Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Kanishka Narayan ExcerptsThursday 5th February 2026
(3 days, 13 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
The Chair
With this it will be convenient to discuss the following:
Amendment 10, in clause 10, page 9, line 29, at end insert—
“(2A) The measures taken by an RMSP under paragraph (1) must ensure that the number of customers to whom the RMSP provides services does not exceed the critical risk threshold.
(2B) In paragraph (2A), the ‘critical risk threshold’ is the number of customers within a sector or subsector where an incident affecting the provision of services to those customers by the RMSP would result in disruption that is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom.
(2C) Paragraph (2D) applies where the number of customers to whom an RMSP provides services exceeds the critical risk threshold by virtue of contracts entered into before the coming into force of section 10 of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(2D) The RMSP must take steps to reduce the number of customers to below the critical risk threshold, including exercising any right to terminate a contract or vary the terms of a contract.”
This amendment would place a duty on relevant managed service providers (“RMSPs”) to ensure that they do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold, such that an incident affecting those services would be likely to result in significant disruption in the United Kingdom. This would prevent an RMSP managing the technology systems for a whole sector or subsector. Provision is also made for a situation where an RMSP is in breach of the critical risk threshold because of contracts entered into before the enactment of the Bill.
Clauses 10 and 11 stand part.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I welcome you, Ms McVey, to the most exciting event in Parliament this week.
Kanishka Narayan
What a pleasure it is to serve with you in the Chair. Clause 9 brings large and medium-sized managed service providers—MSPs—into the scope of the Network and Information Systems Regulations 2018. MSPs are organisations that provide an ongoing IT function, such as an IT help desk or cyber-security support, to an outside client. In doing so, MSPs often have widespread and trusted access to clients’ networks and systems. A single targeted attack can ripple outward, disrupting thousands of other systems. That makes MSPs attractive targets for cyber-attacks. Last year an attack on Collins Aerospace halted check-in and boarding systems at major European airports, causing international disruption. Such attacks highlight what can happen if a single point of failure is compromised, and the importance of managed service providers implementing robust cyber-protections. Despite that, MSPs are not currently regulated for their cyber-security in the UK. As organisations rely more and more on outsourced technology, we must close that gap. The clause provides essential definitions of a “managed service” and of a “relevant managed service provider” to clearly set out which organisations are in scope of the regulations.
Clause 10 imposes new duties on MSPs that have been brought into scope by clause 9. For the first time, such businesses must identify and manage risks posed to the network and information systems that they rely on to provide their managed services. As part of that duty, MSPs must have
“regard to the start of the art”,
meaning that they must consider new tools, technologies, techniques and methods that threat actors may employ. That includes artificial intelligence, and means that providers must deploy the right tools to mitigate the risks and take action to minimise the impact of incidents if they occur. By bringing MSPs into scope of the regulations and imposing such security duties on them, we will strengthen cyber-security and resilience across supply chains, reduce vulnerabilities in outsourced IT services and better protect businesses and services across the UK.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Bringing MSPs into scope is the right direction of travel, and MSPs sit at points of concentrated risk, but they are not all the same and the real risk is not size alone but the level of privileged access and cross-customer dependency. Proportionality will be critical under these provisions if we want better security, not just box-ticking.
Kanishka Narayan
I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.
Clause 11 defines what it means for a digital or managed service provider to be
“subject to public authority oversight”
under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.
In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.
Lincoln Jopp (Spelthorne) (Con)
It is a pleasure to serve with you in the Chair, Ms McVey. Small and medium-sized enterprises are defined by the headcount of full-time employees, yet in the world of IT, particularly for managed service providers, data centres and digital service providers, that is not a helpful metric to understand size and scale. Did the Department consider reevaluating the size of digital and managed service providers based on the through-flow of transactions or data rather than headcount? When I worked in the world of tech, there was a ratio for headcount that was totally different from other sorts of businesses.
Kanishka Narayan
The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Ms McVey.
Clause 9 brings within scope of the NIS regulations a new category of technology service providers, known as relevant managed service providers. MSPs play a critical role in the UK economy. Research conducted by the Department for Science, Innovation and Technology under the last Government suggests that 11,000 MSPs were active in the UK in 2023, of which 1,500 to 1,700 were medium or large organisations that would be in scope of the Bill. Micro and small enterprises that offer managed services are excluded from the scope of regulation but have the potential to be designated as critical suppliers under other provisions, which we will come to shortly.
MSPs are critical to the functioning of the multiple businesses that they serve, offering contracted IT services such as helpdesk and technical support, server and network maintenance, and data back-up. In many cases, they also provide managed cyber-security solutions to their customer bases. Consequently, these businesses often have significant access to their clients’ IT networks, infrastructure and data, which makes them attractive and valuable targets.
Kanishka Narayan
Once again, the shadow Minister is auditioning for roles in the Treasury, by talking about general taxation, and in the Department for Business and Trade, by talking about general philosophies of regulatory reform. I will focus on matters within the scope of our debate, and on four aspects in particular.
First, Opposition Members have raised questions about definition. They have been answered frequently, but I am happy to repeat the answer. The scope of MSP coverage, which focuses on large and medium-sized MSPs, means that something in the order of 11% of MSPs are covered, by number, but 97.6% of the UK’s MSP revenue is covered. I hope that that gives sufficient assurance as to the coverage of the Bill. Of course, the critical supplier provisions cover any others.
Kanishka Narayan
I am happy to proceed and to focus on Crown ownership of data centre provision to others. For those reasons, I continue to commend clauses 9 to 11 to the Committee.
Lincoln Jopp
Will the Minister please clarify whether he thinks that, as page 102 of the impact assessment states, the hourly rate for a lawyer changing a contract is £34?
Kanishka Narayan
I simply point out to the hon. Member that the pricing for law varies materially. I hope that, with the benefit of technology, it continues to be very accessible to all relevant providers.
Lincoln Jopp
I am sorry, but that is nonsense. The footnote on the page that cites £34 an hour for a contract lawyer directs us back to the Office for National Statistics. I hope that the Minister lives in the real world—he has clearly worked in the business world—so he knows that that is nonsense. Does he agree that that pretty well undermines that section of the impact assessment?
