Online Harm: Child Protection
Chris Vince Excerpts(5 days, 10 hours ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Wera Hobhouse (Bath) (LD)
Across the country, the dangerous synthetic drug Spice is being brazenly marketed to children over social media. Many vulnerable young people believe that they are buying the less harmful, though still illegal, drug THC only to discover, too late, that what they have been sold is a far more potent and unpredictable substance. In schools, the consequences are already visible. One in six vapes confiscated from pupils now contains Spice—one in six! If we walk through parts of our towns and cities, we see the human cost: Spice users slumped in doorways, trapped in a semi-conscious state, stripped of dignity and control. How terrifying it is that this drug is no longer confined to our streets and prisons, and has entered our classrooms.
Children are collapsing in school corridors. Some are rushed to intensive care and others begin a battle with addiction that may follow them for life. Spice is not simply another illegal drug. Its extreme potency and addictive grip is a fast track to exploitation and criminality. It is always a tragedy when someone falls victim to substance abuse, but when it is an uninformed child who has been misled and targeted over social media, it is not just tragic; it is a profound failure to protect.
I have raised the issue in the House and with this Government repeatedly over the past year and a half, but in that time the situation facing vulnerable children has not improved, but deteriorated. Gone are the days when a young person had to meet a dealer in a dark alley to buy drugs. Today, a child can purchase them from their bedroom, with a few taps on a phone. The marketplace has moved online and our children are paying the price. But do not just take my word for it. The Metropolitan police have warned about children accessing illicit vapes through social media platforms, such as Snapchat and Telegram. A recent BBC investigation revealed how effortlessly an illegal vape laced with Spice can be purchased over Snapchat.
This is not a few small-scale individuals. We are dealing with a global, industrial supply chain, with major chemical suppliers in China providing materials to markets in the UK, the European Union, the United States and Gulf states. Researchers at the University of Bath have identified nearly 10,000 accounts involved in the supply and distribution of Spice, many using TikTok to advertise and communicate. I have met a number of Ministers about this issue, most recently the Minister for Online Safety, who is in his place. I know he understands the scale of the problem and is sympathetic to our concerns, but words are not enough: we need action.
Selling drugs is already a priority offence under the Online Safety Act, and Ofcom has a statutory duty to enforce that. Yet despite clear, sustained evidence that these substances are being openly advertised and sold online, we have not seen the decisive enforcement that the law requires. Instead, the burden is falling on members of the public to report these accounts, effectively asking individual citizens to do the regulator’s job for them.
What happens when an account is removed? Within hours, a near identical profile reappears. An account named “Spice Sales 1” is reported and taken down, only to resurface as “Spice Sales 2”, then “Spice Sales 3” and so on. The name changes slightly, the branding shifts marginally, but the criminality remains the same. This revolving door of reactive takedowns is not a strategy—it is an admission that the current system is not working. If a shop in Bath were openly selling drugs through its front window, the police would intervene immediately. There would be no hesitation and no suggestion that the public should simply keep reporting it. So why, when the shopfront is digital and when the customers are children, are we not treating this with the same seriousness? It is time that we confronted this reality. Social media companies have developed incredibly sophisticated algorithms, as we have already heard this afternoon, that are capable of targeting advertisements to individuals with remarkable precision. They know what we watch, what we like and what we linger on, so it cannot be beyond their capability to deploy artificial intelligence to detect and prevent the sale of illegal drugs on their platforms.
Active detection must replace endless reactive reporting. The technology and resources exist, and the evidence is overwhelming; what is missing is political will and enforcement. It is time to hold social media companies to account, because the safety of our children demands nothing less.
Chris Vince
This is a genuinely friendly intervention. I am raising this point because I know that the hon. Member does a lot to champion and support people with eating disorders. I am completely changing the subject, but does she think that the rise of social media and online platforms has had an increased impact on people with eating disorders?
Wera Hobhouse
I could go on forever about online harm, particularly with regard to eating disorders. It is Eating Disorders Awareness Week, and we will be having a debate on that. I hope that the hon. Gentleman will attend that debate, as he can then raise that point again.
Today I am talking about spice and the responsibility of social media platforms and how we protect children. I therefore support the provision to bring in a Bill on protecting children from online harms, as proposed by my hon. Friend the Member for Twickenham (Munira Wilson). As I have said before, it is time for action; we can no longer dither and delay. I do not accept all the debates saying, “Oh! Process this, that and the other.” If we really mean it and are really serious about this issue, we need to act now. I am pleased that my party is prepared to act and show the public that we want change.
Gareth Snell (Stoke-on-Trent Central) (Lab/Co-op)
I will constrain my comments to three themes, and I want to start with policy. This has been a very interesting and wide-ranging debate. We have heard from many speakers across the House who have articulated the heartfelt and thoughtful concerns that all of us have about the pervasive way in which social media can influence our children, our friends, our families and young people in our society. I am the parent of a 15-year-old. I know what that battle is like—hearing the chirp of Snapchat going off every few seconds, it sounds like, some weekends, as my daughter and her friends communicate in the modern way, and trying to understand what she is doing on Roblox, the games she is playing, who she might be interacting with and the other platforms that, frankly, are alien to me, as someone who is past the age when that stuff makes much sense or is of interest.
The simple answer is to say, “We should ban it all—just lock them all away until they’re 16, and it will all be fine.” I worry about my daughter walking down the street—I worry about who she is going to meet when she is walking to school and her interactions in the physical world—but simply saying, “Right, you’re staying in your bedroom until you’re 35”, which we discuss on occasion, is not a solution to those real-world problems. Part of it is about how we help young people to understand the misinformation and disinformation that they are coming across, and it is also about the way in which we regulate the content that platforms share.
