of legislation in the present day.

The powers afforded to the Secretary of State to change the classification of essential activity, and to bring new sectors into scope of the Bill at any time, undoubtedly create uncertainty for many sectors and cast a shadow over long-term compliance. To be clear, we want organisations to comply with this legislation. We want to improve national cyber-resilience, gather vital intelligence and restore public confidence in our security. Why, then, would there not be a significant effort to make these regulations as easy to apply as possible, rather than leaving thousands of businesses second-guessing whether they fall within scope, with the pressure of large financial penalties hanging over their heads?

In addition, many will know that I am a firm supporter of parliamentary process. I support the notion that all legislation should receive the scrutiny it is due by the democratically elected Members of the House of Commons. That is why I believe the Bill must not only set out clearer guidelines for who is in scope, but require an official amendment, debated in the House, to permanently bring any new sectors into scope after the Bill has been passed.

I understand that, in times of emergency, the longer process of House of Commons scrutiny may not always be possible. That is why the Secretary of State should have powers to bring in sectors necessary in an emergency temporarily into scope, with less imposing of non-compliance penalties until their inclusion is made permanent by the House. Such an approach would not only allow for the quick reactions that cyber-security demands, but respect parliamentary processes and safeguard against organisations’ being unaware that they had suddenly been brought into scope until they received a potentially financially ruinous penalty notice for non-compliance.

Looking at the need for more definitive guidelines on who will be regulated under the Bill, we have already heard from numerous industry stakeholders that are unsure whether they, or other organisations in their sector, will fall within the mandatory scope. In addition, industry experts have publicly shared concerns about how far the net may be cast in some sectors, leading to the unintentional inclusion of organisations that are critical only to a single larger organisation, rather than to our national security, while ignoring other essential sectors altogether. Looking at recent cyber-attacks that have had a significant impact on our country, it is concerning that the definition of essential services may not include them within scope.

While it is predicted that many of Jaguar Land Rover’s supply chains will be in scope, it has been publicly questioned whether it will be included. As the largest car manufacturer in the United Kingdom, it directly employs over 30,000 people across the UK and supports around 100,000 jobs indirectly. It is therefore no surprise that the cyber-attack it endured, estimated to have had a financial impact of over £1 billion, was significant to many, including more than 5,000 organisations impacted and many of my constituents, with JLR being one of the largest direct and indirect employers in the west midlands region. How, then, if a key aim of the Bill is to ensure that all essential services whose disruption would profoundly impact our nation in the event of a cyber-attack report all major incidents, can the vagueness of the definition of essential services be allowed to stand—especially when it creates a situation in which previous key victims are excluded?

Of course, JLR is not the only victim where questions of inclusion remain. Also potentially falling outside the regulatory reach is Marks & Spencer, whose recent cyber-attack was another stark reminder of the rapidly advancing cyber-crimes scene and caused significant disruption, with costs estimated to run into the millions of pounds. Having met with M&S representatives recently, I had the opportunity to discuss their experience of enduring such an attack. Archie Norman, M&S chair, gave evidence to the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, where he said that “a growth economy” is “a cyber-resilient economy”.

Having a cyber-resilient UK, and making the UK the safest place to do business, is a competitive advantage. I agree with that sentiment and firmly believe that increasing our cyber-resilience can only benefit our economy. It is imperative that we get this right. These cyber-threats are not going away; they are only going to get stronger and more technically advanced. We have seen that in the past year, with the National Cyber Security Centre reporting a 50% increase in British cyber-incidents deemed highly significant. Indeed, representatives of M&S told me that, at times, they found it much easier to get updates and information from the United States FBI than they did from our own authorities. We also know that foreign hostile states are becoming bolder in their actions against us.

A few months ago—as a reason for introducing my ten-minute rule Bill, the Cyber Extortion and Ransomware (Reporting) Bill—I stated that research had revealed that 74% of UK IT leaders cited China and 71% cited Russia as their top cyber-security concerns. It is indisputable that last year’s espionage trials threw a harsh spotlight on the threatening scale of state-sponsored cyber-attacks.

Improving our national cyber-resilience, and safeguarding all our infrastructure and essential services, including in the private sector, is vital in order to secure a prosperous economy and reinforce public confidence in our ability to defend ourselves against such threats.

--- Later in debate ---
Kanishka Narayan

Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.

The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.

The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.

Bradley Thomas

I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?

Kanishka Narayan

I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.

On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.

The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.

I commend the clause to the Committee.

--- Later in debate ---
Kanishka Narayan

Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.

While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.

New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.

Bradley Thomas

Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?

Dr Spencer

Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.

I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.

--- Later in debate ---
Kanishka Narayan

Clause 21 reforms the enforcement regime for the NIS regulations. It seeks to ensure that providers of the UK’s most essential services are complying with their obligations under those regulations. Where they are not, it will allow for more meaningful penalties that reflect the risks they introduce to our society and economy as a whole. To do that, the clause makes a number of critical changes.