Kanishka Narayan
Having closed the debate, I am happy to conclude.
Question put and agreed to.
Clause 9 accordingly ordered to stand part of the Bill.
The Chair
The point has been made clearly on the record. We can take it beyond this room, and perhaps you can write to the Minister afterwards for clarification.
Clauses 10 and 11 ordered to stand part of the Bill.
Clause 12
Critical suppliers
Question put, That the clause stand part of the Bill.
Kanishka Narayan
Clause 12 will introduce a new power for regulators to designate critical suppliers to organisations as in scope of the NIS regulations. These are suppliers that are so pivotal to the provision of essential digital or managed services that a compromise or outage in their systems can cause a disruption that would have serious cascading impacts for our society and economy; I am thinking in particular of the Synnovis incident in 2024, when 11,000 medical appointments were cancelled across London hospitals as a result of an attack on a pathology service provider.
The clause will ensure that the power to designate can be exercised only where suppliers pose a credible risk of systemic disruption and when the regulator has considered whether the risks to the supplier cannot be managed via other means. In other words, it is a very high bar indeed.
The clause provides safeguards for suppliers, which must be consulted and notified during the designation process. It also requires regulators to consult other relevant NIS regulators when they are considering whether to designate, or decide to do so, ensuring that they have an accurate understanding of how suppliers are already regulated.
Finally, the clause provides for designations to be revoked when risks no longer apply or when a supplier has met the thresholds for regulation as a relevant digital service provider or relevant managed service provider. It should be noted that the clause does not set out the security duties on critical suppliers; these will be defined in secondary legislation following an appropriate period of consultation.
By addressing supply chain vulnerabilities, this measure will strengthen the resilience of the UK’s essential and digital services on which the public rely every day. I commend the clause to the Committee.
Alison Griffiths
The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.
Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.
The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.
As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.
There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.
UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.
My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small— I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.
Dr Spencer
I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.
I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.
Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.
If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.
Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.
It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.
Kanishka Narayan
First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.
The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.
The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.
Kanishka Narayan
I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.
In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.
I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.
Kanishka Narayan
I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.
On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.
The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.
Lincoln Jopp
The Minister came back with an answer on proportionality, saying that it is not for Government to decide what is essential. He missed out the next bit, which is, “We’re just going to regulate critical suppliers and pass laws about them, but we don’t know how many there are, and we don’t know how much the policy is going to cost.” Would he accept that characterisation as the logical conclusion of what he said?
The Minister also said that schools were not covered by the Bill. As far as I am aware, patient data and children’s data are two of the most precious things that we have, so I would like to know why schools are not covered by the Bill.
Kanishka Narayan
On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.
Chris Vince
I was going to intervene on the hon. and gallant Member for Spelthorne, but he is bigger than me. I recognise the points he made about the number of critical suppliers, but I come at the question from the other angle: doing nothing may leave critical suppliers at risk. Although we might not know the exact number, as he correctly asserted, it is important that we do something and introduce the regulations as soon as we can to protect our critical infrastructure.
Kanishka Narayan
I thank my hon. Friend for that point. This issue has not come out of nowhere. Industry and a number of organisations asked that we introduce the measures in the clause.
Beyond the very clear five-step test for critical supplier designation, the Bill provides that the requirements on critical suppliers are proportionate. The reason why we have both the five-step test and the provisions in the Bill is that, in most cases, if the risk assessment suggests so, the security requirements set out in the Bill will be less onerous in most cases. They will be specified in secondary legislation and guidance.
On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.
Dr Spencer
The Minister is, of course, within his rights to snarkily dismiss the questions that I have raised, but I should point out that the stuff that is debated in Parliament, whether in Committee or on the Floor of the Chamber, is relevant when it comes to future legal disputes after a Bill is passed. The questions I have asked about the application of the Bill’s provisions will be important parts of the legal disputes that I expect will arise after its implementation. When people look back through the Minister’s dismissive comments, I hope they have other resources that they can go to for settling legal arguments. However, he may choose to respond fully now, or in writing if he cannot provide me with an answer.
Kanishka Narayan
I believe that where the shadow Minister laid out any specific concerns, I was able to set out answers, not least on the process for the designation of critical suppliers and the availability of an appeals process. Where his points were more in the realm of specific hypothetical puzzles, I have stayed clear for precisely the reasons that he highlights. This is serious stuff that can form the basis of how businesses and others plan, rather than specific judgments that we ought not to speculate about in this House.
Question put and agreed to.
Clause 12 accordingly ordered to stand part of the Bill.
Clause 13
Provision of information by operators of data centre services
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 13 ensures that operators of data centres provide essential information to regulators, enabling them to properly monitor their sector and its cyber-resilience. The clause requires operators to submit key details, such as names, addresses and contact information, within three months of designation, and to update regulators within seven days if anything changes. Regulators are required to maintain a list of designated entities. By keeping regulatory records current, the clause strengthens our ability to monitor and protect essential services and respond to incidents that could affect businesses, public services and national security. The clause plays a key foundational role in the Bill’s wider framework for cyber-security and resilience.
Like clause 13, clause 14 places legal duties on digital and managed services providers to provide essential information to their regulator—in this case, the information commission. Like operators of data centre services, RDSPs and MSPs will be required to register with the information commission within three months, submitting key details, such as names and contact information, and to update regulators within seven days if anything changes. Organisations based outside the UK will be required to nominate a UK representative and provide contact details. To strengthen cross-agency support and recognise the key role that these businesses play in the UK economy and society, the information commission will be required to share its registers of relevant digital and managed service providers with GCHQ. Those proportionate steps will enable authorities to do their job and respond when it matters.
Dr Spencer
Clause 13 requires in-scope data centre operators to provide certain information to their designated competent authorities, which—subject to Government amendment 11, which we passed earlier—will now be solely Ofcom, and to keep that information up to date. The information includes the data centre operator’s address and the names of directors. It must be provided within three months of the data centre operator’s designation. For data centres that meet the threshold criteria, that would be three months after clause 4 comes into force. Other OESs are not subject to an equivalent requirement to provide information to their sector regulator. That reflects the fact that the Government currently have limited information about the data centre sector.