The part that has been missed today, in the many wonderful contributions from Members across the House, is that this is about not just the platforms that share the content but the creators who make that content in the first place—the people who go online to sow the seeds of hate and division: the homophobic content, the Islamophobic content, the antisemitic content that all too often is passed off as criticism of the Israeli Government, and the many far-right commentators in this country who put out toxic masculine culture commentary as though it is a reasoned point of debate. I understand what Conservative Members say about free speech, but we have always been a country and a society where it is not consequence-free speech—there are consequences to the things we say and the actions we take, and that is how we come to understand what the social norms are. We seem to have abdicated our responsibility for that in the online world.
I turn to my second point. The 15-year-old I mentioned in an intervention earlier was, in fact, my daughter, who has now given me permission to out her in that sense. The facilities that I enjoyed when I was in my teens simply do not exist any more. My daughter’s world is as much her online friends and sphere of activity as it is the physical world in which we live. Disconnecting people from that because we think it is unsafe does a disservice to them. I am also slightly worried about the impact of the fact that we are soon to legislate, I understand and hope, on giving 16 and 17-year-olds the right to vote—a policy that I think will mainly get cross-party support.
I like to think that the political literature that I push through letterboxes in my constituency is of such compelling interest that every young person will snatch it from the letterbox, read it and think, “That is why I am going to vote for Gareth at the next election.” I am sure that the Liberal Democrats’ Focus leaflets have the same impact on young people in their constituencies. The reality is, however, that young people do not read the direct mail that we send out. They do not read our leaflets, or at least not as much as they should. Many young people derive their information, news and views from social media. If we say, “You know what? We are going to cut it off”, where will we force those young people to go?
Chris Vince (Harlow) (Lab/Co-op)
I have not mentioned Harlow yet today, so I feel that I should. When I spoke to some young people at Mark Hall Academy in my constituency of Harlow—there we are, I have done it—about the potential social media ban, I was interested to hear what they had to say. They said, “We don’t care about Facebook”—because only old people like us use Facebook—but they did not want us to ban platforms like WhatsApp, which I had not thought of as being social media, although I suppose it is. Does my hon. Friend agree that it is important for young people’s voices to be heard during the Government’s consultation, so that we can understand their views on this issue?
Gareth Snell
Absolutely. I understand that my hon. Friend was a teacher in a previous career.
When I think of social media, I think of my Twitter account, which has been dormant for years; my Facebook account, which I use for the clips that all of us in this place are obliged to put out and then deal with the comments beneath them; and my WhatsApp, which it seems that every political party has to run with, because without it we would all stop talking to each other. My daughter would think of her Snapchat account. I too now have a Snapchat account with just one friend—her—and we use that to communicate when I am here and she is at home. It means that I get voice notes and little videos from her, and it is how we keep our weekend conversations going during the week.
We must ask ourselves where we draw the line. Members have mentioned access to YouTube. My daughter will freely use YouTube to help her with her homework. She goes to an all-iPad school, so much of the homework is set on iPads. Apparently the subject of screentime will form part of the consultation, and that should be genuinely considered. Will young people be told, “You cannot use your phone—it is the worst possible thing to have—but here is an iPad to look at for six hours a day, and if you get stuck on question 6, go to YouTube video 4 and follow the methodology”? On one hand we are sending one message, and on the other is something that is inconsistent with that approach. Let us be honest: the first job that all the children and young people we are talking about will have is going to be based on the use of some form of AI assistance, such as Copilot, and will depend almost entirely on the use of technology. We are going to have to think about how we integrate that sort of future-proofing into whatever regulation we produce.
My final point is about procedure. I am very sorry to return to that subject, because this has been an excellent debate. I went to the Public Bill Office—there is no Bill that is referenced in the motion. It is completely blank. I understand that the Liberal Democrats intend, if the motion is passed, to engage in a consensus-based process of writing a Bill in the next two weeks that we can debate and pass in one day. It is clear from what we have heard today—from the hon. Member for Winchester (Dr Chambers), who spoke so eloquently about the perils of eating disorders, from the hon. Member for Bath (Wera Hobhouse), who talked about the ability to sell drugs online, and from those on the Government Benches, including my hon. Friend the Member for Milton Keynes Central (Emily Darlington), who talked about the way in which young people interact—that, as I said earlier, this will be a complex piece of legislation.
The idea that we can complete a Second Reading debate in two hours and the full Committee and Third Reading stages in two hours, on a single day, which will include the discussion of amendments, is simply impractical. I genuinely hope that the content of today’s debate will lead to better legislation, as part of the national consultation that the Ministers are leading, but I think that doing this in such a truncated way, through a single motion and on a single day, will lead to bad legislation.
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)
Chris Vince ExcerptsTuesday 24th February 2026
(5 days, 10 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 24 February 2026 - (24 Feb 2026)
Kanishka Narayan
I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.
We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.
Chris Vince (Harlow) (Lab/Co-op)
I declare an interest as a member of the Public Accounts Commission, which regularly scrutinises the National Audit Office. Can the Minister give some reassurance to Labour Members, who are being accused of hypocrisy, that we do make sure that the highest levels of cyber-security are met?
Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)
Chris Vince ExcerptsTuesday 10th February 2026
(2 weeks, 5 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
Chris Vince
I thank the shadow Minister for remembering my consistency—I have not mentioned Harlow. How is the new clause helpful, given the potential confusion it causes with listing a specific kind of incident as well as the generic one?
Dr Spencer
The Opposition are trying to make it clear that ransomware needs to be in the scope of the reporting. It is really for the Minister to answer if he thinks there are problems with the new clause, and if so, how the Government will go about taking that forward. The widespread and highly damaging nature of ransomware attacks—which are often perpetrated by criminal groups at scale and speed—means that regulators need to have a detailed oversight of this area to prevent those attacks from being deployed more widely. Therefore, the new clause is intended to ensure that all ransomware attacks on regulated entities are reported, regardless of severity or potential severity, so that the risks are picked up.