First, the clause introduces a new penalty maximum based on turnover. The current maximum penalty is £17 million, which can appear disproportionately large for smaller organisations, but could also easily be absorbed by larger ones as the “cost of doing business.” The clause therefore increases the penalty limits from £17 million to a maximum of £17 million or 4% of annual turnover, whichever is higher. I am confident that that strikes the right balance within the UK regulatory context. It brings the regime in line with other UK legislation that regulates cyber-security, such as part 1 of the Product Security and Telecommunications Infrastructure Act 2022, without rushing uncritically to the more severe penalties we see in other CNI regulation.

The second change is to create a simple two-band penalty structure that will provide much-needed clarity to regulators and industry about the penalty tiers for specific acts of non-compliance.

Bradley Thomas

On the point about banding, can the Minister assure us that there will be consistency applied across regulators so that different events are not differentially penalised depending on the regulatory body? On the question of turnover and the financial penalty, can the Minister elaborate on how the figure was derived?

--- Later in debate ---
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.

When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to a halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.

We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.

Bradley Thomas

I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.

David Chadwick

The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.

Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.

Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.

Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.

At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed, its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.

Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)

Kanishka Narayan

I thank the hon. Member for that thoughtful point. One assurance I will offer her is that the direct definition of data centres in scope here relies on capacity as a proxy for their essential independent nature, but when data centres below the capacity threshold but high on the criticality threshold are suppliers to essential services, they would be covered in part by the critical suppliers framework in the Bill. I take her point into account.

Bradley Thomas (Bromsgrove) (Con)

What consideration has been given to the potential conflict between data centres’ contractual obligation regarding customer confidentiality and mandatory rapid reporting? What assurance can the Minister give us that data centres will ensure that the conflict does not impact their future business?

Kanishka Narayan

In the course of engaging with firms we have considered what the timeline for reporting ought to be. It is critical that the initial notification requirement, which is a much lower requirement than the full notification requirement, at least gives the NCSC and other enforcement authorities the ability to counter national security and wider-impact risks. I believe that specification to be proportionate in the Bill, but it is of course a matter for implementation that we will keep a close eye on.

An attack on a data centre can have significant impacts beyond the facility itself. As data centres underpin digital services across multiple sectors, disruption or compromise can cascade through essential services, businesses and public services. Incidents may also pose national security and economic risks, given the concentration of sensitive and critical data. Bringing qualifying data centre services into scope of the NIS framework helps ensure these risks are managed proportionately and incidents are reported promptly.

As per Government amendments 11 and 12, we propose that Ofcom is the regulator. Medium and large third-party data centres and very large enterprise centres will be required to manage risks and report to Ofcom. Their thresholds have been carefully calibrated to capture data centres whose disruption could have the greatest impact, while avoiding unnecessary burdens on smaller operators. This will strengthen the cyber-security and resilience of data centres, align with international regulations, and introduce structured oversight, notification, and incident reporting to strengthen national security and economic stability.

--- Later in debate ---
Dr Spencer

Clause 4 amends the NIS regulations to bring data centres that meet certain thresholds within scope of the regs as operators of essential services. As drafted, these data centres will be regulated by DSIT and Ofcom, but the amendments moved by the Minister propose that Ofcom will be the sole regulator for the subsector. I thank him for his explanation of why he has tabled these amendments.

Given the oral evidence from Ofcom and other sector regulators earlier this week regarding the challenges of recruiting skilled cyber-security staff to regulate effectively, what assessment has the Minister made of the additional regulatory burden on Ofcom of this decision and its capacity to secure adequate resources to meet it? Clause 5 extends the scope of the regulations to data centres operated by the Government, with the exception of services provided by or on behalf of intelligence services handling classified information.

Data centre infrastructure is increasingly vital to the UK’s society, economy and security. Data centres underpin nearly all aspects of our digital lives, from sending emails to booking GP appointments or ordering shopping online. Businesses of all sizes routinely process their workloads in the cloud, supported by data centres. For those reasons, data centres were designated as critical national infrastructure—CNI—in 2024.

The UK digital sector, which is heavily reliant on data centres, contributed more than 7% of the UK’s total gross value added in mid-2024, growing almost three times faster than the rest of the economy. Data centres are also critical to the UK’s ambition to become an AI superpower. Training artificial intelligence models relies on access to an abundance of processing capacity, or compute, located in secure data centres.

In October last year, Amazon Web Services experienced a glitch in one of its US data centres, which set off a chain reaction that took down online services across the globe.

Bradley Thomas

On the growth of this industry, and with 78% of UK enterprises relying on cloud-based services, 96% of companies expected to use public cloud services, 35% of UK businesses outsourcing IT support and, as of last year, 63% of organisations planning to continue or increase their IT outsourcing over the next 12 months, does my hon. Friend the shadow Minister agree that greater consideration—or at least elaboration—must be given to the vulnerability of the supply chain of large load data centres?

Dr Spencer

My hon. Friend will be aware that the issue regarding the bottleneck in the supply of cloud computing, in which I put data centres, compute more generally and access to large language models, in our country is very much on my mind, and we have been raising it with the Government. At the moment, I understand that around 70% of cloud services directly procured by the Government are coming from the three big US providers. I hear from UK SMEs—not just cloud providers, but SMEs of all types—all the time about the challenge that they face with Government procurement contracts to procure domestic UK-company services, whether that is central Government or otherwise.

