Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Bradley Thomas ExcerptsTuesday 3rd February 2026
(2 days, 6 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Chris Vince (Harlow) (Lab/Co-op)
Q
David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.
Bradley Thomas (Bromsgrove) (Con)
Q
Jen Ellis: For sure, it should not come down to whether you are public or private; it should be about impact. Figuring out how to measure that is challenging. I will leave that problem with policymakers—you’re welcome. I do not think it is about the number of employees. We have to think about impact in a much more pragmatic way. In the tech sector, relatively small companies can have a very profound impact because they happen to be the thing that is used by everybody. Part of the problem with security is that you have small teams running things that are used ubiquitously.
We have to think a little differently about this. We have seen outages in recent years that are not necessarily maliciously driven, but have demonstrated to us how reliant we are on technology and how widespread the impact can be, even of something like a local managed service provider. One that happened to provide managed services for a whole region’s local government went down in Germany and it knocked out all local services for some time. You are absolutely right: we should be looking at privately held companies as well. We should be thinking about impact, but measuring impact and figuring out who is in scope and who is not will be really challenging. We will have to start looking down the supply chain, where it gets a lot more complex.
Tim Roca (Macclesfield) (Lab)
Q
Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.
On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.
The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.
The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.
The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.
Dr Gardner
Q
Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Andrew Cooper
Q
Stuart McKean: It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.
Bradley Thomas
Q
Stuart McKean: Under the designation of a critical supplier, the Bill says:
“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.
That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.
Bradley Thomas
Q
Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.
Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.
Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.
Dr Spencer
Q
Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.
The Chair
Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.
Bradley Thomas
Q
Dr Ian Levy: I will start with that one.
The Chair
Please, Gentlemen, do not feel obliged to answer each question.
Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.
The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.
We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.
In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.
Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.
Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Bradley Thomas ExcerptsTuesday 3rd February 2026
(2 days, 6 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
The ICO is a horizontal regulator working across all sectors. In your experience, would a single cyber regulator be a good idea? What would be the benefits and the challenges? I will allow Ofcom and Ofgem to jump in and defend themselves.
Ian Hulme: I suppose the challenge with having a single regulator is that—like ourselves, as a whole-economy regulator—it will have to prioritise and direct its resources at the issues of highest harm and risk. One benefit of a sectoral approach is that we understand our sectors at a deeper level; we certainly work together quite closely on a whole range of issues, and my teams have been working with Natalie and Stuart’s teams on the Bill over the last 18 months, and thinking about how we can collaborate better and co-ordinate our activities. It is really pleasing to see that that has been recognised in the Bill with the provisions for information sharing. That is going to be key, because the lack of information-sharing provisions in the current regs has been a bit of a hindrance. There are pros and cons, but a single regulator will need to prioritise its resources, so you may not get the coverage you might with a sectoral approach.
Natalie Black: Having worked in this area for quite some time, I would add that the challenge with a single regulator is that you end up with a race to the bottom, and minimum standards you can apply everywhere. However, with a tailored approach, you can recognise the complexity of the cyber risk and the opportunity to target specific issues—for example, prepositioning and ransomware. That said, we absolutely recognise the challenge for operators and companies in having to bounce between regulators. We hear it all the time, and you will see a real commitment from us to do something about it.
Some of that needs to sit with the Department for Science, Innovation and Technology, which is getting a lot of feedback from all of us about how we need it to co-ordinate and make things as easy as possible for companies—many of which are important investors in our economy, and we absolutely recognise that. We are also doing our bit through the UK Regulators Network and the Digital Regulation Cooperation Forum to find the low-hanging fruit where we can make a difference. To give a tangible example, we think there should be a way to do single reporting of incidents. We do not have the answer for that yet, but that is something we are exploring to try and make companies’ lives easier. To be honest, it will make our lives easier as well, because it wastes our time having to co-ordinate across multiple operators.