RDSPs are already required, under regulation 14 of the NIS regulations 2018, to provide their contact details to the information commission, as their sector regulator. Clause 14(2) amends regulation 14 to require RDSPs to provide more information, including about their directors and the digital services they provide. It would also require the information commission to share a copy of its register of RDSPs with GCHQ. Clause 14(9) requires RMSPs to register with the information commission and to submit the same contact details as RDSPs. RMSPs must nominate a UK representative if they are based outside the UK. The information commission will be required to maintain a register of RMSPs and to share it with GCHQ. Clauses 13 and 14 give Ofcom and the information commission access to more detailed information about regulated entities and facilitate regulatory oversight of the data centre RDSP and RMSP industries in the UK.
Question put and agreed to.
Clause 13 accordingly ordered to stand part of the Bill.
Clause 14 ordered to stand part of the Bill.
Clause 15
Reporting of Incidents by Regulated Persons
Kanishka Narayan
I appreciate the intent behind the amendments and the shadow Minister’s position of understanding but not supporting them, which I share. I share his concerns about the potential for emerging risks posed by AI systems, not least in the realm of cyber-security. At the same time, I am conscious that we have not specified any risk factors in the Bill from a reporting point of view for the National Cyber Security Centre or the regulators. To do so in this context would place an undue priority on one category or source of risk.
For those reasons, although I understand the motivation behind the amendments and I am conscious of the risks posed by AI systems, I urge the hon. Member not to press them. The Bill is technology-agnostic rather than focused on particular areas of risk. The Government continue to work on mitigating AI risks, primarily at the point of use, but also through extensive Government capability, not least in the AI Security Institute.
Dr Spencer
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)
Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)
Kanishka Narayan ExcerptsThursday 5th February 2026
(3 days, 13 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
It is a pleasure to see you in the Chair, Mr Stringer. The Bill will make crucial updates that build on the NIS regulations, which are the UK’s only cross-sector cyber-security regulations. As clause 1 sets out, “NIS regulations” refers to the Network and Information Systems Regulations 2018 (S.I., 2018, No. 506).
Clause 2 gives an overview of the Bill’s parts and what they include. It sets out that part 2 amends the NIS regulations by expanding the scope of the regulations to cover data centres, large load controllers and managed service providers. It also introduces powers for regulators to designate suppliers as being critical for their sector. Part 2 also updates the existing incident-reporting regime and includes provisions relating to the recovery of regulators’ costs, information-gathering and sharing powers, and enforcement powers. Part 3 gives new powers to the Secretary of State to specify other sectors as in scope of the regulations in future, to create new regulations relating to the security and resilience of regulated services, and to issue a code of practice and a statement of strategic priorities. It also requires the Secretary of State to report on this legislation and its implementation. Finally, part 4 gives new national security powers for the Secretary of State to issue directions. I commend the clauses to the Committee.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.
The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.
Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.
Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.
In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.
Dr Spencer
I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.
These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.
Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.
The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.
If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.
Kanishka Narayan
I welcome some of the Opposition spokesperson’s comments. Let me briefly address his questions about definitions and public sector inclusion. It is customary for the Opposition to oppose for the sake of opposition, at times, and I am afraid that this is one of those times; I have so far set out only two clauses, which are effectively an index to the Bill. Notwithstanding that, I will address his two particular points.
I was delighted that in our evidence sessions we heard from witness after witness who appreciated the flexibility of the Bill. For the Government to prescribe activities or incident thresholds in the finest detail in primary legislation is not how businesses, Government and regulators ought to engage. I hope that the Opposition will come to appreciate that in due course.
On critical suppliers, which no doubt we will come on to, I thought that in response to Opposition comments at our second sitting, I set out a very clear, precise set of tests. I found no opposition to that claim, but I look forward to hearing any original thoughts on that question.
On incident reporting, I was delighted that there was a witness who noticed that the extension of the definition of incident reporting, to include incidents capable of having an impact, was appropriate and exactly in the right place.
On the question about the public sector’s inclusion, we are here not to prescribe and wait for a law to tell us what we ought to do in the public sector, but instead to move fast and fix things. In that spirit, the Bill focuses on essential services.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2 ordered to stand part of the Bill.
Clause 3
Identification of Operators of Essential Services
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 3 makes important distinctions as to which organisations can and cannot be considered operators of essential services for the purposes of the NIS regulations. It clarifies that a person—in practice, an organisation or business—can be an operator of an essential service regardless of whether that person is established in the UK, as long as they are providing essential services in the UK. That means that organisations established outside the UK can be regulated under the NIS regulations.
Clause 3 also makes it clear that the NIS regulations do not apply to public electronic communications networks or to public electronic communications services. Those are telecoms operators, which are regulated separately under the Communications Act 2003. The amendments in clause 3 will prevent telecoms companies from being subject to duplicate regulations; they will also ensure that all essential services in the UK are protected, even if the company operating them is based outside the UK. I commend the clause to the Committee.
Dr Spencer
Clause 3 will amend the relevant provisions of the NIS regulations, stipulating that operators of essential services are within scope of the regulations whether or not they are operating an essential service in the UK, and regardless of jurisdiction in which they are established. Providers of public electronic communications networks and public electronic communications services are excluded from characterisation as operators of essential services, as the Minister says, to avoid duplication with their sector-specific cyber-security regime.
The clause is an important provision to ensure that entities providing essential services in the UK are compliant with domestic standards. Perhaps the most important aspect of the change is ensuring that serious cyber-security risks that appear within the systems of those entities are reported to the UK authorities for action. That is vital for the National Cyber Security Centre to keep abreast of emerging risks and be able to respond to them.
Nevertheless, the complex maze of compliance and regulatory standards across jurisdictions is a growing challenge for businesses of all sizes and particularly for small and medium-sized enterprises. This is also a complicating factor facing UK companies when providing services abroad, particularly in the digital domain. Will the Minister lay out what discussions he has had with industry representatives about easing the complexity of cross-border digital service provision to ensure that the UK is a competitive and attractive place to do business?
Kanishka Narayan
On the question about cross-border compliance and making sure that we have a proportionate and effective regime, we have had a series of engagements at ministerial and official level with representatives of techUK, the industry body. The NCSC has convened a series of organisations—not least managed service providers, but others as well—and there has been a pretty extensive period of consultation on that and every other matter in the Bill.