We are getting ourselves into a very difficult situation from a resilience perspective: not only are we currently heavily reliant on US big tech, but we are not doing the work we need to do right now to support a burgeoning UK tech industry. In the UK, we have fantastic universities and businesses. We really are a centre of innovation, but the problem is that companies can really struggle to take the next step forwards.

Of course, Government procurement is not the be-all and end-all—although, depending what sort of sector the company is operating in, it might be—but we are certainly not focusing enough on supporting our SME sector. The sector is really good and strong, and it has the potential to be great, but we still have not had a hyperscaler. We have not seen the expansion in the UK digital and tech sector that, all things considered, given our background and where we stand in terms of our academic and business resources, we really should have seen.

--- Later in debate ---
Dr Spencer

That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.

Bradley Thomas

Does the shadow Minister agree that the Government should heed the message of Chris Dimitriadis, the chief global strategy officer at the Information Systems Audit and Control Association? He said:

“The era when cyber regulation could focus solely on critical national infrastructure is over. Today, every major employer is part of the digital economy—and therefore part of the threat landscape.”

Surely the Government should heed that message.

Dr Spencer

That is a stark message. Going back to my previous point, I struggle to think how many small businesses can really put in the necessary resource to take these sorts of steps on cyber-security.

There is a broader point here, which goes back to my opening remarks. A chunk of this involves hostile state actors that are attacking our companies, Parliament and the Government, whether directly or through their intermediaries. I find it quite ironic that it was announced earlier this week that our security services are going to work with China’s security services to deal with cyber-security threats. I thought, “Well, hang on a sec. What are they going to say, given that the Chinese Communist party is one of the main drivers of cyber-security threats in the UK?”

Legislating in this area and deciding how to approach it as a society is a particular challenge, given that it is not merely criminals or hacktivists doing this stuff to our companies and institutions; there is also full-fat hostile state interference from Russia, Iran or the Chinese Communist party.

Bradley Thomas

The risk and the threat from hostile states is plain to see. Does my hon. Friend have any sympathy for the ten-minute rule Bill that I introduced a few months ago on the Floor of the House? We need to strike a balance between the risk that bureaucratic administration poses to small businesses and the very real risk that cyber-attacks pose to the economy in general. The Government should have the private sector in scope and look at setting a threshold that does not become burdensome on smaller businesses. My proposal was for any company that turns over £25 million or more to be in scope, in order to not bear down too heavily on small companies that would otherwise find the process, the risk and the burden of reporting too onerous.

Dr Spencer

I thank my hon. Friend for his interesting proposal, which attempts to crack the nut of one of the problems subsumed in the Bill.

The Bill cherry-picks certain sectors that need to be regulated entities, and there is a whole host of definitions. Then the Secretary of State can allocate some of the bits that they want to tag on through secondary legislation or the designation of a critical supplier. Then we have the MSP component. But there is something the Bill does not deal with. If I were to ask the man in the street to identify the biggest cyber-security attack they have heard of in the past year or so, their answer would probably depend on where they live. If they live in the west midlands, they would talk about JLR, which has had a catastrophic effect on the local economy. In other parts of the country, the focus might be on Marks & Spencer or the Co-op. The Bill does not fix that, so what needs to be done? Should there be a threshold based on turnover, so that the process is not so onerous on certain companies, or something to support the insurance industry?

The Bill is silent on this issue, and the Government need to come up with some answers. I totally understand what they are trying to do with the Bill and how it is taking us forward—of course the NIS regulations need updating—but it does not fix the big stuff that has had a huge impact on people’s lives and required a massive bail-out of several billions of pounds-worth of taxpayers’ money. How many more JLRs can the Government afford to bail out until they have to do something to resolve the issue? I suspect we will come back to that, but I am glad that my hon. Friend introduced his ten-minute rule Bill.

We need to have a solution, but at the same time, we should not put onerous burdens on companies that are already struggling because of the Government’s anti-growth agenda and the punitive taxes being imposed on them to pay for profligate spending. This goes back to the discussion about prima facie harms. Taxation is the best example of a prima facie harm.

--- Later in debate ---
Kanishka Narayan

With your permission, Mr Stringer, I will restrict my comments to clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.

The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.

Bradley Thomas

Will the Minister give way?

Kanishka Narayan

I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.

The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.

Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.

On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.

--- Later in debate ---
Amendment 25, in the name of the hon. Member for Brecon, Radnor and Cwm Tawe, would amend the NIS Regulations 2018 to include fraud as one of the risks to the security of network and information systems that relevant digital service providers must identify and manage. Many fraudulent sites, including those posing as legitimate Government resources, often remain accessible via search engines, even after platforms have been alerted to the risk by service users. A fraudulent site could have been flagged to some sort of provider yet still be accessible even after the risk has been identified. Wherever online platforms and search engines can do more to protect users from fraud, they should be doing so. What analysis has the Minister made of that risk and of whether the Bill is the appropriate vehicle for introducing further measures to tackle it?