In tabling new clause 6, I am acutely aware of the existing reporting burden for regulated entities and regulators. Since tabling it, we have heard impactful evidence from Carla Baker from Palo Alto, who highlighted the number of cyber incidents and false positives that many companies encounter each day. As I said in response to an intervention, in the absence of measures brought forward by the Government to address the widespread and urgent risks presented by ransomware attacks—and as the Government themselves identify as part of the Home Office’s review—it would be proportionate to make specific reference to ransomware in the reporting requirements on regulated entities in the Bill.
New clause 7 reflects the concerns of regulated bodies and industry representatives who have set out many, many times—in oral evidence and beyond—the need to ensure that reporting obligations are clear and, as far as possible, simplified across the many different incident reporting regimes that exist for providers of digital services. The new clause would compel the Secretary of State to publish an assessment of the impact of the new reporting regime on regulated entities in the Bill within 12 months of Royal Assent. Importantly, in line with the clear requests articulated by many stakeholders who gave evidence last Tuesday, it requires the Government to publish proposals for the creation of a single cyber incident reporting channel for relevant bodies.
Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting)
Chris Vince ExcerptsTuesday 10th February 2026
(2 weeks, 5 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
Kanishka Narayan
The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.
Kanishka Narayan
I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.
As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.
Kanishka Narayan
First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal that so more people can benefit from cyber-skills and serve in the industry.
There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.
Chris Vince
I am going to mention Harlow, because Harlow has young people with amazing potential. The point that the shadow Minister and other Opposition Members have made is really important. We need to make sure that this and the next generation of young people are trained up in these skills, because this is an emerging threat. I encourage the Minister to promote the Bill and what the Government are doing in cyber-security, because it is important that the wider public know that these important skills and jobs are available.
Kanishka Narayan
I am, of course, very happy to take on my hon. Friend’s recommendation that I be the promoter and ambassador for the Bill across the country. I am only sad not to have been invited to visit his constituency in the act of promoting said Bill, but I take his point seriously.
On the broader point about skills, I entirely agree with both my hon. Friend and the Opposition in recognising that skills are central to the enforcement of the programme. I hope that the funding and the earlier focus on skills across the life cycle give some assurance that the Government are committed to that.
Question put and agreed to.
Clause 25 accordingly ordered to stand part of the Bill.
Clauses 26 to 28 ordered to stand part of the Bill.
Clause 29
Regulations relating to security and resilience of network and information systems
Question proposed, That the clause stand part of the Bill.
Chris Vince
The shadow Minister will forgive me for taking the opportunity to defend the Government and the Prime Minister; I was not expecting to do that in this Committee this week. I reassure Members across the House that this Prime Minister and Government put national security first. The shadow Minister will know that intelligence agencies have been consulted about the relocation of the Chinese embassy. He will also be aware that the proposed new site at Royal Mint Court is actually further away from this place than the current site.
Dr Spencer
Frankly, I find it astounding that, according to my understanding, in response to the planning decision being granted our security services said that they would take measures to start moving sensitive digital cables. It strikes me that a decision about sensitive digital cables should have been pertinent to the planning application in the first place.
The Government remain reluctant to name China as a threat to UK national security, despite the overwhelming and growing portfolio of evidence. In case the Government are still in any doubt, we need look only at the oral testimony given to this Committee by the Inter-Parliamentary Alliance on China for a clear picture of the role of China and its state affiliates at the forefront of the cyber-security threats to our critical sectors.
Given that established and growing threat, new clause 3 would compel the Secretary of State to review, among other matters, the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. In the Commons debate on the embassy application in June last year, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) reminded the Minister for Housing and Planning that the Government’s own cyber-security experts, Innovate UK, have warned about the threat to the City of London from the embassy. My hon. Friend made specific reference to the Wapping telephone and internet exchange that would be surrounded on three sides by this new embassy—not to mention the fibre cables I referred to earlier, which carry highly sensitive information and run beneath this site.
Chris Vince
I recognise that the shadow Minister cares passionately about the security of this country—as do I, which is why we are discussing the Bill. But does he not recognise that the site was purchased by the Chinese Government in 2018? There is a potential threat whether or not the new embassy is built there.
Dr Spencer
I do not want to repeat the discussion that we had a moment ago. I think it is complete lunacy to permit the building of a super-embassy—one of the biggest in the region—next to highly critical data transmission. I am also concerned by media reports that the Prime Minister’s recent visit to China was greenlighted only following the final approval of the embassy. I am deeply depressed that, following the visit, Jimmy Lai has been effectively sentenced for life. I respect the tone and constructive way in which the hon. Member for Harlow approaches this debate, but it is fair to say that the Government are sadly weak on standing up to hostile state actors such as the Chinese Communist party.
As I said at the start, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical cyber-security risks to the nation. I therefore submit that the new clauses are a vital addition to the Bill to focus the attentions of the Secretary of State to ensure that her functions under part 4 are carried out in the best interests of our national security. No responsible Government would or should vote against such provisions. Parliament should make it crystal clear that the Chinese Communist party is a threat to the United Kingdom. We must support new clauses 2 and 3.
Ordered, That the debate be now adjourned.— (Taiwo Owatemi.)
Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)
Chris Vince ExcerptsThursday 5th February 2026
(3 weeks, 3 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
The Chair
Good morning, everyone. Will you please ensure that all electronic devices are turned off or switched to silent mode? This morning, we begin line-by-line consideration of the Bill. The selection and grouping list for today’s sitting is available in the room and on the parliamentary website; it shows how the clauses, schedules and selected amendments have been grouped for debate.
