Tuesday 1st April 2025

Written Statements
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Feryal Clark)

Today the Government have published a policy statement on proposed legislative measures to bolster the UK’s cyber-security and resilience.

Our digital economy and essential services are increasingly being attacked by cyber-criminals and state actors, threatening essential public services and infrastructure. This poses a serious risk not only to UK citizens, with core services like hospitals being targeted, but also to the performance of our economy. UK businesses lost around £87 billion from cyber-attacks between 2015 and 2019—that is £87 billion taken from our economy, much of which went into the hands of cyber-criminals.

Enhanced cyber-security is an essential pillar not only of our national security, but of the UK’s economic growth. We cannot have economic growth without stability, and we cannot have stability without national security.

The UK’s only existing cross-sector cyber legislation—the Network and Information Systems (NIS) Regulations—was introduced in 2018 when the UK was still an EU member state. The rapidly evolving threat landscape and changing nature of digital services mean that these regulations need to be updated, and we no longer have powers in primary legislation to make the amendments needed.

That is why we committed to introduce a cyber-security and resilience Bill in the King’s Speech in July last year. As set out in the policy statement published today, the Bill will strengthen the UK’s cyber-defences and make sure that the critical infrastructure and digital services UK citizens and business rely on are more secure. This will enhance the UK’s level of cyber-security and resilience at a time when similar steps are being taken by our international counterparts, such as the EU, which has updated the NIS framework through its own updated directive.

The policy statement provides more detail to the Bill’s measures announced in the King’s Speech:

Expanding the scope of regulations to protect more digital services and supply chains. The Bill will bring managed IT service providers that provide digital services into the scope of the regulatory framework. The Bill will allow individual regulators to designate a small number of important suppliers to regulated entities as “critical suppliers”, including those that would otherwise be exempted from regulation as SMEs. This, in addition to embedding supply chain security requirements directly into our regulatory framework, will address supply chain vulnerabilities and reduce the threat of significant disruptions to critical services. This will build a better picture of the threats facing our critical national infrastructure and protect a broader range of services from cyber-attacks.

Empowering regulators and enhancing oversight. Regulators will be better equipped with the tools they need to perform their duties effectively, including enhanced oversight of cyber-incidents affecting regulated entities and improved cost recovery powers. The Information Commissioner’s information gathering powers will be strengthened, to improve its understanding of the landscape of cyber-security threats affecting the expanded portfolio of digital service providers that it will oversee.

Ensuring the regulatory framework can keep pace with the ever-changing cyber-landscape. The Bill will allow the Government to update the regulatory framework in the future via secondary legislation, if necessary. For example, the Government would be able to bring new sectors into scope of the regulations, if necessary to do so. The Bill will enable the Government to update the security requirements for regulated services in line with best practice, improving clarity for service providers in terms of what is expected of them.

In addition to the policy proposals outlined in the King’s Speech for inclusion in the Bill, we have identified a number of additional cyber-security and resilience proposals, as set out in the policy statement. The appropriate legislative vehicle for these has yet to be determined.

The Government propose bringing data infrastructure into the scope of the regulatory framework, recognising their new status as critical national infrastructure and essential role in ensuring the stability and growth of our digital economy. Additionally, to ensure our regulatory framework is implemented with a consistent understanding of the Government’s cyber-security and resilience objectives, we propose enabling the Secretary of State to publish a statement of strategic priorities. This will establish a unified set of objectives and expectations for regulators. Finally, we intend to provide new powers to the Secretary of State to direct a regulator, or regulated entities, to take action when it is necessary for national security. This will be invaluable in responding to the constant evolution of both the cyber-landscape and the changes in tactics used by cyber threat actors.

The Government have listened to the views expressed to the previous Government in the 2022 consultation on cyber-security to develop the Bill’s measures. The measures set out in the policy statement build on what we have learned from our engagement with key international partners, including learnings from the European Union on the implementation of the NIS2 directive (Directive (EU) 2022-2555) and 2023 data infrastructure consultation. We will continue to engage with and learn from the actions taken by other nations to improve cyber-security.

These cyber-security and resilience measures represent a significant step forward in our efforts to protect the UK from the growing threats of cyber-attacks. Cyber-security is a critical enabler of economic growth, and by protecting our digital assets and ensuring the resilience of our critical services we are creating a stable environment that fosters innovation and attracts investment.

My officials and I will engage with parliamentarians, regulators and industry groups to thoroughly test the proposals before the Bill is introduced to Parliament this year.

[HCWS572]