Bradley Thomas

Given the blurring of boundary lines between cyber-attacks and financial crime, I can see the compelling reasons why the amendment has been tabled, but does the shadow Minister agree and acknowledge that fraud detection often requires a different skillset from standard network security, so it is important to strike the right balance?

Dr Spencer

I broadly agree. This is one of those difficult areas where there can be overlap. I have sympathy with the argument that it is important to use any opportunity, and in particular this Bill, to raise fraud.

We focus on financial fraud, but this area is not limited to that, especially when we think about other malicious operators, and about ransomware and hacktivism, where the boundaries are particularly blurred. In a situation where a fraudulent operator, service, provider or organisation has material, whether on social media or subject to search engines, and the police or other competent authorities have flagged it to the provider as fraudulent—as illegal criminal activity—what duties does that provider have to remove it or take it down? Is that something that the Minister is aware of? Has he looked into it, and what is the Government’s plan to crack down on that activity?

Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)

Chris Vince (Harlow) (Lab/Co-op)

Q I feel that I should declare an interest as the MP for Harlow, which has a large data centre within it. My question is about international alignment. Is this legislation in keeping with developments that you are seeing globally?

David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.

Bradley Thomas (Bromsgrove) (Con)

Q Picking up on what Jen mentioned about FTSE and publicly traded companies being within scope, is there a view on ensuring that privately owned companies of a particular scale are within scope, and if so, how will you determine that? Might it be based on things such as turnover or number of employees, or would it be some other identifiable characteristic?

Jen Ellis: For sure, it should not come down to whether you are public or private; it should be about impact. Figuring out how to measure that is challenging. I will leave that problem with policymakers—you’re welcome. I do not think it is about the number of employees. We have to think about impact in a much more pragmatic way. In the tech sector, relatively small companies can have a very profound impact because they happen to be the thing that is used by everybody. Part of the problem with security is that you have small teams running things that are used ubiquitously.

We have to think a little differently about this. We have seen outages in recent years that are not necessarily maliciously driven, but have demonstrated to us how reliant we are on technology and how widespread the impact can be, even of something like a local managed service provider. One that happened to provide managed services for a whole region’s local government went down in Germany and it knocked out all local services for some time. You are absolutely right: we should be looking at privately held companies as well. We should be thinking about impact, but measuring impact and figuring out who is in scope and who is not will be really challenging. We will have to start looking down the supply chain, where it gets a lot more complex.

Tim Roca (Macclesfield) (Lab)

Q This question is mainly for Jen. Your colleague Jamie MacColl has made a series of forthright comments about the Bill and compared it to NIS2. How does the Bill compare to legislation worldwide?

Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.

On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.

The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.

The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.

The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.

--- Later in debate ---
Dr Gardner

Q But do you think there should be a statutory duty to have a board member responsible?

Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.

Bradley Thomas

Q Two questions: first, for a bit of context, could the witnesses give us an idea of the objectives of cyber-attacks? Are we seeing objectives based around disruption or around extortion, either monetary or for intellectual property? Perhaps we could have a perspective on whether that differs depending on the origin of the organisation conducting the cyber-attack. Secondly, around the reporting model, is there a view on whether the model proposed in the Bill is beneficial, and whether it risks a fragmented approach, particularly if companies operate in a sector that is regulated under the jurisdiction of two regulators? Do you think that a more universal, singular reporting model would be beneficial in ensuring as strong a response as possible?

Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.

While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.

We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.

Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.

In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.

I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.

Freddie van Mierlo

Q I have two questions: one to Jill and one to Dr Mehta. First, what is your view, Jill, on the relative strength of this legislation, compared to what is coming forward in the EU? Do you think that the fact that we are not following the EU will make it harder for your members to interact and trade with individuals and companies in Europe?

Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?

Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.

Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.

There are a number of key reasons for that. First, public administration needs to be a role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.

--- Later in debate ---
Andrew Cooper

Q Stuart, as an MSP, you will be familiar with the fact that the large cloud service providers tend to allow you to live failover to different regions. By default you might be hosting in the UK region, but, depending on an outage, you might live failover to the European Union or to the US, depending on the cloud service provider you are using and how it is set up. How does the legislation deal with that and allow you as an MSP to be compliant with it?

Stuart McKean: It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.

Bradley Thomas

Q Do the witnesses have a view on the benchmarks that, at the moment, do not appear to sit behind the scale of incidents that must be reported? Do you have a view on the absence of any benchmarks and the impact that they may have on smaller firms, or on the risk of over-reporting?

Stuart McKean: Under the designation of a critical supplier, the Bill says:

“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.

That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.

Bradley Thomas

Q How might we glean some clarity on that?

Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.

Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.

Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.

Dr Spencer

Q The issues about complexity and how loosely the Bill is drafted have come up quite a few times, and you have given good evidence regarding your concerns. What cost to business do you anticipate if the Bill stays so loose, with so much left to secondary legislation?

Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.

--- Later in debate ---
The Chair

Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.

Bradley Thomas

Q I have two questions. First, on the topic of cross-border control, how do you think we can get definition around the resilience obligations and how they apply to foreign-hosted systems, particularly given that your networks will be quite widespread? My second question is more broad. Given that you are all responsible for operating networks that are strategically important, and that you are also commercial companies, how do you think we strike the right balance between growth in AI, proportionate regulation and not stifling commercial innovation?