Bradley Thomas (Bromsgrove) (Con)
Q
Ian Hulme: Again, to contrast the ICO’s position with that of other colleagues, we have a much larger sector, as it currently exists, and we will have a massively larger sector again in the future. We are also funded slightly differently. The ICO is grant in aid funded from Government, so we are dependent on Government support.
To move from a reactive footing, which is our position at the moment—that is the Government’s guidance to competent authorities and to the ICO specifically—to a proactive footing with a much expanded sector, will need significant uplift in our skills and capability, as well as system development in order to register and ingest intelligence from MSPs and relevant digital service providers in the future.
From our perspective at the ICO, we need significant support from DSIT so that we can transition into the new regulatory regime. It will ultimately be self-funding—it is a sustainable model—but we need continued support during the transition period.
Bradley Thomas
Q
Ian Hulme: At the moment, to give you a few broad numbers our teams are around 15 people, and we anticipate doubling that. In the future, with self-funding, we will be a bit more in control of our own destiny. It is a significant uplift from our perspective.
Natalie Black: The challenge is that the devil is in the detail. Until that detail has worked through secondary legislation, we will have to reserve our position, so that we give you accurate numbers in due course. From Ofcom’s point of view, it is about adding 10s rather than significant numbers. I do not think we are that far off the ICO.
But I want to emphasise that this is about quality, not necessarily quantity. Companies want to work with expert regulators who really know what they are doing. Ofcom is building on the work we are already doing under the Telecommunications (Security) Act 2021. It will be a question of reinforcing that team, rather than setting up a separate one. We want to get the best, high-quality individuals who know how to talk to industry and really know cyber-security, to make sure people have a good experience when engaging with us.
Ian Hulme: To add to that, the one challenge we will face as a group is that we are all fishing in the same pond for skills. MSPs and others will also be fishing in that pond from the sector side. There needs to be recognition that there is going to be a skills challenge in this implementation.
Stuart Okin: To specifically pick up on the numbers, we have a headcount of 43 who are dedicated within cyber regulation. That also includes the investment side. We also have access to the engineering team—the engineering directorate—which is a separate team. There is also our enforcement directorate, as well as the legal side of things. The scope changes proposed in the Bill are just the large load controllers and supply chain, so we are not expecting a major uplift. These will be small numbers in comparison. Unlike my colleagues, we are not expecting a big uplift in resourcing.
Tim Roca (Macclesfield) (Lab)
Q
Ian Hulme: There are two angles to that. From a purely planning and preparation perspective, it is incredibly difficult, without having seen the detail, to know precisely what is expected of MSPs and IDSPs in the future, and therefore what the regulatory activity will be. That is why, when I am answering questions for colleagues, it is difficult to be precise about those numbers.
Equally, we are hearing from industry that it wants that precision as well. What is the expectation on it regarding incident reporting? What does “significant impact” mean? Similarly, with the designation of critical suppliers, precision is needed around the definitions. From a regulatory perspective, without that precision, we will probably find ourselves in a series of potential cases arguing about the definition of an issue. To give an example, if the definition of MSP is vague, and we are saying to an MSP that we think it is in scope, and it is saying, “No, we are not,” then a lot of our time and attention will be taken up with those types of arguments and disputes. Precision will be key for us.
Dave Robertson (Lichfield) (Lab)
Q
Chung Ching Kwong: I think that to a certain extent they will. For hackers or malicious actors aiming for financial gain with more traditional hacking methods, it will definitely do a job in protecting our national security. But the Bill currently views resilience through an IT lens. It is viewing this kind of regulatory framework as a market regulatory tool, instead of something designed to address threats posed by state-sponsored actors. It works for cyber-criminals, but it does not work for state actors such as China, which possess structural leverage over our infrastructure.
As I said before, we have to understand that Chinese vendors are legally obliged to compromise once they are required to. The fine under the Bill is scary, but not as scary as having your existence threatened in China—whether you still have access to that market or you can still exist as a business there. It is not doing the job to address state-sponsored hackers, but it really does help when it comes to traditional hacking, such as phishing attempts, malware and those kinds of things.