I remind Members that the Member who has put their name to the lead amendment in a group is called to speak first. In the case of a stand part debate, the Minister will be called to speak first. Other Members will then be free to indicate they wish to speak by bobbing or catching my eye. At the end of a debate on a group of amendments or new clauses, I shall again call the Member who moved the lead amendment or new clause. Before they sit down, they will need to indicate whether they wish to withdraw the amendment or seek a decision. If any Member wishes to press to a vote any other amendments in a group, they need to let me know. That includes grouped new clauses.
The order of decisions will follow the order in which amendments appear on the amendment paper. Any decisions on new clauses will be taken at the end of proceedings on the Bill, after decisions have been taken on all amendments and clauses of the Bill. I shall use my discretion to decide whether to allow a separate stand part debate on individual clauses and schedules following debate on the relevant amendments. I hope that that is helpful.
There is one more point that is not in my script: there are three members of the Committee who have hearing impairments, so it would be helpful if hon. Members could articulate as clearly as possible.
Are there any declarations of interest?
Chris Vince (Harlow) (Lab/Co-op)
I declare an interest: my father-in-law is a professor of cyber-security at City St George’s, University of London. Also, Kao Data has a large data centre in my constituency.
The Chair
Thank you.
Clause 1
Meaning of “the NIS Regulations”
Question proposed, That the clause stand part of the Bill.
Dr Spencer
I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.
Chris Vince
The hon. Gentleman is making an interesting speech. I recognise his desire to be constructive on the issue. Will he recognise that this is about finding a balance? We want to include some flexibility in the legislation, because of the ever-changing threat that he mentioned. Equally, we recognise the challenge that SMEs may face in complying with the legislation on data sharing, but it is important that they do so, because not complying will have an impact on their business.
Dr Spencer
I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.
These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.
Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.
The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.
If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.
Kanishka Narayan
I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.
The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.
Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.
On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.
Chris Vince
On the point about flexibility, I think we would recognise that the legislative process in this House does not always move as quickly as we might want it to, but there are reasons for that, because scrutiny is really important. Does the Minister agree that the changing nature of the cyber-threats we face and the changing nature of technology, which he understands far more than me, are the reasons why it is so important to have flexibility in the Bill?
Kanishka Narayan
I thank my hon. Friend for that point. The reality is that neither he nor I am placed to judge exactly where the thresholds should be set on a permanent basis. That is exactly why we have secured the flexibilities that we have in the Bill.
Clause 5 brings Crown-operated data centres into scope of the NIS regulations, ensuring that Government data centres meet robust standards comparable to those in the private sector. Bringing Crown data centres within scope closes a critical gap and guarantees that public sector infrastructure is protected against evolving threats. Exemptions will apply only in defined cases in which a data centre service is provided by an intelligence agency or a facility handling highly classified—“Secret” or “Top Secret”—information. These data centre services are already governed separately, and applying the NIS regime could cause conflict. I urge that clause 5 stand part of the Bill.
Finally, clause 6, on large load controllers, introduces the essential new service of load control under the energy subsector of the NIS regulations. This will capture organisations—
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Chris Vince ExcerptsThursday 5th February 2026
(3 weeks, 3 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Chris Vince (Harlow) (Lab/Co-op)
I seek some clarification on the shadow Minister’s statistics about the number of MSPs that are in scope, and what they are as a proportion of the MSPs in the country. Could he clarify that he is talking about individual organisations rather than what they do? For example, if there is one large organisation and nine small ones, but the large one takes up 80% of the market, the proportions are slightly different.
Dr Spencer
The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.
The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and instant reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.
However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?
I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.
It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?
The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.
One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.
Dr Spencer
I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.
Chris Vince
The shadow Minister is always very generous with his time. This is not meant to be a controversial intervention, but does he recognise that micro and small enterprises have been omitted from this legislation because we recognise the challenges they have with the guidance? I appreciate that small can mean mighty when it comes to businesses. The hon. Member for Spelthorne made the point that businesses may have only a small headcount, but a very important role in the cyber-security make-up of this country.
Dr Spencer
Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.
Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.
Dr Spencer
My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.
What happens in the circumstance where a critical supplier that acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.
Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.
Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff— I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.
If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.
It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say: “Ben, you’re completely wrong. We found some providers.”, but, if that situation arises, how will the arbitration occur in terms of the threshold?
Chris Vince
I am not going to tell the hon. Gentleman that he is completely wrong—he should not worry about that. I will make another point. I wonder whether the distinction might be how time-sensitive losing a particular service would be. That is just a suggestion.
Dr Spencer
I thank the hon. Member so much for that intervention about the time it would take to find an alternative supplier, because it will bring me on nicely to my point about alternative suppliers.
However, before I move on to that point, the hon. Gentleman made a very good point in his intervention, which I will address. To be subject to these provisions will create a regulatory burden, and therefore a cost burden, for an organisation that is designated to be a national critical supplier. If I was a supplier of services, I would want to have the best provision possible. I would want to be cyber-secure; I would want to have a gold-standard service. However, I might also be nervous of being designated as a critical supplier because of the regulatory burden that would impose on me, which would make me potentially less competitive in getting contracts because of the costs that would ensue. There would need to be an arbitration system where a company that is under threat of being designated a critical supplier could have a discussion or debate about whether that designation was relevant or not.
I will now move on to the point that the hon. Gentleman made about alternative services. I really have no idea at all how we can expect a regulator to delve into the complexities and the minutiae of what is available in a local economy to provide these services that the OES is receiving. Do we expect the relevant regulator to check what taxi services are available—actually available, rather than some sort of fantasy availability where they are available on paper, but not in reality—in the local ecosystem that could supply to that hospital, which is the operator of essential services? What is the scope of research that the regulator would have to do? What considerations would they need to take regarding how much the taxis cost and how effective they are? What about the procurement decisions and processes that have already been gone through?