Dr Ian Levy: I will start with that one.

The Chair

Please, Gentlemen, do not feel obliged to answer each question.

Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.

The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.

We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.

In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.

Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.

Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

Dr Allison Gardner (Stoke-on-Trent South) (Lab)

Q I should point out that I once worked for the NHS AI and Digital Regulations Service and have also worked for a number of different regulators, including the ICO, so I have experience of the joys and frustrations of cross-regulatory working. We have heard evidence of the challenges experienced by businesses when they have to go to different regulators—I think it is as many as 14—and deal with the conflicting guidance they are often given and the skillset within each regulator. There were calls for one portal for incident reporting.

The ICO is a horizontal regulator working across all sectors. In your experience, would a single cyber regulator be a good idea? What would be the benefits and the challenges? I will allow Ofcom and Ofgem to jump in and defend themselves.

Ian Hulme: I suppose the challenge with having a single regulator is that—like ourselves, as a whole-economy regulator—it will have to prioritise and direct its resources at the issues of highest harm and risk. One benefit of a sectoral approach is that we understand our sectors at a deeper level; we certainly work together quite closely on a whole range of issues, and my teams have been working with Natalie and Stuart’s teams on the Bill over the last 18 months, and thinking about how we can collaborate better and co-ordinate our activities. It is really pleasing to see that that has been recognised in the Bill with the provisions for information sharing. That is going to be key, because the lack of information-sharing provisions in the current regs has been a bit of a hindrance. There are pros and cons, but a single regulator will need to prioritise its resources, so you may not get the coverage you might with a sectoral approach.

Natalie Black: Having worked in this area for quite some time, I would add that the challenge with a single regulator is that you end up with a race to the bottom, and minimum standards you can apply everywhere. However, with a tailored approach, you can recognise the complexity of the cyber risk and the opportunity to target specific issues—for example, prepositioning and ransomware. That said, we absolutely recognise the challenge for operators and companies in having to bounce between regulators. We hear it all the time, and you will see a real commitment from us to do something about it.

Some of that needs to sit with the Department for Science, Innovation and Technology, which is getting a lot of feedback from all of us about how we need it to co-ordinate and make things as easy as possible for companies—many of which are important investors in our economy, and we absolutely recognise that. We are also doing our bit through the UK Regulators Network and the Digital Regulation Cooperation Forum to find the low-hanging fruit where we can make a difference. To give a tangible example, we think there should be a way to do single reporting of incidents. We do not have the answer for that yet, but that is something we are exploring to try and make companies’ lives easier. To be honest, it will make our lives easier as well, because it wastes our time having to co-ordinate across multiple operators.

Bradley Thomas (Bromsgrove) (Con)

Q What additional resources will you need in order to implement and enforce the requirements of the Bill?

Ian Hulme: Again, to contrast the ICO’s position with that of other colleagues, we have a much larger sector, as it currently exists, and we will have a massively larger sector again in the future. We are also funded slightly differently. The ICO is grant in aid funded from Government, so we are dependent on Government support.

To move from a reactive footing, which is our position at the moment—that is the Government’s guidance to competent authorities and to the ICO specifically—to a proactive footing with a much expanded sector, will need significant uplift in our skills and capability, as well as system development in order to register and ingest intelligence from MSPs and relevant digital service providers in the future.

From our perspective at the ICO, we need significant support from DSIT so that we can transition into the new regulatory regime. It will ultimately be self-funding—it is a sustainable model—but we need continued support during the transition period.

Bradley Thomas

Q Are you able to quantify that in any way?

Ian Hulme: At the moment, to give you a few broad numbers, our teams are around 15 people, and we anticipate doubling that. In the future, with self-funding, we will be a bit more in control of our own destiny. It is a significant uplift from our perspective.

Natalie Black: The challenge is that the devil is in the detail. Until that detail has worked through secondary legislation, we will have to reserve our position, so that we give you accurate numbers in due course. From Ofcom’s point of view, it is about adding 10s rather than significant numbers. I do not think we are that far off the ICO.

But I want to emphasise that this is about quality, not necessarily quantity. Companies want to work with expert regulators who really know what they are doing. Ofcom is building on the work we are already doing under the Telecommunications (Security) Act 2021. It will be a question of reinforcing that team, rather than setting up a separate one. We want to get the best, high-quality individuals who know how to talk to industry and really know cyber-security, to make sure people have a good experience when engaging with us.

Ian Hulme: To add to that, the one challenge we will face as a group is that we are all fishing in the same pond for skills. MSPs and others will also be fishing in that pond from the sector side. There needs to be recognition that there is going to be a skills challenge in this implementation.

Stuart Okin: To specifically pick up on the numbers, we have a headcount of 43 who are dedicated within cyber regulation. That also includes the investment side. We also have access to the engineering team—the engineering directorate—which is a separate team. There is also our enforcement directorate, as well as the legal side of things. The scope changes proposed in the Bill are just the large load controllers and supply chain, so we are not expecting a major uplift. These will be small numbers in comparison. Unlike my colleagues, we are not expecting a big uplift in resourcing.