Bradley Thomas
Q
Chung Ching Kwong: The US is probably a good example. It passed Executive order 14028 in May 2021, which requires any software vendor selling to the US federal Government to provide something called a software bill of materials—SBOM. That is technically a table of ingredients, but for software, so you can see exactly what components the software is made of. A lot of the time people who code are quite lazy; they will pull in different components that are available on databases online to form a piece of software that we use. By having vendors provide an SBOM, when anything happens, or whenever any kind of vulnerability is detected, you can very easily find out what happened.
That is due to a hack in 2021, in which a tiny, free piece of code called Log4j was found to have a critical vulnerability. It was buried inside thousands of commercial software products. Without that list of ingredients, it would be very difficult for people who had been using the software to find out, because, first, they may not have the technological capabilities and, secondly, they would not even know if their software had that component. This is one of the things the US is doing to mitigate the risks when it comes to software.
Something that is not entirely in the scope of the Bill but is also worth considering is the US’s Uyghur Forced Labour Prevention Act. That is designed to prevent goods made with forced labour from entering the supply chain. The logic of preventing forced labour is probably something that the UK can consider. Because the US realised that it could not inspect every factory in Xinjiang to prove forced labour, it flipped the script: the law creates a rebuttable presumption that all goods from that region are tainted, so the burden of proof is now on the importer to prove, with clear and convincing evidence, that their supply chain is clean.
A similar logic could be considered when it comes to this Bill to protect cyber-security. Any entities that are co-operating with the PLA—the People’s Liberation Army—for example, should be considered as compromised or non-trustworthy until proven otherwise. That way, you are not waiting until problems happen, when you realise, “Oh, this is actually tainted,” but you prevent it before it happens. That is the comparison that I would make.
Tim Roca
Q
Thank you for speaking to us today. May I turn the conversation a little on its head? We have been talking about national security and the threat from China and others. You were an activist in Hong Kong and made a great deal of effort to fight the Chinese Communist party’s invasion of privacy—privacy violations using the national security law—and other things. Do you see any risk in this legislation as regards civil liberties and privacy? We have had a bit of discussion about how much will go into secondary legislation and how broad the Secretary of State’s powers might be.
Chung Ching Kwong: The threat to privacy, especially to my community—the Hong Kong diaspora community in this country—will be in the fact that, under clause 9, we will be allowing remote access for maintenance, patches, updates and so on. If we are dealing with Chinese vendors and Chinese providers, we will have to allow, under the Bill, certain kinds of remote access for those firms to maintain the operation of software of different infrastructures. As a Hongkonger I would be worrying, because I do not know what kind of tier 2 or tier 3 supplier will have access to all those data, and whether or not they will be transmitted back to China or get into the wrong hands. It will be a worry that our data might fall into the wrong hands. Even though we are not talking specifically about personal data, personal data is definitely in scope. Especially for people with bounties on their head, I imagine that it will be a huge worry that there might be more legitimate access to data than there is right now under the Data Protection Act.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.
For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.
For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.
We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”
To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.
The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.
Bradley Thomas
Q
DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.
Chris Vince
Q
DCS Andrew Gould: It is a tricky one. It feels like the technology change is getting ever faster and ever more challenging, but I first went into cyber-crime in the Met back in 2014, and we are giving the same advice now as we were giving then. Sometimes your head can explode with the technical complexity of it, but a lot of the solution just comes down to doing the really boring basics in a world-class way. It is things like patching and doing your software updates. Whether you are a member of the public or running an organisation, finding a way to do those updates and patches means that 50% of the threat has gone, there and then. With something like multi-factor authentication, it seems like most organisations do not want to inconvenience their staff or customers by putting it in place, but that would be another 40% of the problem solved. It is not infallible—nothing is—but if you are thinking about how attacks are still successful, it is pretty basic: a lot of our protections are not in place. Solving that means that 90% of the threat is gone, there and then. That then leaves the 10% of more sophisticated threats—let’s make the criminals work a bit harder.
Chris Vince
Q
Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.
On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.
