Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.

We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.

As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal that so more people can benefit from cyber-skills and serve in the industry.

There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am, of course, very happy to take on my hon. Friend’s recommendation that I be the promoter and ambassador for the Bill across the country. I am only sad not to have been invited to visit his constituency in the act of promoting said Bill, but I take his point seriously.

On the broader point about skills, I entirely agree with both my hon. Friend and the Opposition in recognising that skills are central to the enforcement of the programme. I hope that the funding and the earlier focus on skills across the life cycle give some assurance that the Government are committed to that.

Question put and agreed to.

Clause 25 accordingly ordered to stand part of the Bill.

Clauses 26 to 28 ordered to stand part of the Bill.

Clause 29

Regulations relating to security and resilience of network and information systems

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for that point. This issue has not come out of nowhere. Industry and a number of organisations asked that we introduce the measures in the clause.

Beyond the very clear five-step test for critical supplier designation, the Bill provides that the requirements on critical suppliers are proportionate. The reason why we have both the five-step test and the provisions in the Bill is that, in most cases, if the risk assessment suggests so, the security requirements set out in the Bill will be less onerous in most cases. They will be specified in secondary legislation and guidance.

On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.

The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.

Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.

On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for that point. The reality is that neither he nor I am placed to judge exactly where the thresholds should be set on a permanent basis. That is exactly why we have secured the flexibilities that we have in the Bill.

Clause 5 brings Crown-operated data centres into scope of the NIS regulations, ensuring that Government data centres meet robust standards comparable to those in the private sector.  Bringing Crown data centres within scope closes a critical gap and guarantees that public sector infrastructure is protected against evolving threats.  Exemptions will apply only in defined cases in which a data centre service is provided by an intelligence agency or a facility handling highly classified—“Secret” or “Top Secret”—information. These data centre services are already governed separately, and applying the NIS regime could cause conflict. I urge that clause 5 stand part of the Bill. 

Finally, clause 6, on large load controllers, introduces the essential new service of load control under the energy subsector of the NIS regulations. This will capture organisations—

Kanishka Narayan

- View Speech - Hansard -

Copy Link

- - Excerpts

The hon. Member’s campaign has been noticed and I would be very happy to meet her to discuss how we can work together to ensure that enforcement is robust on this question.

Kanishka Narayan

- View Speech - Hansard -

Copy Link

- - Excerpts

My hon. Friend is a master of short clips in the Chamber, so I will take both his skill and his sincerity on this question to heart and work with him to ensure we robustly enforce the duties already placed on Ofcom under the Online Safety Act.