I feel satisfied that the Bill strikes a good balance in ensuring proportionality in what businesses experience. Critically, as supply chains in this context become increasingly cross-border, it is vital that bodies that may not be resident in the UK but which provide essential services here are included in the scope of the Bill.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4
Data centres to be regulated as essential services
Kanishka Narayan
I beg to move amendment 11, in clause 4, page 3, line 5, column 3, leave out from beginning to “the” in line 6.
This amendment and Amendment 12 would remove the Secretary of State for Science, Innovation and Technology as a joint regulator for the data infrastructure subsector, leaving the Office of Communications acting as the sole regulator for that subsector.
The Chair
With this it will be convenient to discuss the following:
Government amendment 12.
Clause stand part.
Clauses 5 and 6 stand part.
Kanishka Narayan
Clause 4 of the Bill amends the NIS regulations by creating a new regulated sector, data infrastructure, and designating the Secretary of State for Science, Innovation and Technology and Ofcom as joint regulators. We have received clear feedback from the data infrastructure sector expressing concerns that a dual regulator model could create unnecessary complexity and limit accountability. Amendments 11 and 12 will remove the Secretary of State for Science, Innovation and Technology as a regulator, leaving Ofcom as the sole regulator, which will streamline the regulatory model for data infrastructure and resolve the concerns raised by stakeholders.
Ofcom already has proven regulatory expertise and is well placed to oversee the new data infrastructure sector effectively. By adopting a single regulator for data infrastructure, the amendments will reduce administrative burden, simplify engagement, and strengthen accountability. This will ensure a clearer, more effective regulatory framework for this rapidly growing sector.
Clause 4 brings qualifying data centre services into the scope of the NIS regulations, recognising both their vital role in underpinning our economy and public services, and that disruption to them can significantly impact productivity, service delivery, and revenue.
Alison Griffiths
Clause 4 relies heavily on capacity as the trigger for regulation. I understand why that is attractive: it is measurable. But capacity is not the same as criticality, and a high-capacity facility used for redundancy can present less systemic risk than a smaller, highly concentrated one. I simply put on record that the way this threshold is applied in practice will matter more than the number itself.
Kanishka Narayan
I thank the hon. Member for that thoughtful point. One assurance I will offer her is that the direct definition of data centres in scope here rely on capacity as a proxy for their essential independent nature, but when data centres below the capacity threshold but high on the criticality threshold are suppliers to essential services, they would be covered in part by the critical suppliers framework in the Bill. I take her point into account.
Bradley Thomas (Bromsgrove) (Con)
What consideration has been given to the potential conflict between data centres’ contractual obligation regarding customer confidentiality and mandatory rapid reporting? What assurance can the Minister give us that data centres will ensure that the conflict does not impact their future business?
Kanishka Narayan
In the course of engaging with firms we have considered what the timeline for reporting ought to be. It is critical that the initial notification requirement, which is a much lower requirement than the full notification requirement, at least gives the NCSC and other enforcement authorities the ability to counter national security and wider-impact risks. I believe that specification to be proportionate in the Bill, but it is of course a matter for implementation that we will keep a close eye on.
An attack on a data centre can have significant impacts beyond the facility itself. As data centres underpin digital services across multiple sectors, disruption or compromise can cascade through essential services, businesses and public services. Incidents may also pose national security and economic risks, given the concentration of sensitive and critical data. Bringing qualifying data centre services into scope of the NIS framework helps ensure these risks are managed proportionately and incidents are reported promptly.
As per Government amendments 11 and 12, we propose that Ofcom is the regulator. Medium and large third party data centres and very large enterprise centres will be required to manage risks and report to Ofcom. Their thresholds have been carefully calibrated to capture data centres whose disruption could have the greatest impact, while avoiding unnecessary burdens on smaller operators. This will strengthen the cyber-security and resilience of data centres, align with international regulations, and introduce structured oversight, notification, and incident reporting to strengthen national security and economic stability.
Dr Spencer
As I risk getting into trouble with Mr Stringer, I will not respond to the hon. Member for Lichfield. I look forward to the opportunity to debate this issue again, perhaps in the emergency Budget in the next couple of weeks.
Clause 6 brings large load controllers, which provide the flow of electricity in and out of smart appliances, within scope of the NIS regulations if the load is above 300 MW. I understand that the threshold has been decided through consultation, given that that pressure could have a substantial impact on the grid. There is a challenge in managing peak demand and supply in the grid and big changes in it, so I entirely understand why the Government are introducing this provision. Smart EV devices—I have a smart charging electric vehicle device myself—used system-wide could cause big grid disruptions, particularly as we integrate infrastructure into our homes such as solar panels, batteries and other energy-related smart devices.
In fact, we need the grid to become more smart device-integrated over the next 10, 15 or 20 years. When we look at projections of energy consumption, we see that we will need to enable people to use the grid by expanding technology such as vehicle-to-grid energy supply, so that we can manage peak load. That is part of expanding our energy, reducing energy costs and supporting renewable energy and the transition to net zero. If anything, this issue will become more important and expansive over the years.
On that basis, I have some questions for the Minister about the clause. Why are data centres and large load controllers the two sectors that he has decided to put on the face of the Bill? I say that with particular reference to the NIS2 regulations, which are expanded a bit more. How does he envisage this area expanding in the future? Is he confident that the scope of the clause is sufficient to cover future technologies that are coming down the track? I am thinking of EV charging apps. The list is prescriptive, but does it have sufficient flexibility? Is the Minister able to come back with secondary legislation if he needs to expand the list in the future, given that it is in the Bill in that form? Would it not be better to put that on the face of the Bill and to use secondary legislation to lay it out, in order to have flexibility? The Minister has been trying to ensure flexibility elsewhere, and understandably so—let us not go back into those debates. I just want to understand his reasoning behind that a bit better. That is certainly not a criticism, but I want to know why those particular sectors have been pulled out, and why it has not been left for secondary legislation.
Kanishka Narayan
With your permission, Mr Stringer, I will restrict my comments to clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.
The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.
Kanishka Narayan
I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.
The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.
Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.
On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.