Bradley Thomas
Q
Kanishka Narayan: I am shy of making comments on specific incidents, but as a broad brush, clearly the food supply or automotive manufacturing sectors are not directly in scope of the Bill, for reasons I am very much happy to discuss.
Bradley Thomas
Q
Kanishka Narayan: Let me place the focus of this Bill in the global context. As we have heard, there is a range of legislative as well as non-legislative measures on cyber-security. It is deeply important that every organisation, whether in scope of the Bill or not, acts robustly, and we will look at that, not least through the cyber action plan, which I know industry welcomed earlier today and which we are looking forward to publishing very soon.
The particular focus of this Bill is on essential services, the disruption of which would pose an imminent threat—for example, to life and to our economy—in the immediate context. For reasons that we can dive into, if you look at a market such as food supply, the diversity, competitive nature and alternative provision in that market are so obvious that to designate it as fitting the definitional scope I have just highlighted would not be an evidence-led way of engaging.
Bradley Thomas
Q
Kanishka Narayan: As I have said, this legislative vehicle is focused on really high standards of rigour for essential services. I am very keen to ensure that, in the first instance, we are engaging with those companies through the cyber action plan and the National Cyber Security Centre’s framework and to ensure that, as a consequence of those, they are in a robust place.
Bradley Thomas
Q
Kanishka Narayan: This is a great question. There are two things on my mind. One is that the Government have published a cyber action plan, the crux of which is to make sure that, from the point of view of understanding, principles, accountability and, ultimately, skills, there is significant capability in the public sector. The second thing to say is that we have a very broad-based plan on skills more generally across the cyber sector, public and private. For example, I am really proud of the fact that, through the CyberFirst programme, some—I think—415,000 students right across the country have been upskilled in cyber-security. It is deeply important that the public sector ensures that we are standing up to the test of hiring them and making the attraction of the sector clear to them as well. There is a broad-based plan and a specific one for the public sector in the Government context.
Tim Roca
Q
Kanishka Narayan: That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.
The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.
Mobile Phones and Social Media: Use by Children
Bradley Thomas Excerpts(2 weeks, 2 days ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Liz Kendall
My hon. Friend raises a really important issue, which is making sure that young people trust us and feel confident in raising these matters. It is our job to make sure that nobody is frightened to say what is happening to them. We will not get this right unless we talk to people of all ages and from all backgrounds, in all parts of the country. Hon. Members know that they have a vital job to play in their constituency. As Secretary of State, I am responsible for the entire United Kingdom, so I urge hon. Members, for all the politics and show in this House, to engage locally, because then we will get this right.
Bradley Thomas (Bromsgrove) (Con)
It is quite clear that social media is causing a health and wellbeing crisis among young people. Parents are absolutely terrified about the content that their children are viewing and the amount of time that they are spending online. Just a couple of months ago, 14 and 15-year-olds in my constituency told me about the profound pressure that they feel to be on social media. They feel a compulsion to use it, but they do not want to. Will the Government get off the pot and announce a ban? Perfection really is the enemy of the good here. The evidence is plain to see. We need action, not words.
Liz Kendall
The hon. Gentleman knows what I think about why we have to do a consultation, so I disagree with him on that, but he is right to say that we should not let perfection be the enemy of the good. The right hon. Member for East Hampshire (Damian Hinds) made a point about the evidence. I discovered 10 years ago, before so much had changed online, that young people know that some of this stuff is bad; they do not want to do it, but they cannot help themselves. If we were all honest with our ourselves, we would know that we behave like that sometimes, too.
Digital ID
Bradley Thomas Excerpts(3 months, 3 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Liz Kendall
Yes, I do. My hon. Friend is right that the citizens of this country rightly want to know who has a right to be here and who has a right to work here. That is a very important principle.
Bradley Thomas (Bromsgrove) (Con)
I am wholly opposed to this policy, as I know are many of my constituents. While the Government have talked about the so-called economic benefits of accessing services and digitalising how we interact with Government, my constituents are concerned about infringements on liberty and the shifting relationship between the individual and the state. The state must always be accountable to the individual. Can the Secretary of State rule out this system ever becoming one through which the Government can track location, consumer spending habits or social media activity?