Most public sector organisations have complex procurement rules when setting up their contracts—and that is before we even begin to consider health and safety concerns that are subject to regulatory provisions. For example, if the regulator decided that taxi services are under threat of becoming a critical supplier, then does the taxi service have the ability to deal with someone who has a cardiac arrest, needs oxygen or has a behavioural disturbance? Can it manage people with physical or mental disabilities? What is the scope of that particular service provision? The experts will be the people who commissioned it in the first place; yet on the face of the Bill there is no objective requirement for the regulator to speak to the OES in the first place about how this provision and service was procured.
In terms of the service being available—as per the point made by the hon. Member for Harlow about the time to shift through—how will that be evidenced and investigated? What resource is going into this? That is just for a taxi company. What about when we expand it—and this is just for the NHS—to cleaners, porters, locum agencies or medicines provision? Is the provision of services geographically circumscribed or will this be across the country? I am sure that one can find alternative services to provide taxis to St Thomas’ in Birkenhead, but that does not necessarily mean that it is available in a reasonable timeframe or sense, in terms of the designation of supplier.
Kanishka Narayan
On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.
Chris Vince
I was going to intervene on the hon. and gallant Member for Spelthorne, but he is bigger than me. I recognise the points he made about the number of critical suppliers, but I come at the question from the other angle: doing nothing may leave critical suppliers at risk. Although we might not know the exact number, as he correctly asserted, it is important that we do something and introduce the regulations as soon as we can to protect our critical infrastructure.
Kanishka Narayan
I thank my hon. Friend for that point. This issue has not come out of nowhere. Industry and a number of organisations asked that we introduce the measures in the clause.
Beyond the very clear five-step test for critical supplier designation, the Bill provides that the requirements on critical suppliers are proportionate. The reason why we have both the five-step test and the provisions in the Bill is that, in most cases, if the risk assessment suggests so, the security requirements set out in the Bill will be less onerous in most cases. They will be specified in secondary legislation and guidance.
On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Chris Vince ExcerptsTuesday 3rd February 2026
(3 weeks, 5 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Dr Ben Spencer (Runnymede and Weybridge) (Con)
Q
Jen Ellis: There is a thing that you always hear people say in the cyber-security industry which is, “There are no silver bullets”. There is no quick fix or one easy thing, and that definitely applies when looking at policy as well. I cannot give you a nice, easy, pat answer to how we solve the problem of attacks like the ones we saw last year. What I can say is that, looking at the Cyber Security and Resilience Bill specifically, I think it could include companies above a certain size or impact to the UK economy. The Bill currently goes sector by sector— which makes lots of sense, to focus on essential services—but I think we could say there is another bucket where organisations beyond a certain level of impact on the economy would also be covered. That could be something like the FTSE350. Including those might be one way to go about it, but it is worth noting that it would not simply solve the problem because the problem is complex and multi-faceted, and this is just one piece of legislation.
David Cook: With respect to NIS2, that is an example of a whole suite of laws that have come in across the European Union—the Digital Decade law; I think there is something like 10 or 15 of these new laws. They do all sorts of different things, and NIS2 sits within that. NIS2 is the reform of the NIS directive, which is the current state of play in UK law. NIS2 gives certainty and definition, by way of the legislation itself and then the implementing legislation, which means that organisations have had a run-up at the issue and a wholesale governance programme, which takes a number of years, but they know where they are headed, because it is a fixed point in the distance, on the horizon.
The Bill we are talking about today has the same framework as a base. The plan then is that secondary legislation can be used in a much more agile way to introduce changes quickly, in the light of the moving parts within the geopolitical ecosystem outside the walls. For global organisations with governance that spans jurisdictions, a lack of certainty is unhelpful. Understanding where they need to get to often requires a multi-year programme of reform. I can see the benefits of having an agile, flexible system, but organisations—especially global ones, which are the sort within the scope of this Bill—need time to prepare, recruit people, get the skillset in place, and understand where they need to get to. That fixed future point needs to be defined.
Chris Vince (Harlow) (Lab/Co-op)
Q
David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.
Bradley Thomas (Bromsgrove) (Con)
Q
Jen Ellis: For sure, it should not come down to whether you are public or private; it should be about impact. Figuring out how to measure that is challenging. I will leave that problem with policymakers—you’re welcome. I do not think it is about the number of employees. We have to think about impact in a much more pragmatic way. In the tech sector, relatively small companies can have a very profound impact because they happen to be the thing that is used by everybody. Part of the problem with security is that you have small teams running things that are used ubiquitously.
We have to think a little differently about this. We have seen outages in recent years that are not necessarily maliciously driven, but have demonstrated to us how reliant we are on technology and how widespread the impact can be, even of something like a local managed service provider. One that happened to provide managed services for a whole region’s local government went down in Germany and it knocked out all local services for some time. You are absolutely right: we should be looking at privately held companies as well. We should be thinking about impact, but measuring impact and figuring out who is in scope and who is not will be really challenging. We will have to start looking down the supply chain, where it gets a lot more complex.
Dr Gardner
Q
Ben Lyons: That is something we think very deeply about. We see AI as helping to mitigate some of the risks from cyber-security by making it possible to detect attacks more quickly, understand what might be causing them, and to respond at pace. We are an AI native company and we have thought deeply about how to ensure that the technology is both secure and responsible. We are privacy-preserving by design. We take our AI to the organisation’s environment to build an understanding of what normality looks like for them, rather than vast data lakes of customer data. We take a lot of effort to ensure that the information surfaced by AI is interpretable to human beings, so that it is uplifting human professionals and enabling them to do more with the time they have. We are accredited to a range of standards, like ISO 27001 and ISO 42001, which is a standard for AI management. We have released a white paper on how we approach responsible AI in cyber-security, which I would be happy to share with you and give a bit more detail.