Chris Vince
On the point about flexibility, I think we would recognise that the legislative process in this House does not always move as quickly as we might want it to, but there are reasons for that, because scrutiny is really important. Does the Minister agree that the changing nature of the cyber-threats we face and the changing nature of technology, which he understands far more than me, are the reasons why it is so important to have flexibility in the Bill?
Kanishka Narayan
I thank my hon. Friend for that point. The reality is that neither he nor I am placed to judge exactly where the thresholds should be set on a permanent basis. That is exactly why we have secured the flexibilities that we have in the Bill.
Clause 5 brings Crown-operated data centres into scope of the NIS regulations, ensuring that Government data centres meet robust standards comparable to those in the private sector. Bringing Crown data centres within scope closes a critical gap and guarantees that public sector infrastructure is protected against evolving threats. Exemptions will apply only in defined cases in which a data centre service is provided by an intelligence agency or a facility handling highly classified—“Secret” or “Top Secret”—information. These data centre services are already governed separately, and applying the NIS regime could cause conflict. I urge that clause 5 stand part of the Bill.
Finally, clause 6, on large load controllers, introduces the essential new service of load control under the energy subsector of the NIS regulations. This will capture organisations—
The Chair
Order. I am sorry to interrupt the Minister, but can he speak a little more loudly and slowly for the benefit of all Members?
Kanishka Narayan
Loudly and slowly: this will capture organisations remotely managing significant amounts of electrical load via energy-smart appliances, both in a domestic and non-domestic setting. These organisations play an increasingly important role in the management of the electricity system, but are not currently regulated for cyber-security. A cyber-attack could therefore create major disruptions to the national grid, shutting down public services and critical national infrastructure. Capturing load control as an essential service will safeguard the public from these disruptions. It will also reflect the need to bring in new safeguards to manage a more digitalised and dynamic energy landscape in the transition towards net zero.
Dr Spencer
Before the Minister moves on—I was a bit nervous that he was going to finish—I have an additional question about the Crown data centre. What happens if a data centre is providing services commercially to both the public and the Crown? How is that operated within the scope of the Bill?
Kanishka Narayan
I am happy to write to the shadow Minister on that point. My understanding is that a Crown data centre will be in scope if it is providing, as in that particular example, to both the public and the private sector, but I am happy to write to him to clarify that point.
The load control market is growing exponentially and we need to make it cyber-secure. For that reason, I propose that clause 6 stands part of the Bill.
Amendment 11 agreed to.
Amendment made: 12, in clause 4, page 3, line 7, leave out “(acting jointly)”.—(Kanishka Narayan.)
See the explanatory statement for Amendment 11.
Clause 4, as amended, ordered to stand part of the Bill.
Clauses 5 and 6 ordered to stand part of the Bill.
Clause 7
Digital services
Kanishka Narayan
I beg to move amendment 13, in clause 7, page 7, line 7, leave out paragraph (b) and insert—
“(b) a pool of computing resources is ‘scalable’ if the resources are flexibly allocated by the provider of the service, irrespective of the geographical location of the resources, in order to handle fluctuations in demand;
(c) a pool of computing resources is ‘elastic’ if the resources are provided and released according to demand, in order to rapidly increase and decrease available resources depending on workload;
(d) computing resources are ‘shareable’ if—
(i) multiple users share a common access to the service, which is provided from the same electronic equipment, and
(ii) processing is carried out separately for each user.”
This amendment would refine and make further provision about certain aspects of the definition of “cloud computing service”.
Kanishka Narayan
Clause 7 amends the definitions of “relevant digital service provider” and “cloud computing service” in the existing NIS regulations. As in the original NIS regulations, an RDSP is a cloud computing service, online search engine or online marketplace. To be in scope, they must provide a service in the UK and not be a small or microbusiness. That prevents disproportionate business burden, focusing on those larger businesses whose compromise could have a significant impact on the UK’s economy or society. The changes to the definition in the clause clarify that to be in scope, providers cannot be designated as a critical supplier or be subject to public authority oversight, as defined by clause 11. That maintains consistency with the approach to managed services, and minimises dual regulation and unnecessary burden.
Government amendment 13 strengthens the definition of a cloud computing service in clause 7. It introduces precise, clarified and separate definitions of the three core characteristics of cloud computing resources, which is that they are scalable, elastic and shareable.
Alison Griffiths
Clause 7 is definition-heavy, and rightly so; these terms decide who is regulated and who is not. My only observation is that cloud models are, as the Minister knows, evolving quickly because of the AI revolution. Definitions that track architecture too closely will age fast, so the Committee should be alert to whether these terms will still make sense in five years’ time and not just today.
Kanishka Narayan
I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.
Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.
This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.
Dr Spencer
Clause 7 amends the definition of cloud services, which have been within the scope of regulation since the NIS regulations came into force. The expanded definition emphasises remote accessibility and the “on demand” nature of cloud services, and that services may be delivered from multiple locations. It also excludes managed services from the scope of cloud services to avoid duplication of regulatory requirements and oversight.
The Minister proposes changes to this provision in Government amendment 13, which sets out further details regarding the features of in-scope cloud service provision, including common access by multiple users, with each having access to separate processing functions. My question to the Minister builds on the one raised by my hon. Friend the Member for Bognor Regis and Littlehampton. It is obviously difficult—if it is possible at all—to predict how the tech sector will evolve, but what powers will the Government have to adjust these provisions as the cloud ecosystem changes, and what consultation has the Minister done on that within the scope of the Bill?
Kanishka Narayan
On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
Currently, the law requires regulated persons to manage risks to the security of their systems. Amendment 28, tabled by the Liberal Democrats, explicitly inserts “risks arising from fraud” into that duty. It would make it clear that a system cannot be considered secure if it is easily exploited by scammers.
Fraud should be considered a national security issue, and there is clearly a relationship between fraud and cyber-security. Scammers across the world are targeting British citizens. Elderly fraud victims in Dyfed-Powys lose £7,900 a day to a tidal wave of scams perpetrated by scammers from many countries across the world, notably Nigeria. UK-wide, in the first half of 2025 alone, criminals stole over £600 million through scams. Surely, we cannot pass a cyber-security and resilience Bill—
Dr Spencer
I broadly agree. This is one of those difficult areas where there can be overlap. I have sympathy with the argument that it is important to use any opportunity, and in particular this Bill, to raise fraud.
