Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting) Debate
Contributions of Chris Vince (Labour (Co-op) - Harlow) in debate with the Department for Science, Innovation & Technology
Public Bill Committees
The Chair
Good morning, everyone. Will you please ensure that all electronic devices are turned off or switched to silent mode? This morning, we begin line-by-line consideration of the Bill. The selection and grouping list for today’s sitting is available in the room and on the parliamentary website; it shows how the clauses, schedules and selected amendments have been grouped for debate.
I remind Members that the Member who has put their name to the lead amendment in a group is called to speak first. In the case of a stand part debate, the Minister will be called to speak first. Other Members will then be free to indicate they wish to speak by bobbing or catching my eye. At the end of a debate on a group of amendments or new clauses, I shall again call the Member who moved the lead amendment or new clause. Before they sit down, they will need to indicate whether they wish to withdraw the amendment or seek a decision. If any Member wishes to press to a vote any other amendments in a group, they need to let me know. That includes grouped new clauses.
The order of decisions will follow the order in which amendments appear on the amendment paper. Any decisions on new clauses will be taken at the end of proceedings on the Bill, after decisions have been taken on all amendments and clauses of the Bill. I shall use my discretion to decide whether to allow a separate stand part debate on individual clauses and schedules following debate on the relevant amendments. I hope that that is helpful.
There is one more point that is not in my script: there are three members of the Committee who have hearing impairments, so it would be helpful if hon. Members could articulate as clearly as possible.
Are there any declarations of interest?
Chris Vince (Harlow) (Lab/Co-op)
I declare an interest: my father-in-law is a professor of cyber-security at City St George’s, University of London. Also, Kao Data has a large data centre in my constituency.
The Chair
Thank you.
Clause 1
Meaning of “the NIS Regulations”
Question proposed, That the clause stand part of the Bill.
I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.
Chris Vince
The hon. Gentleman is making an interesting speech. I recognise his desire to be constructive on the issue. Will he recognise that this is about finding a balance? We want to include some flexibility in the legislation, because of the ever-changing threat that he mentioned. Equally, we recognise the challenge that SMEs may face in complying with the legislation on data sharing, but it is important that they do so, because not complying will have an impact on their business.
I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.
These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.
Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.
The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.
If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.
Kanishka Narayan
I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.
The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.
Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.
On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.
Chris Vince
On the point about flexibility, I think we would recognise that the legislative process in this House does not always move as quickly as we might want it to, but there are reasons for that, because scrutiny is really important. Does the Minister agree that the changing nature of the cyber-threats we face and the changing nature of technology, which he understands far more than me, are the reasons why it is so important to have flexibility in the Bill?
Kanishka Narayan
I thank my hon. Friend for that point. The reality is that neither he nor I am placed to judge exactly where the thresholds should be set on a permanent basis. That is exactly why we have secured the flexibilities that we have in the Bill.
Clause 5 brings Crown-operated data centres into scope of the NIS regulations, ensuring that Government data centres meet robust standards comparable to those in the private sector. Bringing Crown data centres within scope closes a critical gap and guarantees that public sector infrastructure is protected against evolving threats. Exemptions will apply only in defined cases in which a data centre service is provided by an intelligence agency or a facility handling highly classified—“Secret” or “Top Secret”—information. These data centre services are already governed separately, and applying the NIS regime could cause conflict. I urge that clause 5 stand part of the Bill.
Finally, clause 6, on large load controllers, introduces the essential new service of load control under the energy subsector of the NIS regulations. This will capture organisations—