Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting) Debate

Department: Department for Science, Innovation & Technology


David Chadwick Excerpts
Thursday 5th February 2026


Public Bill Committees
Kanishka Narayan

On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Currently, the law requires regulated persons to manage risks to the security of their systems. Amendment 28, tabled by the Liberal Democrats, explicitly inserts “risks arising from fraud” into that duty. It would make it clear that a system cannot be considered secure if it is easily exploited by scammers.

Fraud should be considered a national security issue, and there is clearly a relationship between fraud and cyber-security. Scammers across the world are targeting British citizens. Elderly fraud victims in Dyfed-Powys lose £7,900 a day to a tidal wave of scams perpetrated by scammers from many countries across the world, notably Nigeria. UK-wide, in the first half of 2025 alone, criminals stole over £600 million through scams. Surely, we cannot pass a cyber-security and resilience Bill—

The Chair

Order. I think the hon. Member is discussing the next group of amendments, to clause 8. At the moment, we are discussing amendment 13 to clause 7.

David Chadwick

Apologies for the preview.

Dr Spencer

If I might just help a colleague, I think the grouping and selection of amendments has changed, so the hon. Member for Brecon, Radnor and Cwm Tawe may have the previous iteration.

The Chair

That is very helpful. Thank you.

Amendment 13 agreed to.

Clause 7, as amended, ordered to stand part of the Bill.

Clause 8

Duties of relevant digital service providers

David Chadwick

I beg to move amendment 25, in clause 8, page 7, line 31, at the end insert—

“(1A) In paragraph (1), after ‘risks’ insert ‘, including risks arising from fraud,’”.

This amendment would explicitly include fraud as one of the risks to the security of network and information systems relevant digital service providers must identify and manage.

The Chair

With this it will be convenient to discuss the following:

Amendment 28, in clause 8, page 8, line 4, at end insert—

“(4) After paragraph (2) insert—

‘(2A) When taking measures to manage risks under paragraph (1), a RDSP must, in the design of the relevant digital service—

(a) eliminate unnecessary functions from system requirements;

(b) where risks cannot be managed by the elimination of functions, replace or substitute features in the architecture of the system;

(c) where risks cannot be managed by the replacement or substitution of features, implement active functional controls;

(d) where risks cannot be managed by the implementation of active functional controls, instruct and implement operational and procedural controls;

(e) as a matter of last resort, apply requirements, conditions of use or instructions to service users.

(2B) For the purposes of paragraph (1), “risks” include those relating to the availability, reliability, safety, integrity, maintainability and confidentiality of the relevant services or systems.’”

Clause stand part.

David Chadwick

Surely, we cannot pass a cyber-security and resilience Bill that ignores a crime that affects thousands of people. We know that cyber-security criminals across the world attack individuals to enable themselves to get into systems. Families are losing life savings, and small businesses are shutting down because of this epidemic.

The Government often treat fraud as a policing issue, but the amendment would establish that it should be regarded as a cyber-security issue that needs action at the national security level. By amending regulation 12(1) of the NIS regulations, we place a legal duty on digital providers to identify these vulnerabilities proactively. If we mandate that providers manage fraud risks before an incident occurs, we will reduce the number of victims and the devastation caused to livelihoods. We cannot claim to protect our digital economy while ignoring the billions of pounds lost to scams.

Dr Spencer

Clause 8 provides a new definition of “relevant digital service” and makes it clear that this category includes online marketplaces, online search engines and cloud computing services. The definition of “relevant digital service provider” is updated to encompass all entities providing a relevant digital service in the UK, regardless of whether they are established here. Entities designated as critical suppliers are excluded from the definition to avoid duplication of duties and regulatory oversight from sector-specific competent authorities.

However, the definition excludes from the scope of regulation relevant digital service providers subject to public authority oversight, unless they derive over half their income from commercial activities. The exclusion of organisations overseen by public authorities also applies in relation to relevant managed service providers.

In many respects, clauses 7 and 8 provide necessary updates to reflect the changing nature and use of vital digital services. Once again, including within the scope of regulation companies that deliver services to the UK but are established or headquartered elsewhere helps to ensure that those companies report cyber-security incidents to UK authorities, rather than just authorities in their home states. That means that UK regulators and law enforcement are equipped with the most comprehensive knowledge of emerging threats.