We focus on financial fraud, but this area is not limited to that, especially when we think about other malicious operators, and about ransomware and hacktivism, where the boundaries are particularly blurred. In a situation where a fraudulent operator, service, provider or organisation has material, whether on social media or subject to search engines, and the police or other competent authorities have flagged it to the provider as fraudulent—as illegal criminal activity—what duties does that provider have to remove it or take it down? Is that something that the Minister is aware of? Has he looked into it, and what is the Government’s plan to crack down on that activity?
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.
That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.
Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.
The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.
Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.
Lincoln Jopp (Spelthorne) (Con)
Members on both sides of the Committee have referred frequently to the fact that the incident that took Jaguar Land Rover down would not have been covered by the Bill. JLR employs a digital service provider, in the form of Tata Consultancy Services. Would that provider not be covered, meaning that JLR is in scope?
Kanishka Narayan
Although I will not rule a particular provider in or out of scope, if the provider in question met the threshold for RDSP coverage, it would be covered, but the locus of that coverage would be limited to the provider rather than to the end-customer entity. I hope that clarifies that sufficiently.
Let me explain how clause 8 was designed to tackle the risks that Committee members have set out. The clause updates the existing duties for RDSPs in the NIS regulations to ensure that they remain resilient against evolving cyber-threats. It clarifies the requirement for those services, making it clearer that they must secure themselves not just to keep the services they provide running and available but to contribute to wider systems security as a whole.
Lincoln Jopp
Given the scenario we just discussed, it is possible that a digital service provider would have an obligation to report under the Bill, but the parent company employing its services would not. Given the requirements for confidentiality that a client company may put upon a digital managed service provider, how can that conflict be managed?
Kanishka Narayan
I appreciate the hon. Gentleman’s question, and I have two comments to make on that front. First, the relevant digital service provider will have a range of different customers, and my expectation would be that the regulators and the NCSC would seek a deep understanding of the risk exposure across the full breadth of that portfolio, rather than for each particular customer. Of course, that would form part of some analysis.
Secondly—the shadow Minister asked a related question —I am happy to write about the interaction between prompt notification responsibilities and commercial confidentiality duties, on the basis of the engagement we have conducted so far. Especially when questions of major risk exposure are concerned, I would hope there are provisions that allow the relevant digital service provider to notify the NCSC, but I am happy to write to the hon. Member for Spelthorne and the shadow Minister to clarify that point.
Clause 8 also removes a reference to the RDSP’s own network and information system to clarify that the duty is intended to cover all network and information systems that the relevant digital service relies on.
The cyber-risk landscape is diffuse and multifaceted. Hostile actors can use a range of routes and techniques to attempt to take services offline, as well as to extort, steal and surveil. These changes to the NIS regulations support a holistic approach to tackling cyber-risk. They ensure that important dependencies are covered and that facets of security such as the confidentiality of data and integrity of systems are not set aside.
The clause also requires RDSPs to have regard to any relevant guidance issued by the Information Commission when carrying out its duties. Finally, it removes a requirement for relevant digital service providers to consider specific duties referenced in EU regulations. I urge the Committee to support the clause unamended.
Question put, That the amendment be made.
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Kanishka Narayan ExcerptsTuesday 3rd February 2026
(5 days, 13 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
David Chadwick
Q
DCS Andrew Gould: That is a really good question. The international jurisdiction challenge for us is huge. We know that is where most of the volumes are driven from, and obviously we do not have the powers to just go over and get hold of the people we would necessarily want to. You will not be surprised to hear that it really varies between jurisdictions. Some are a lot more keen to address some of the threats emanating from their countries than others. More countries are starting to treat this as more of a priority, but it can take years to investigate an organised crime group or a network, and it takes them seconds to commit the crime. It is a huge challenge.
There are two things that we could do more of better—these are things that are in train already. If you think about the wealth of cyber-crime, online fraud and so on, all the data, and a lot of the skills and expertise to tackle that sit within the private sector, whereas in law enforcement, we have the law enforcement powers to take action to address some of it.
With a recent pilot in the City funded by the Home Office, we have started to move beyond our traditional private sector partnerships. We are working with key existing partners—blockchain analytic companies or open-source intelligence companies—and we are effectively in an openly commercial relationship; we are paying them to undertake operational activity on our behalf. We are saying, “Company a, b or c, we want you to identify UK-based cyber-criminals, online fraudsters, money-laundering and opportunities for crypto-seizure under the Proceeds of Crime Act 2002”. They have the global datasets and the bigger picture; we have only a small piece of the puzzle. By working with them jointly on operations, they might bring a number of targets for us, and we can then develop that into operational activity using some of the other tools and techniques that we have.
It is quite early days with that pilot, but the first investigation we did down in the south-east resulted in a seizure of about £40 million-worth of cryptocurrency. That is off a commercial contract that cost us a couple of hundred grand. There is potential for return on investment and impact as we scale it up. It is a capability that you can point at any area of online threat, not just cyber-crime and fraud, so there are some huge opportunities for it to really start to impact at scale.
One of the other things we do in a much more automated and technical way—again funded by the Home Office—is the replacement of the Action Fraud system with the new Report Fraud system. That will, over the next year or so, start to ingest a lot of private sector datasets from financial institutions, open-source intelligence companies and the like, so we will have a much broader understanding of all those threats and we will also be able to engage in takedowns and disruptions in an automated way at scale, working with a lot of the communication service providers, banks and others.
Instead of the traditional manual way we have always been doing a lot of that protection, we can, through partnerships, start doing it in a much more automated and effective way at scale. Over time, we will be able to design out and remove a lot of the volume you see impacting the UK public now. That is certainly the plan.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.
For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.
For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.
We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”
To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.
The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.
Bradley Thomas
Q
DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Kanishka Narayan ExcerptsTuesday 3rd February 2026
(5 days, 13 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Tim Roca (Macclesfield) (Lab)
Q
Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.
On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.
The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.
The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.
The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
Jen Ellis: Again, that is a hugely complex question to cover in a short amount of the time. One of the challenges that we face in UK is that we are a 99% small and mediums economy. It is hard to think about how to place more burdens on small and medium businesses, what they can reasonably get done and what resources are available. That said, that is the problem that we have to deal with; we have to figure out how to make progress.