Chris Vince
Q
Matt Houlihan: I am very happy to. Two main comparators come to mind. One is the EU, and we have talked quite a bit about NIS2 and the progress that has made. NIS2 does take a slightly different approach to that of the UK Government, in that it outlines, I think, 18 different sectors, up from seven under NIS1. There is that wide scope in terms of NIS2.
Although NIS2 is an effective piece of legislation, the implementation of it remains patchy over the EU. Something like 19 of the 27 EU member states have implemented it to date in their national laws. There is clearly a bit of work still to do there. There is also some variation in how NIS2 is being implemented, which we feel as an international company operating right across the European Union. As has been touched on briefly, there is now a move, through what are called omnibus proposals, to simplify the reporting requirements and other elements of cyber-security and privacy laws across the EU, which is a welcome step.
I mentioned in a previous answer the work that Australia has been doing, and the Security of Critical Infrastructure Act 2018—SOCI—was genuinely a good standard and has set a good bar for expectations around the world. The Act has rigorous reporting requirements and caveats and guardrails for Government step-in powers. It also covers things like ransomware, which we know the UK Home Office is looking at, and Internet of Things security, which the UK Government recently looked at. Those are probably the two comparators. We hope that the CSRB will take the UK a big step towards that, but as a lot of my colleagues have said, there is a lot of work to do in terms of seeing the guidance and ensuring that it is implemented effectively.
Chris Anley: On the point about where we are perhaps falling behind, with streamlining of reporting we have already mentioned Australia and the EU, which is in progress. On protection of their defenders, other territories are already benefiting from those protections—the EU, the US, and I mentioned Portugal especially. As a third and final point, Australia is an interesting one, as it is providing a cyber-safety net to small and medium-sized enterprises, which provides cyber expertise from the Government to enable smaller entities to get up to code and achieve resilience where those entities lack the personnel and funding.
Emily Darlington
Q
Dr Ian Levy: The previous set of witnesses talked about board responsibility around cyber-security. In my experience, whether a board is engaged or not is a proxy indicator for whether they are looking at risk management properly, and you cannot change corporate culture through regulation—not quickly. There is something to be done around incentives to ensure that companies are really looking at their responsibilities across cyber-security. As the previous panellists have said, this is not just a technical thing.
One of the things that is difficult to reconcile in my head—and always has been—is trying to levy national security requirements on companies that are not set up to do that. In this case I am not talking about Amazon Web Services, because AWS invests hugely in security. We have a default design principle around ensuring that the services are secure and private by design. But something to consider for the Bill is not accidentally putting national security requirements on those entities that cannot possibly meet them.
When I was in government, in the past we accidentally required tiny entities, which could not possibly do so, to defend themselves against the Russians in cyber-space. If you translate that to any other domain—for example, saying that a 10-person company should defend itself against Russian missiles—it is insane, yet we do it in cyber-space. Part of the flow-down requirements that we see for contracting, when there is a Bill like this one, ends up putting those national security requirements on inappropriate entities. I really think we need to be careful how we manage that.
Matt Houlihan: Can I make two very quick points?
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Chris Vince ExcerptsTuesday 3rd February 2026
(3 weeks, 5 days ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Dr Ben Spencer (Runnymede and Weybridge) (Con)
Q
My second question is jointly for Ian and Stuart, from the ICO and Ofgem. Some industry stakeholders have expressed concern about low levels of incident reporting and enforcement under the NIS1—network and information systems—regs. How will your respective approaches to regulation change as a result of this Bill, to ensure that it is implemented and that cyber-resilience is improved across the sectors you are responsible for regulating?
Natalie Black: I will kick off. We have some additional responsibilities, building on the NIS requirements, but the data centre aspect of the Bill is quite a substantial increase in responsibilities for us. It is worth emphasising that we see that as a natural evolution of our responsibilities in the sector. Communications infrastructure is evolving incredibly quickly, as you will be well aware, and data centres are the next big focus. In terms of preparations, we are spending this time getting to know the sector and making sure we have the right relationships in place, so that we do not have a standing start. I have done a number of visits, for example, to hear at first hand from industry representatives about their concerns and how they want to work with us.
We are also focusing on skills and recruitment. We already have substantial cyber-security responsibilities in the communications infrastructure sector. We are building on the credibility of the team, but we are focused on making sure we continue to invest in them. About 60% of the team already come from the private sector. We want that to continue going forward, but we are not naive to how challenging it is to recruit in the cyber-security sector. For example, we are working with colleagues from the National Cyber Security Centre, and looking at universities it is accrediting, to see how we can recruit directly using those kinds of opportunities.
Ian Hulme: On incident reporting, the thresholds in the existing regulations mean that levels are very low. Certainly, the reports we see from identity service providers do not meet those thresholds. I anticipate that we will see more incidents reported to us. With our enhanced regulatory powers and the expanded scope of organisations we will be responsible for, I anticipate that our oversight will deepen and we will have more ability to undertake enforcement activity. Certainly from our perspective, we welcome the enhanced reporting requirements.
Stuart Okin: To pick up on the incident side of things, I agree with Ian. The thresholds will change. With the new legislation, any type of incident that could potentially cause an issue will obviously be reported, whereas that does not happen today under the NIS requirements.
On enforcement, in seven years we have used all the enforcement regimes available to us, including penalties, and we will continue to do so. We absolutely welcome the changes in the Bill to simplify the levels and to bring them up, similar to the sectorial powers that we have today.
Chris Vince (Harlow) (Lab/Co-op)
Q
Stuart Okin: In the energy sector, we tend to use operational technology rather than IT systems. That might mean technology without a screen, so an embedded system. It is therefore important to be able to customise our guidance. We do that today. We use the cyber assessment framework as a baseline, and we have a 335-page overlay on our website to explain how that applies to operational technology in our particular space. It is important to be able to customise accordingly; indeed, we have added physical elements to the cyber assessment framework, which is incredibly important. We welcome that flexibility being maintained in the Bill.