Oral Answers to Questions
Bradley Thomas Excerpts(7 months, 1 week ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Chris Bryant
I have been very keen to ensure that the withdrawal of the PSTN—which is being done because it is necessary, as the copper system is not working any more and is more fallible—does not leave anybody unable to contact 999 or get the services that they need. I am very happy to arrange for my hon. Friend a meeting with BDUK to go through precisely how we can ensure that we have proper investment in every constituency in the land so that people have the mobile signal they need to live in the modern era.
Bradley Thomas (Bromsgrove) (Con)
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Feryal Clark)
My Department is working closely with the Department for Education and Skills England to ensure that the education system is ready for the opportunities and the challenges that AI poses. We are assessing the AI skills gap and mapping pathways to address it. My officials have been working closely with the DFE on the education content store, for example, which is a pilot project that seeks to help developers to make better AI tools for teachers by providing a store of reliable and relevant UK data. Last week, the DFE produced guidance to support schools with the safe and effective use of AI in education.
Bradley Thomas
Will the Minister outline what steps are being taken to reduce academic dishonesty and plagiarism in schools resulting from the use of artificial intelligence tools?
Feryal Clark
AI has demonstrated that it can help the education workforce by reducing some of the administrative burdens and the hard work that teaching staff and school leaders face in their day-to-day role. On the hon. Gentleman’s question, evidence is still emerging on the benefits and risks of pupils and students using generative AI. We will continue to work with the education sector on use cases to develop our understanding of how to use AI safely and effectively. As I have said, the Department has issued guidance to teachers on how to identify and best use AI in schools.
Oral Answers to Questions
Bradley Thomas Excerpts(10 months, 1 week ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Prime Minister
I congratulate all colleagues working on the Bill and taking part in the debate. It is an important issue on which there are different views across the House and within parties. The Bill is a matter for the House, but it is the Government’s role to ensure that every piece of legislation that passes through Parliament is effective and workable, so we will continue to work with my hon. Friend, as the Bill’s promoter, to do that in the same way that we do for every private Member’s Bill that passes Second Reading. If Parliament chooses to pass the Bill, the Government will implement it in a way that is safe and practicable.
Bradley Thomas (Bromsgrove) (Con)
The Prime Minister
We are investing £100 million in adult and children’s hospices to improve facilities, equipment and accommodation, as well as £26 million in funding through the children’s hospice grant. [Interruption.] Conservative Members’ cries and moaning would have a lot more value if they started their questions with an apology for crashing the economy in the first place.
Listed Places of Worship Scheme
Bradley Thomas Excerpts(1 year ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Bradley Thomas (Bromsgrove) (Con)
I beg to move,
That this House has considered the Listed Places of Worship Scheme.
It is a pleasure to serve under your chairmanship, Mr Western. There are around 20,000 listed—
Sir Christopher Chope (Christchurch) (Con)
On a point of order, Mr Western. Before my hon. Friend develops the debate, may I inquire about the fact that, according to the Order Paper, the fourth of the written statements to be made today, by the Secretary of State for Culture, Media and Sport, is titled “Future of the Listed Places of Worship Grant Scheme”? If that statement is being made today, would it not be convenient for us to see a copy of it before this debate begins, so that it can inform the debate, rather than that being left until after the debate?
Matt Western (in the Chair)
Sir Christopher, thank you for your point of order. I am sure that that is something the Minister will attend to in his winding-up speech.
Bradley Thomas
There are about 20,000 listed cathedrals, churches and chapels in use across the UK, belonging to a wide range of denominations, together with a number of important listed synagogues, mosques and temples. The buildings are valued for their architecture and history and for the economic and social benefit they bring to the communities they serve. These beautiful buildings, with storied histories, serve both as sacred spaces for the religious community and as spaces for the wider public.