Tim Roca (Macclesfield) (Lab)

Q I was reading the ICO’s response in December, as this legislation was proceeding, and it talks a little about having clarity around secondary legislation, the Secretary of State’s powers and the definition of “significant impact”. What are your concerns about the secondary legislation, or what you would like to make sure is right in it?

Ian Hulme: There are two angles to that. From a purely planning and preparation perspective, it is incredibly difficult, without having seen the detail, to know precisely what is expected of MSPs and IDSPs in the future, and therefore what the regulatory activity will be. That is why, when I am answering questions for colleagues, it is difficult to be precise about those numbers.

Equally, we are hearing from industry that it wants that precision as well. What is the expectation on it regarding incident reporting? What does “significant impact” mean? Similarly, with the designation of critical suppliers, precision is needed around the definitions. From a regulatory perspective, without that precision, we will probably find ourselves in a series of potential cases arguing about the definition of an issue. To give an example, if the definition of MSP is vague, and we are saying to an MSP that we think it is in scope, and it is saying, “No, we are not,” then a lot of our time and attention will be taken up with those types of arguments and disputes. Precision will be key for us.

--- Later in debate ---
Dave Robertson (Lichfield) (Lab)

Q Thank you for coming in to talk to us this afternoon. The Bill includes a couple of backstop powers for the Government to compel information and things like that. Are those powers sufficient to guarantee national security?

Chung Ching Kwong: I think that to a certain extent they will. For hackers or malicious actors aiming for financial gain with more traditional hacking methods, it will definitely do a job in protecting our national security. But the Bill currently views resilience through an IT lens. It is viewing this kind of regulatory framework as a market regulatory tool, instead of something designed to address threats posed by state-sponsored actors. It works for cyber-criminals, but it does not work for state actors such as China, which possess structural leverage over our infrastructure.

As I said before, we have to understand that Chinese vendors are legally obliged to compromise once they are required to. The fine under the Bill is scary, but not as scary as having your existence threatened in China—whether you still have access to that market or you can still exist as a business there. It is not doing the job to address state-sponsored hackers, but it really does help when it comes to traditional hacking, such as phishing attempts, malware and those kinds of things.

Bradley Thomas

Q For the avoidance of doubt, I will put on the record that I am a member of the IPAC caucus in this Parliament. Thank you for coming in to see us. You have spoken about the threats from hostile and adversarial states. Given the scope of what we are talking about, can you give us any insight on what comparable western nations are doing to protect themselves?

Chung Ching Kwong: The US is probably a good example. It passed Executive order 14028 in May 2021, which requires any software vendor selling to the US federal Government to provide something called a software bill of materials—SBOM. That is technically a table of ingredients, but for software, so you can see exactly what components the software is made of. A lot of the time people who code are quite lazy; they will pull in different components that are available on databases online to form a piece of software that we use. By having vendors provide an SBOM, when anything happens, or whenever any kind of vulnerability is detected, you can very easily find out what happened.

That is due to a hack in 2021, in which a tiny, free piece of code called Log4j was found to have a critical vulnerability. It was buried inside thousands of commercial software products. Without that list of ingredients, it would be very difficult for people who had been using the software to find out, because, first, they may not have the technological capabilities and, secondly, they would not even know if their software had that component. This is one of the things the US is doing to mitigate the risks when it comes to software.

Something that is not entirely in the scope of the Bill but is also worth considering is the US’s Uyghur Forced Labour Prevention Act. That is designed to prevent goods made with forced labour from entering the supply chain. The logic of preventing forced labour is probably something that the UK can consider. Because the US realised that it could not inspect every factory in Xinjiang to prove forced labour, it flipped the script: the law creates a rebuttable presumption that all goods from that region are tainted, so the burden of proof is now on the importer to prove, with clear and convincing evidence, that their supply chain is clean.

A similar logic could be considered when it comes to this Bill to protect cyber-security. Any entities that are co-operating with the PLA—the People’s Liberation Army—for example, should be considered as compromised or non-trustworthy until proven otherwise. That way, you are not waiting until problems happen, when you realise, “Oh, this is actually tainted,” but you prevent it before it happens. That is the comparison that I would make.

Tim Roca

Q I, too, put on the record that I am a member of the IPAC caucus in this Parliament.

Thank you for speaking to us today. May I turn the conversation a little on its head? We have been talking about national security and the threat from China and others. You were an activist in Hong Kong and made a great deal of effort to fight the Chinese Communist party’s invasion of privacy—privacy violations using the national security law—and other things. Do you see any risk in this legislation as regards civil liberties and privacy? We have had a bit of discussion about how much will go into secondary legislation and how broad the Secretary of State’s powers might be.

Chung Ching Kwong: The threat to privacy, especially to my community—the Hong Kong diaspora community in this country—will be in the fact that, under clause 9, we will be allowing remote access for maintenance, patches, updates and so on. If we are dealing with Chinese vendors and Chinese providers, we will have to allow, under the Bill, certain kinds of remote access for those firms to maintain the operation of software of different infrastructures. As a Hongkonger I would be worrying, because I do not know what kind of tier 2 or tier 3 supplier will have access to all those data, and whether or not they will be transmitted back to China or get into the wrong hands. It will be a worry that our data might fall into the wrong hands. Even though we are not talking specifically about personal data, personal data is definitely in scope. Especially for people with bounties on their head, I imagine that it will be a huge worry that there might be more legitimate access to data than there is right now under the Data Protection Act.