There is also a challenge here, in that we tend to focus a lot on the behaviour of the victim. It is understandable why—that is the side that we can control—but we are missing the middle piece. There are the bad guys, who we cannot control but who we can try to prosecute and bring to task; and there are the victims, who we can control, and we focus a lot on that—CSRB focuses on that side. Then there is the middle ground of enablers. They are not intending to be enablers, but they are the people who are creating the platforms, mediums and technology. I am not sure that we are where we could be in thinking about how to set a baseline for them. We have a lot of voluntary codes, which is fantastic—that is a really good starting point—but it is about the value of the voluntary and how much it requires behavioural change. What you see is that the organisations that are already doing well and taking security seriously are following the voluntary codes because they were already investing, but there is a really long tail of organisations that are not.
Any policy approach, legislation or otherwise, comes down to the fact that you can build the best thing in the world, but you need a plan for adoption or the engagement piece—what it looks like to go into communities and see how people are wrestling with this stuff and the challenges that are blocking adoption. You also need to think about how to address and remove those challenges, and, where necessary, how to ensure appropriate enforcement, accountability and transparency. That is critical, and I am not sure that we see a huge amount of that at the moment. That is an area where there is potential for growth.
With CSRB, the piece around enforcement is going to be critical, and not just for the covered entities. We are also giving new authorities to the regulators, so what are we doing to say to them, “We expect you to use them, to be accountable for using them and to demonstrate that your sector is improving”? There needs to be stronger conversations about what it looks like to not meet the requirements. We should be looking more broadly, beyond just telling small companies to do more. If we are going to tell small companies to do more, how do we make it something that they can prioritise, care about and take seriously, in the same way that health and safety is taken seriously?
David Cook: To achieve the outcome in question, which is about the practicalities of a supply chain where smaller entities are relying on it, I can see the benefit of bringing those small entities in scope, but there could be something rather more forthright in the legislation on how the supply chain is dealt with on a contractual basis. In reality, we see that when a smaller entity tries to contract with a much larger entity—an IT outsourced provider, for example—it may find pushback if the contractual terms that it asks for would help it but are not required under legislation.
Where an organisation can rely on the GDPR, which has very specific requirements as to what contracts should contain, or the Digital Operational Resilience Act, which is a European financial services law and is very prescriptive as to what a contract must contain, any kind of entity doing deals and entering into a contract cannot really push back, because the requirements are set out in stone. The Bill does not have a similar requirement as to what a contract with providers might look like.
Pushing that requirement into the negotiation between, for example, a massive global IT outsourced provider and a much smaller entity means either that we will see piecemeal clauses that do not always achieve the outcomes you are after, or that we will not see those clauses in place at all because of the commercial reality. Having a similarly prescriptive set of requirements for what that contract would contain means that anybody negotiating could point to the law and say, “We have to have this in place, and there’s no wriggle room.” That would achieve the outcome you are after: those small entities would all have identical contracts, at least as a baseline.
Emily Darlington (Milton Keynes Central) (Lab)
Q
David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.
The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.
Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.
I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.
Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.
David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.
NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.
The Chair
The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.
Stuart McKean: I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.
Jill Broom: Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.
We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.
Kanishka Narayan
Q
Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.
For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.
You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.
Dr Gardner
Q
Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.
I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.
The Chair
I should say to the witnesses: do not feel obliged to answer each question if you do not feel that you have anything material to add.
Matt Houlihan: It is very tempting to answer the question on AI, but thank you for the question on managed service providers. It is right that managed service providers are looked at in this Bill. An increasing amount of the work of managing IT services is clearly now outsourced to managed service providers. There needs to be some scrutiny and some baseline of cyber-security with those. I would say a couple of things on what guidance is needed. We broadly support the definition in the Bill. I appreciate the comments in the previous session that suggested that the definition was a little too broad and could be refined, which I think is fair, but when you compare the definition in the CSRB with the definition of managed service providers used in the NIS2 legislation, a couple of bits of clarity are provided in the CSRB. First, the managed service provider needs to provide an
“ongoing management of information technology systems”.
We feel that word “ongoing” is quite important. Secondly, it has to involve
“connecting to or…obtaining access to network and information systems relied on by the customer”.
We feel that
“connecting to or…obtaining access to”
the network is an important part of the definition that should be put forward. One area where more tightness can be provided is where, in the Bill, there is a non-exhaustive list of activities that an MSP could be involved in, such as
“support and maintenance, monitoring, active administration”.
The Bill then says, “or other activities”, which adds quite a bit of uncertainty on what is and is not an MSP.
The other area I would like to highlight and link to Ben’s answer on AI is that the “active administration” activity raises a question about the extent to which AI-enabled managed services would come under that definition. I am sure that lots of managed service providers will use AI more and more in the services that they provide to their end customers; to what extent does “active administration” involve an AI-related service?
To end on that specific question, the Information Commissioner’s Office will, I believe, issue guidance for managed service providers once the Bill is passed. That guidance will be the critical thing to get right, so there should be consultation on it, as my colleague from techUK suggested earlier. I would also suggest that that guidance cannot be a simple check-box list of things that have to be done. We should shift our thinking to have more of an ongoing appreciation of what cyber-security involves in practice for MSP or other regulated entities under the Bill. Making sure there is an ongoing process and that there is effective enforcement will be important.
Chris Anley: On the NAO report , the cyber action plan and public sector cyber-security, you are absolutely right to point out that the NAO report identifies serious issues. The Government recently acknowledged that they are likely to miss their 2030 cyber-resilience targets. It is also important to point out that the cyber action plan lays out an approach with many very positive elements such as an additional £210 million in central funding. There are many benefits to that, including a centralised provision of services at scale, a concentration of expertise and a reduction of costs.
Then there are other broader initiatives in the cyber action plan. The UK software security code of practice, which has been mentioned several times in these sessions, is a voluntary code that organisations can use as a tool to secure their supply chain. Cisco and NCC Group are ambassadors for that scheme and voluntarily comply with it, and it improves our own resilience.