Ian Hulme: Just to contrast with colleagues from Ofcom and Ofgem, ICO’s sector is the whole economy, so it is important that we are able to produce guidance that speaks to all the operators in that sector. Because our sector is much bigger, we currently have something like 550 trust service providers registered, and that will grow significantly with the inclusion of managed service providers. So guidance will be really important to set expectations from a regulatory perspective.
Natalie Black: To round this off, at the end of the day we always have to come back to the problem we are trying to solve, which is ensuring cyber-security and resilience. As you will have heard from many others today, cyber is a threat that is always evolving. The idea that we can have a stagnant approach is for the birds. We need to be flexible as regulators. We need to evolve and adapt to the threat, and to the different operators we will engage with over the next couple of years. Collectively, we all appreciate that flexibility.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
The ICO is a horizontal regulator working across all sectors. In your experience, would a single cyber regulator be a good idea? What would be the benefits and the challenges? I will allow Ofcom and Ofgem to jump in and defend themselves.
Ian Hulme: I suppose the challenge with having a single regulator is that—like ourselves, as a whole-economy regulator—it will have to prioritise and direct its resources at the issues of highest harm and risk. One benefit of a sectoral approach is that we understand our sectors at a deeper level; we certainly work together quite closely on a whole range of issues, and my teams have been working with Natalie and Stuart’s teams on the Bill over the last 18 months, and thinking about how we can collaborate better and co-ordinate our activities. It is really pleasing to see that that has been recognised in the Bill with the provisions for information sharing. That is going to be key, because the lack of information-sharing provisions in the current regs has been a bit of a hindrance. There are pros and cons, but a single regulator will need to prioritise its resources, so you may not get the coverage you might with a sectoral approach.
Natalie Black: Having worked in this area for quite some time, I would add that the challenge with a single regulator is that you end up with a race to the bottom, and minimum standards you can apply everywhere. However, with a tailored approach, you can recognise the complexity of the cyber risk and the opportunity to target specific issues—for example, prepositioning and ransomware. That said, we absolutely recognise the challenge for operators and companies in having to bounce between regulators. We hear it all the time, and you will see a real commitment from us to do something about it.
Some of that needs to sit with the Department for Science, Innovation and Technology, which is getting a lot of feedback from all of us about how we need it to co-ordinate and make things as easy as possible for companies—many of which are important investors in our economy, and we absolutely recognise that. We are also doing our bit through the UK Regulators Network and the Digital Regulation Cooperation Forum to find the low-hanging fruit where we can make a difference. To give a tangible example, we think there should be a way to do single reporting of incidents. We do not have the answer for that yet, but that is something we are exploring to try and make companies’ lives easier. To be honest, it will make our lives easier as well, because it wastes our time having to co-ordinate across multiple operators.
The Chair
We will now hear oral evidence from Chung Ching Kwong, senior analyst for the Inter-Parliamentary Alliance on China. We have until 3 pm for this session.
Chris Vince
Q
Chung Ching Kwong: Just to give some background, I am a senior analyst for the Inter-Parliamentary Alliance on China, and a PhD candidate in law at the University of Hamburg, focusing on data protection and data transfer. My expertise is not entirely on critical infrastructure security, but I do a lot of analysis on China’s legal system and also how it works in general. That is how I can contribute to this evidence session.
The threat posed by the CCP to our critical national infrastructure, such as water, energy and transportation, has shifted from espionage—stealing secrets—to pre-positioning, or preparing for sabotage. We cannot understand the threat without understanding the civil-military fusion of the Chinese state. Chinese companies operating in our CNI are not independent per se, in the way we would normally think about that in our country—in other words, private entities that operate on their own and have their own decision-making mechanisms. They are legally obligated under at least article 7 of China’s national intelligence law to co-operate with the state, to provide information, to provide help with decryption and to gather information at the request of the Government.
As highlighted by the NCSC, groups such as Volt Typhoon are pre-positioning within utility networks in the States. They do not use malware; they live off the land, using legitimate administrative credentials to proceed undetected for years. That is not for financial gain; they do it until the time is right for them to pull the trigger and cause a crisis.
In the transportation sector, there are a lot of cellular IOT modules embedded in e-buses and EVs. These devices require constant communication with servers in China to function, so they are constantly feeding data back to China for maintenance, remote access of data and that kind of thing. It could all be innocent and a feature for operational and functional purposes, but if—and only if—Beijing orders that data to be handed over and actions to be taken, it will become a problem.
That is the context of the risk we are facing when it comes to China, especially in terms of state-sponsored attacks. All entities, be they foreign companies in China or local Chinese-founded companies, have an obligation under Chinese law.
Chris Vince
Q
Chung Ching Kwong: Gathering information and data is definitely one of the main goals, but it is not limited to data transfer. Right now, in the UK, they do not need to rely only on access to critical infrastructure; under the Data Protection Act here in the UK, it is legal to transfer personal data through contractual clauses, so they can have access to personal data as long as they have that.
Of course, gathering data gives them insight into what is happening in the UK; if they want transportation data or power grid data, they can gather those data by different means. But it is also very important to understand Xi Jinping’s comprehensive national security concept. I think this is the reason why they are so determined to collect information, not only in the UK but worldwide.
In that kind of comprehensive security concept, political security, defined as the survival of the regime, is paramount. It overrides anything—not economic gain, not whether or not the GDP of China is going to grow in the next year, but any information or action that they see as necessary to make sure that the CCP is in control. That means it is gathering data of dissidents overseas, it is gathering data on the power grid, it is gathering data on transportation—anything they might find useful for a different purpose, which is, ultimately, to serve the goal of the survival of the regime.
Bradley Thomas
Q
DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.