The listed places of worship grant scheme supports faith communities by allowing them to reclaim the full amount of VAT spent on eligible repairs, alterations and additions to their building. That includes vital repair works to roofs and stonework, and improvements to facilities such as kitchens and toilets and to the thermal performance of the building.
At present the scheme, which spends only around £30 million per year, is due to close on 31 March 2025, and no extension or alternative is yet known about. If the scheme is cancelled or scaled back, it will be devastating for these historic buildings, local communities and the heritage construction sector. What a travesty it would be if, for the sake of £30 million to the Exchequer, the Government exacerbated the decay of our historical, spiritual and social heritage, with no upside.
Danny Kruger (East Wiltshire) (Con)
I am very pleased my hon. Friend has secured this debate. He mentions the trifling sum the tax could bring to the Exchequer, but does he recognise the enormous, quantifiable economic value—billions of pounds—that church buildings bring to our communities? I particularly reference the work that Bishop Andrew Rumsey, the Bishop of Ramsbury in my constituency, is leading for the Church of England on this issue. Does my hon. Friend agree that the economic value outweighs the receipts that the Treasury would get?
Bradley Thomas
I agree wholeheartedly that this is not just about the social value. There is a profound economic value that goes beyond the £30 million I referenced.
The Church of England alone has a backlog of repairs to parish churches estimated at more than £1 billion, with the annual need estimated at £150 million per year. Large-scale closures are also sweeping across Scotland and Wales. There are 969 places of worship on Historic England’s 2024 heritage at risk register, and more than 60% of MPs in England have a church, chapel, meeting house or cathedral in their constituency that is on the register.
The listed places of worship grant scheme is the only regular financial support the Government provide to help those looking after these buildings. By “financial support”, I mean simply a refund of the tax already paid to the Exchequer.
Sir Christopher Chope
Christchurch priory is on the list of churches at risk. Will my hon. Friend confirm that the Department for Culture, Media and Sport could be saved any costs if my private Member’s Bill—the Exemption from Value Added Tax (Listed Places of Worship) Bill—which is due for a hearing in the House on Friday 28 March, were passed? It would exempt listed places of worship repairs from value added tax, which in itself would sort the problem out.
Bradley Thomas
I thank my hon. Friend for highlighting Christchurch priory. I am certain that he will be the strongest advocate of the proposal he puts forward on that Friday.
Refunding the tax our places of worship have already paid is vital because in the UK, unlike in the rest of Europe, they depend overwhelmingly on local people to raise the funding for their buildings. In France, Belgium, Germany and Italy, by contrast, such buildings are either owned by the state or supported by special taxes.
The scheme was introduced in its current form by the Labour Government in 2001, when the right hon. Gordon Brown, as Chancellor of the Exchequer, recognised the harm that changes to VAT could cause these buildings. It was launched in the House of Lords in December 2001 by Baroness Blackstone, who stated:
“This new grant will provide much-needed public support for these historic buildings. The scheme underlines the value this Government place on our important historic environment.”—[Official Report, House of Lords, 4 December 2001; Vol. 629, c. WA129.]
I plead with the current Government to recognise that.
Dr Neil Hudson (Epping Forest) (Con)
I congratulate my hon. Friend on securing this important debate. The listed places of worship grant scheme is vital for our communities. The previous Conservative Government extended it in 2023, and since 2022 five grants have been awarded in my constituency. I have been contacted by a number of places of worship that are deeply concerned about the future of the scheme. Does my hon. Friend agree that, for the sake of worship, outreach, youth work, helping vulnerable people, and community hubs, it is right for the Government to extend the scheme?
Bradley Thomas
I wholeheartedly agree that the scheme should be extended, given all the economic and social benefits my hon. Friend touched on and the many others that Members will cite. It is a no-brainer that the Government should pursue this.