--- Later in debate ---
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

Q One of the things that we have heard over the course of the day is that the Bill is just one of a range of different ways in which public authorities engage with companies on cyber-security and resilience. I am interested in hearing about the impact the Police CyberAlarm programme has had on the cyber-security and resilience of organisations. What would you like to see going forward?

DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.

For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.

For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, with the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.

We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”

To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.

The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.

Bradley Thomas

Q With regard to ransom payments and extortion attempts, what do you typically see? Is it for monetary gain or intellectual property data—what is the split?

DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.

Chris Vince

Q Part of my concern is the pace of change in the technology that hackers are using, and I am sure that is a concern for you as well. One of the conversations about the Bill is about how flexible or inflexible it should be. What is your view on the changing pace of the threat we face from criminality when it comes to cyber-attacks, and on how the Bill can best be framed to deal with that ever-changing challenge and threat?

DCS Andrew Gould: It is a tricky one. It feels like the technology change is getting ever faster and ever more challenging, but I first went into cyber-crime in the Met back in 2014, and we are giving the same advice now as we were giving then. Sometimes your head can explode with the technical complexity of it, but a lot of the solution just comes down to doing the really boring basics in a world-class way. It is things like patching and doing your software updates. Whether you are a member of the public or running an organisation, finding a way to do those updates and patches means that 50% of the threat has gone, there and then. With something like multi-factor authentication, it seems like most organisations do not want to inconvenience their staff or customers by putting it in place, but that would be another 40% of the problem solved. It is not infallible—nothing is—but if you are thinking about how attacks are still successful, it is pretty basic: a lot of our protections are not in place. Solving that means that 90% of the threat is gone, there and then. That then leaves the 10% of more sophisticated threats—let’s make the criminals work a bit harder.

--- Later in debate ---
Chris Vince

Q Thank you for your time, Minister. Listening to the evidence and looking at the Bill, what strikes me is that this is about a balance between the importance of flexibility—particularly given the increase in threat and the complexity of the issues we face—and businesses wanting certainty. Do you feel confident that the Bill strikes that balance, and how have you sought to ensure that it does?

Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.

On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.

Bradley Thomas

Q Would the cyber-attacks on JLR and M&S that took place last year be in the scope of this Bill?

Kanishka Narayan: I am shy of making comments on specific incidents, but as a broad brush, clearly the food supply or automotive manufacturing sectors are not directly in scope of the Bill, for reasons I am very much happy to discuss.

Bradley Thomas

Q Do you think they should be within scope?

Kanishka Narayan: Let me place the focus of this Bill in the global context. As we have heard, there is a range of legislative as well as non-legislative measures on cyber-security. It is deeply important that every organisation, whether in scope of the Bill or not, acts robustly, and we will look at that, not least through the cyber action plan, which I know industry welcomed earlier today and which we are looking forward to publishing very soon.

The particular focus of this Bill is on essential services, the disruption of which would pose an imminent threat—for example, to life and to our economy—in the immediate context. For reasons that we can dive into, if you look at a market such as food supply, the diversity, competitive nature and alternative provision in that market are so obvious that to designate it as fitting the definitional scope I have just highlighted would not be an evidence-led way of engaging.

Bradley Thomas

Q But would you like to see a Bill that goes further and has broader scope?

Kanishka Narayan: As I have said, this legislative vehicle is focused on really high standards of rigour for essential services. I am very keen to ensure that, in the first instance, we are engaging with those companies through the cyber action plan and the National Cyber Security Centre’s framework and to ensure that, as a consequence of those, they are in a robust place.

Bradley Thomas

Q With regard to skills, given the acute shortage and the growth of this industry, what do you propose to ensure that the public sector is adequately resourced, given what will undoubtedly be a very lucrative private sector appeal for that talent?

Kanishka Narayan: This is a great question. There are two things on my mind. One is that the Government have published a cyber action plan, the crux of which is to make sure that, from the point of view of understanding, principles, accountability and, ultimately, skills, there is significant capability in the public sector. The second thing to say is that we have a very broad-based plan on skills more generally across the cyber sector, public and private. For example, I am really proud of the fact that, through the CyberFirst programme, some—I think—415,000 students right across the country have been upskilled in cyber-security. It is deeply important that the public sector ensures that we are standing up to the test of hiring them and making the attraction of the sector clear to them as well. There is a broad-based plan and a specific one for the public sector in the Government context.

Tim Roca

Q The Committee heard this morning about the public sector’s level of technical debt. This Bill is important in terms of safeguarding essential services, but we heard that an important factor—notwithstanding this Bill—is tackling the enormous number of legacy systems. How do you see us running the two in parallel?

Kanishka Narayan: That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.

The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.