Chris Vince
Q
DCS Andrew Gould: It is a tricky one. It feels like the technology change is getting ever faster and ever more challenging, but I first went into cyber-crime in the Met back in 2014, and we are giving the same advice now as we were giving then. Sometimes your head can explode with the technical complexity of it, but a lot of the solution just comes down to doing the really boring basics in a world-class way. It is things like patching and doing your software updates. Whether you are a member of the public or running an organisation, finding a way to do those updates and patches means that 50% of the threat has gone, there and then. With something like multi-factor authentication, it seems like most organisations do not want to inconvenience their staff or customers by putting it in place, but that would be another 40% of the problem solved. It is not infallible—nothing is—but if you are thinking about how attacks are still successful, it is pretty basic: a lot of our protections are not in place. Solving that means that 90% of the threat is gone, there and then. That then leaves the 10% of more sophisticated threats—let’s make the criminals work a bit harder.
The Chair
Order. That brings us to the end of the time allotted for the Committee to ask questions. I thank the witness for his evidence.
Examination of Witness
Richard Starnes gave evidence.
Dr Spencer
Q
Brian Miller: Sometimes, but sometimes not. I do not think we had any physical links with Synnovis, but it did work on our behalf. Emails might have been going back and forward, so although there were no physical connections, it was still important in terms of business email compromise and stuff like that—there was a kind of ancillary risk. Again, when things like that come up, we would look at it: do we have connections with a third party, a trusted partner or a local authority? If we do, what information do we send them and what information do we receive?
Chris Vince
Q
Stewart Whyte: Anything that increases or improves our processes in the NHS for a lot of the procured services that we take in, and anything that is going to strengthen the framework between the health board or health service and the suppliers, is welcome for me. One of our problems in the NHS is that the systems we put in are becoming more and more complex. Being able to risk assess them against a particular framework would certainly help from our perspective. A lot of our suppliers, and a lot of our systems and processes, are procured from elsewhere, so we are looking for anything at all within the health service that will improve the process and the links with third party service providers.
Dr Gardner
Q
Brian Miller: That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.
Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?
Stewart Whyte: We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.
From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.
Dr Spencer
Q
Kanishka Narayan: I think the guardrails in the Bill are very important, absolutely. The Bill provides that, where there is an impact on organisations or regulators, there is an appropriate requirement for both deep consultation and an affirmative motion of the House. I think that is exactly where it ought to be, and I do not think anything short of that would be acceptable.
Chris Vince
Q
Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.
On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.
Bradley Thomas
Q
Kanishka Narayan: I am shy of making comments on specific incidents, but as a broad brush, clearly the food supply or automotive manufacturing sectors are not directly in scope of the Bill, for reasons I am very much happy to discuss.
Hospitality Sector
Chris Vince Excerpts(5 months, 3 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Chris Bryant
I am more of a Chelsea bun person than an iced bun person, but my hon. Friend makes a good point: there are businesses up and down the country opening anew and afresh. Far from such businesses dismissing the opportunity of having a national health service that works more effectively, a rail service that works effectively and a secure set of working rights for people; they welcome that provision, and they want people to have a proper wage when in work because they know that motivates their staff better.
Chris Vince (Harlow) (Lab/Co-op)
Talking of businesses opening, in my constituency of Harlow we have just welcomed a new branch of IKEA. It is the first business in my constituency that has spoken to me about the Employment Rights Bill; it is really excited about it and wants us to hurry up and get on with it—[Interruption.] It is no wonder that IKEA employees across the country are very happy in their jobs, are loyal to their jobs and like working for that company.
Chris Bryant
I agree. I note that an awful lot of Conservative MPs are saying, “Oh, they’re Swedish”, as if foreign investment in the UK were a bad idea. [Interruption.] Yes, that is what they were doing—they can furrow their brows as much as they want.
The shadow Secretary of State pointed to the increases in employer national insurance contributions. Yes, of course the Government have taken a number of difficult but necessary decisions on tax, welfare and spending to fix the public finances, to fund public services and to restore economic stability after the situation that we inherited from the previous Administration, but I have to point out to the hon. Gentleman—because he does not seem to understand the facts—that the hospitality sector is made up predominantly of smaller businesses, and we took decisive steps to protect the smallest businesses from the impact of the increase in employer national insurance by increasing the employment allowance from £5,000 to £10,500. That means that 865,000 employers will pay no employer national insurance contributions at all this year and that more than half of all employers will either gain or see no change. Employers will be able to employ up to four full-time workers on the national living wage without paying a penny of employer national insurance contributions.
Music Streaming: Label-led Principles
Chris Vince Excerpts(7 months, 1 week ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Madam Deputy Speaker (Judith Cummins)
For the final question, I call Chris Vince.
Chris Vince (Harlow) (Lab/Co-op)
Thank you, Madam Deputy Speaker. There was some mention of national treasures earlier; to quote Alison Moyet, “Only you”. [Laughter.] I won’t be called last next time.
From the Newtown Neurotics to Don’t Worry and The Subways, Harlow has always had a vibrant music scene. What plans does the Minister have to engage with artists at all stages of their careers to ensure that these welcome changes provide meaningful improvement?
Chris Bryant
Well, I am “All Cried Out” that I was not on my hon. Friend’s list of national treasures.
He makes a very important point. We need to ensure that these changes apply across the whole of the United Kingdom. In her performance at Kew, Alison Moyet also made the point that every child is a musician and an artist until they are persuaded not to be at some point in their life. This is what I really want to embrace in everything that the Government do in this area, in relation to the creative industries; we talk about film and the big, famous successes that we have in the UK, but actually, a lot of it is about real hard graft by people who have had to learn how to perform well, what it is to be in front of an audience, how it is to market their performance and all the rest of it. It is tough, tough, tough. Half the time, all those musicians are saying to the record labels is, “You pay my rent.”