Since 2004, the scheme has been renewed by every Government, but now a new commitment must be made, because the current commitment comes to an end in just a few weeks’ time. Since 2001, the scheme has supported 13,000 places of worship, safeguarding the future of some of our most important local heritage. In addition to their architectural significance, cathedrals, churches and chapels form the nation’s largest art collections, including sculpture, stained glass, wall paintings, woodwork, metalwork and vernacular art. Church buildings also form a vital part of the identity of Britain’s landscapes and townscapes. They are the visual centre for tens of thousands of communities.
St John’s in my constituency is a grade II listed church in the centre of the town. The top section of the spire needs replacing to ensure that the church remains structurally safe and continues to be a beacon for Bromsgrove. The parochial church council and the Friends of St John’s are in receipt of nearly £250,000 from the National Lottery Heritage Fund, plus match funding from trusts, foundations and local fundraising, to meet a total project cost in the region of £430,000. If a VAT bill in excess of £80,000 becomes unclaimable, there is a risk that the project could become untenable.
Members from across the House will have stories from their own constituencies. Residents raise money to repair their local place of worship and keep it as a community asset to pass down to the next generation. We are merely custodians of these assets. St John’s is just one example, but there are more than 20 listed places of worship in my constituency that benefit from the scheme, and I want to highlight a few of them. They include Christ Church in Catshill, Holy Trinity and St Mary’s church at Dodford, St Leonard’s church at Frankley, St John the Baptist church at Hagley, St Kenelm’s church at Romsley, St Bartholomew’s church at Tardebigge, St Michael and All Angels at Stoke Prior, St Laurence church at Alvechurch, the church of St John the Baptist on St John Street, the church of All Saints on Birmingham Road, St Leonard’s in Clent, St Leonard’s in Beoley, the Roman Catholic church in Bromsgrove, St Catherine’s church in Lickey and Blackwell, St Mary’s church at Wythall, Holy Trinity in Belbroughton, St Michael and All Angels in Cofton Hackett, the church of St Wulstan and St Oswald in Clent, St Godwald’s church, and St Andrew’s church in Barnt Green.
We all have at least a dozen, 20 or maybe more churches or listed places of worship that are under threat because the Government have not committed to £30 million.
Jess Brown-Fuller (Chichester) (LD)
The grant scheme we are debating enabled St Paul’s in my constituency to undergo some radical improvements to accessibility and its community spaces. Without the community spaces that operate out of churches and cathedrals, the homes for charities no longer exist. Does the hon. Gentleman agree that, given that every £1 spent in churches gives a £16 return to the community, this scheme is an investment in the future of community groups and charities?
Bradley Thomas
The hon. Lady has summed it up perfectly, and I thank her for highlighting the example of St Paul’s in Chichester. That is a perfect segue into the point I was just about to make: it is not just heritage and religion that are at risk if the scheme lapses. Churches and other places of worship are hubs of their local communities. Church of England churches alone support over 35,000 social action projects, including food banks, community larders, and debt, drug and alcohol advice and rehabilitation groups. In recent years, during which we have seen energy prices rise, churches have acted as warm spaces, and at times of extreme weather events they have been gathering points, providing the safety and hospitality required by communities seeking refuge from flooding and other weather events. Churches, chapels and meeting houses in the UK host and run vital support services—everything from Alcoholics Anonymous meetings to mental health support and parent and toddler groups. The saving to the NHS from delivering this kind of facility to communities is estimated as £8.4 billion a year.
The contribution that churches and cathedrals make to our creative industries and to tourism is also very significant. Some 9.3 million people visited English cathedrals in 2023—a staggering 17% increase on the year before—with many of those visitors coming from overseas. In that sense, churches, cathedrals and places of worship are a UK export.
Churches are also by far the largest base for amateur music-making by choirs and orchestras, as well as housing thousands of professional performances each year, ranging from pop to classical music. They foster talent, and musicians including singer-songwriter Ed Sheeran and leading violinist Tasmin Little began their musical careers by taking part in church music.
John Glen (Salisbury) (Con)
My hon. Friend will obviously want to recognise the centrality to the country of Salisbury cathedral’s contribution in terms of music and architectural elegance. He will also want to recognise the fact that every church takes on great responsibility for raising funds itself before it looks to the Government. The Churches Conservation Trust and the National Churches Trust do a great deal to support churches that are trying to help themselves, but the continuity of VAT support from Government is a crucial additional element that goes alongside that private endeavour.