Mobile Phones and Social Media: Use by Children

Bradley Thomas Excerpts
Tuesday 20th January 2026

Commons Chamber
Liz Kendall

My hon. Friend raises a really important issue, which is making sure that young people trust us and feel confident in raising these matters. It is our job to make sure that nobody is frightened to say what is happening to them. We will not get this right unless we talk to people of all ages and from all backgrounds, in all parts of the country. Hon. Members know that they have a vital job to play in their constituency. As Secretary of State, I am responsible for the entire United Kingdom, so I urge hon. Members, for all the politics and show in this House, to engage locally, because then we will get this right.

Bradley Thomas (Bromsgrove) (Con)

It is quite clear that social media is causing a health and wellbeing crisis among young people. Parents are absolutely terrified about the content that their children are viewing and the amount of time that they are spending online. Just a couple of months ago, 14 and 15-year-olds in my constituency told me about the profound pressure that they feel to be on social media. They feel a compulsion to use it, but they do not want to. Will the Government get off the pot and announce a ban? Perfection really is the enemy of the good here. The evidence is plain to see. We need action, not words.

Liz Kendall

The hon. Gentleman knows what I think about why we have to do a consultation, so I disagree with him on that, but he is right to say that we should not let perfection be the enemy of the good. The right hon. Member for East Hampshire (Damian Hinds) made a point about the evidence. I discovered 10 years ago, before so much had changed online, that young people know that some of this stuff is bad; they do not want to do it, but they cannot help themselves. If we were all honest with ourselves, we would know that we behave like that sometimes, too.

Digital ID

Bradley Thomas Excerpts
Monday 13th October 2025

Commons Chamber
Liz Kendall

Yes, I do. My hon. Friend is right that the citizens of this country rightly want to know who has a right to be here and who has a right to work here. That is a very important principle.

Bradley Thomas (Bromsgrove) (Con)

I am wholly opposed to this policy, as I know are many of my constituents. While the Government have talked about the so-called economic benefits of accessing services and digitalising how we interact with Government, my constituents are concerned about infringements on liberty and the shifting relationship between the individual and the state. The state must always be accountable to the individual. Can the Secretary of State rule out this system ever becoming one through which the Government can track location, consumer spending habits or social media activity?

Oral Answers to Questions

Bradley Thomas Excerpts
Wednesday 25th June 2025

Commons Chamber
Chris Bryant

I have been very keen to ensure that the withdrawal of the PSTN—which is being done because it is necessary, as the copper system is not working any more and is more fallible—does not leave anybody unable to contact 999 or get the services that they need. I am very happy to arrange for my hon. Friend a meeting with BDUK to go through precisely how we can ensure that we have proper investment in every constituency in the land so that people have the mobile signal they need to live in the modern era.

Bradley Thomas (Bromsgrove) (Con)

4. What discussions he has had with the Secretary of State for Education on AI in schools.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Feryal Clark)

My Department is working closely with the Department for Education and Skills England to ensure that the education system is ready for the opportunities and the challenges that AI poses. We are assessing the AI skills gap and mapping pathways to address it. My officials have been working closely with the DfE on the education content store, for example, which is a pilot project that seeks to help developers to make better AI tools for teachers by providing a store of reliable and relevant UK data. Last week, the DfE produced guidance to support schools with the safe and effective use of AI in education.

Bradley Thomas

Will the Minister outline what steps are being taken to reduce academic dishonesty and plagiarism in schools resulting from the use of artificial intelligence tools?

Feryal Clark

AI has demonstrated that it can help the education workforce by reducing some of the administrative burdens and the hard work that teaching staff and school leaders face in their day-to-day role. On the hon. Gentleman’s question, evidence is still emerging on the benefits and risks of pupils and students using generative AI. We will continue to work with the education sector on use cases to develop our understanding of how to use AI safely and effectively. As I have said, the Department has issued guidance to teachers on how to identify and best use AI in schools.

Oral Answers to Questions

Bradley Thomas Excerpts
Wednesday 26th March 2025

Commons Chamber
The Prime Minister (Keir Starmer)

I congratulate all colleagues working on the Bill and taking part in the debate. It is an important issue on which there are different views across the House and within parties. The Bill is a matter for the House, but it is the Government’s role to ensure that every piece of legislation that passes through Parliament is effective and workable, so we will continue to work with my hon. Friend, as the Bill’s promoter, to do that in the same way that we do for every private Member’s Bill that passes Second Reading. If Parliament chooses to pass the Bill, the Government will implement it in a way that is safe and practicable.

Bradley Thomas (Bromsgrove) (Con)

Q8. Acorns children’s hospice provides compassionate care to very young cancer patients and their families across Bromsgrove and the villages, yet it faces a staggering £416,000 increase in national insurance contributions as a result of choices made by this Government. With no exemption for hospices and no uplift in non-capital funding, this means that the charity will have to draw on charitable donations made by the public, which will affect frontline services. This is not right, so will the Prime Minister take this opportunity to right that wrong and exempt hospices from this tax?

The Prime Minister

We are investing £100 million in adult and children’s hospices to improve facilities, equipment and accommodation, as well as £26 million in funding through the children’s hospice grant. [Interruption.] Conservative Members’ cries and moaning would have a lot more value if they started their questions with an apology for crashing the economy in the first place.