General Committees
It is a pleasure to serve under your chairmanship, Mr Bone. May I start by saying that I hope that in the months ahead I can work constructively with the Minister in my new role? I accept that there will be times when we will disagree, but I hope that she will always know that that will be on matters of policy and never, ever personal.
We do not oppose the regulations, which address EU exit-related deficiencies in the retained EU legislation that regulates the security of network and information systems of core UK service providers. There are no specific points that I would like to raise in direct relation to the regulations, which seek to recognise the UK’s position outside the European Union and the necessary legislative changes that need to be addressed. I also note that no concerns were raised by the Secondary Legislation Scrutiny Committee. I would, however, like to make some more general observations on the SI itself, and I would be grateful to the Minister if she could answer my questions either now or in writing.
The prevalence of cyber-related attacks has only grown in recent years. In August it was reported that nine cyber-attacks on the UK’s transport infrastructure were missed by mandatory reporting laws due to the reporting thresholds being so high. To add further concern, the Government were alerted to those attacks only because the information was given voluntarily.
It is clear, given the UK’s position outside the European Union, that changes need to be made to the setting of parameters for digital service providers, which is currently still retained in EU legislation. However, given that it has been over a year since the end of the transition period, there is concern that we are only now finding time to debate issues relating to our national cyber infrastructure. As noted in the SI, having the EU set the parameters for incident reporting by digital service providers does not work effectively for the UK as a stand-alone nation, as the Minister has touched on. The main issue is that the reporting threshold for EU nations is too high to trigger reporting in the UK. The Opposition recognise and agree that changes need to be made to reflect the UK outside the EU. We cannot have a situation where the Information Commissioner is not alerted to cyber incidents that have caused disruption to the activities of digital service providers, many of which are crucial to the smooth, day-to-day running of society.
The Minister has said that this statutory instrument is not going to be used as part of any future relationship agreement with the European Union. Cyber-attacks and breaches of digital infrastructure are not unique to one nation. Digital is a shared commodity, not bound by physical borders. Could the Minister elaborate on what discussions are being had with European neighbours on joint working reporting of cyber-attacks against digital service providers? Although I recognise the need for the UK to have its own reporting mechanism, close collaboration on shared security issues remains crucial.
Does the hon. Gentleman agree that this is not just about the European Union? The United Kingdom has just entered into an agreement with the state of Israel, which is perhaps, some would argue, the most advanced country in the world on cyber-security. Does he welcome that?
For the avoidance of doubt and for the record, I do welcome the collaborative agreement. Clearly, the issue of cyber-security applies beyond the European Union; in fact, it affects all nations around the world. What we are discussing today, however, as the Minister has said, is the need to improve the current state of play from when we left the European Union—the transition period ended over a year ago. Of course, I agree entirely that the more relationships we have in terms of improving our data and cyber-security, the better.
I am delighted.
Given that the proposed changes will increase the scope and responsibilities of the Information Commissioner’s Office, does the Minister believe that the Information Commissioner has enough staff and wider resource to complete those duties? The explanatory memorandum states that the next post-implementation review of the NIS regulations will take place by May 2022 and that subsequent reviews will take place no later than every five years. Given the rapid pace of change in innovation in digital services, will the Minister seek to ensure that reviews take place no later than every two years, to keep pace with any change in the sector?
Finally, the explanatory memorandum states:
“The legislation does not apply to activities that are undertaken by small businesses.”
I am sure that all Members present recognise that the pandemic has accelerated the growing trend for more and more businesses to move online, especially small business owners. What discussions are taking place to protect small businesses that are classed as digital service providers but are not recognised by the ICO as relevant data service providers, as they continue to grow in number? Beyond that, as I have said, we do not object to the regulations.