Bradley Thomas
I thank my right hon. Friend for his contribution and for highlighting the significant cultural importance of Salisbury cathedral. He is spot on: volunteers across our communities sweat everything they possibly can out of fundraising endeavours. This is not a case of going to the Government in the first instance; this is people simply asking for support that ultimately enables churches to be net economic contributors to the communities in which they operate.
Sir Roger Gale (Herne Bay and Sandwich) (Con)
Mr Western, I probably ought to indicate that I have proudly served in the past as a member of the Ecclesiastical Committee, although I do not regard this as just an Anglican issue at all. Further to the point raised by my right hon. Friend the Member for Salisbury (John Glen), the support for these buildings—for our churches—comes from generous donations by members of the public, which are given for a very specific purpose. Does my hon. Friend agree that this money is freely given, but that it is not freely given to be taxed? I hope the Minister will be able to comment on that later.
Bradley Thomas
My right hon. Friend makes an excellent point. There are so many generous benefactors across the country who are giving their funds—which, in most cases, they have paid income tax on—to support churches and places that provide spiritual and social wellbeing. Government should recognise that, and I certainly hope the Minister will reference that point in his remarks.
These buildings are loved by their communities, and in most cases they are also cared for by volunteers. Particularly in rural communities, the care of these magnificent buildings is in the hands of a few committed people, many of whom are later in their years. They diligently raise funds for the repair of the church building that has shaped the life of their village and community for centuries. Although I raised major projects earlier, the potential loss of the listed places of worship grant scheme in the places I have just mentioned—which may claim only a few thousand pounds per year—will determine how much maintenance and repair can take place. At worst, it could be the difference between being solvent or not, and determine the long-term survival and preservation of those buildings.
Places of worship are the very essence of place-making and community. They provide enormous value to society—value that our country would be immeasurably poorer without. The National Churches Trust’s “House of Good” report calculated that the total UK-wide economic and social value of places of worship had a market value and replacement cost of £2.4 billion per year. I hope that that puts into perspective what excellent value the listed places of worship grant scheme is for the long-term preservation of those assets. That is £2.4 billion of value for a scheme that costs just £29 million a year. Clearly, that amount of money makes no material difference to the country’s £1 trillion expenditure, so I simply cannot understand what is under threat. If the Government were not to renew the listed places of worship grant scheme, the task of keeping church buildings in good repair and open for people to use would be made much harder. More money would need to be raised by local people to pay VAT to the Government, on top of money for skilled labour, materials and other project costs.
The damage done to parish churches across England will come at a difficult time, when our communities are becoming less united than ever. The past 50 years have seen unprecedented change, with mass immigration, enhanced social mobility and evolving social attitudes. All of those factors have changed and pushed our communities in different directions and made society less cohesive. Instead of attacking one of the last few community spaces left, I ask the Government to continue funding the scheme.
I urge the Government to look now at making the scheme permanent, and not just at giving it a temporary reprieve. A permanent scheme would enable the larger places of worship, such as cathedrals that plan their repair work over five to 20 years, to commit to long-term projects with certainty that VAT costs will be covered by the scheme.
Bradley Thomas
Because I am conscious of time, I will not thank hon. Members individually, but I thank everyone collectively. I am really pleased to see the extent of cross-party support here. We have approached the matter in a non-political spirit, recognising the heritage and identity of churches and listed places of worship and the spiritual contributions they make across the entire country.
I welcome the Minister providing a continuation of the scheme for 2025-26, although the hon. Member for Taunton and Wellington (Gideon Amos) was spot on when he said that the scheme was a bargain as it was. It would be a false economy to reduce the scheme and not to give it a degree of permanence. I implore the Minister to go back to his Department and consider how the scheme can be extended permanently—
Motion lapsed (Standing Order No.10(6)).