Whether the cyber action plan goes far enough is a very difficult question. The NAO report also points out the extreme complexity of the situation. Within the budgetary constraints, I think it is fair to say that the steps in the plan seem reasonable, but there is a broader budgetary conversation to be had in this area. Two of the most significant issues identified in the report are the skills shortage, which has come up in these sessions—almost a third of cyber-security posts in Government are presently unfilled, which is dangerous—and the fact that Departments rely on vulnerable, outdated legacy IT systems, which may be the cause of an incident in their own right and would certainly make an incident much more severe were one to occur. The problem is that those are both largely budgetary issues. Successive Governments have obviously focused on delivering taxpayer value, as they should—we are all taxpayers—but over a period of a decade or more, that has led to a position where Departments find it difficult to replace legacy IT systems and fill these high-skill, high-cost cyber-security positions. There is very much a broader discussion to be had, as has been raised in these sessions, about where we should be in terms of the budget. You are absolutely right to raise the public sector issues. Although the Bill focuses on the private sector, the public sector obviously must lead by example.
Dr Ian Levy: We think the current definitions of critical suppliers are probably overly broad and risk bringing in SMEs, when you really do not want to do that. That said, we need to think about the transitive nature of supply chains. With previous regulations that talk about cyber-security, we have seen a flow-down of requirements through contracting chains. There is a question about how far it is reasonable to go down those contracting chains. In my experience, the value of the contract and the potential impact are not necessarily correlated. We certainly saw that when we were giving evidence for the Telecommunications (Security) Act 2021.
There is a real question about how you define what supply chain you mean. You mentioned that AWS has a complex supply chain. We certainly do—it is astoundingly complex—but the important thing is that we control the really important parts of that. For example, we build our own central processing units, graphics processing units, servers, data centres and so on. The question then becomes: how does that translate out to customers? If a customer is using a partner’s service running on AWS, where does the liability accrue? I do not think that is adequately covered in the Bill.
In terms of certainty and foreseeability, the Bill as it stands admits a single entity being regulated multiple times in multiple different ways. We are subject today to at least four different sets of regulations and regulators. Some of them conflict, and some of them are ambiguous. As this expands out, a single reporting regime—a lead regulator model—would take some of that ambiguity away so that you have more foreseeability and certainty about what you are trying to do.
There are things in the current drafting of the Bill that we think need some consultation. There are things in primary legislation, such as the Secretary of State’s powers, that seem to be unbounded—that is probably the best way to describe it—and that seems dangerous. We understand the necessity for powers around national security, but we think there need to be some sort of safeguards and consultation about how they are used in practice. For any multinational company, something that is effected in the UK is likely to affect all our customers, so some real constraint is needed around that.
Kanishka Narayan
Q
Chris Anley: By our calculation, as you say, the number of organisations that fall under the scope of the Bill in terms of the Government’s impact assessment is 0.1% of the private sector, which is one one-hundredth of the tip of the iceberg. We are going to have to adopt a whole-of-economy approach if we are going to secure the UK—we have already talked about the public sector issues.
On the Bill itself, we have three main comments. First, the secondary legislation forms the bulk of the technical measures, so we are calling for early consultation on that. Secondly, the Bill imposes additional reporting obligations, adding to an already complicated situation for reporting cyber-incidents in the UK. The reporting obligations trigger at a time of great complexity for an organisation, so we are calling for a single point of contact for reporting all cyber-security incidents in the UK and a single timeline. That may sound like a big ask—an impossible dream. Australia has already done it, and the EU is in the process of doing it in its digital omnibus streamlining package.
Finally, in terms of cyber professionals, the passage of a cyber-security Bill through Parliament is a golden opportunity to address the serious problems with the Computer Misuse Act 1990. Cyber professionals who are defending the UK cannot currently do so without risking criminal prosecution. We cannot carry out basic identification and verification actions without potentially committing the offence of unauthorised access to computer material, because a ransomware gang, for example, is unlikely to give us authorisation to identify the command and control system they are using to attack the UK.
We support the CyberUp campaign, which is proposing an amendment to the Computer Misuse Act to provide a statutory defence, resting on four strong safeguarding principles. We believe that that would help to protect our defenders while maintaining the integrity of the law. Based on the campaign’s research into the size of the cyber-security industry in the UK, the amendment would not only help to prevent incidents and mitigate incidents in progress, but add 9,500 highly skilled jobs and over £2.5 billion in revenue to the UK economy. Other nations are already benefiting from this type of safeguard, including our oldest ally, Portugal, which has implemented them in its recent amendments to NIS2, which is the exact legislative equivalent of the process we are in today. In summary, please help us to defend the UK by protecting our defenders.
Dr Ian Levy: To follow up on what Chris says, we strongly agree on early consultation on the technical detail of the secondary legislation. Somebody said in the previous session that, in security, the devil is always in the detail. Well-meaning text can be massively misinterpreted. We need to be very careful about that, so wide, early consultation is key.
On incident reporting, I will make two points. Chris made the point that when you are being asked to report, you are at your most desperate, because you have just found out that you have been attacked and you do not know what is going to happen. A lot of legislation accidentally ignores the victim. When we set up the NCSC, one of the primary things was that we were there to support the victims. I urge you not to lose sight of that. Absolutely, go after and find the culprits later, but in the moment, the victims are absolutely key to this.
The second part of that, about a single reporting timeline and a single reporting route, is that it is not just good for the victims but the only way that we generate strategic intelligence. That is one of the things that is missing in the UK—and has been for decades. We have five, six or seven different reporting portals that all characterise things differently and take different types of information, and bringing them together to have a single picture about the actual threat to the UK is incredibly difficult. A single reporting forum could fix that.
Ben Lyons: I might distinguish between what organisations need to do and whether organisations are in scope. In terms of what they need to do, the outcomes-based approach is sensible. If you think about when the Johnson Government were consulting on the measures that would go on to form this Bill, that was a time when ChatGPT had not been invented and the geopolitical environment was very different. The world is moving fast, and I think that the cyber assessment framework is a good starting place for what a code of practice could look like, because it is already understood by industry and is outcomes-driven.
I agree with the previous comments about incident reporting. I think that there is a lot of merit in the suggestion around a shared portal so that it is easier to report incidents in that moment of dealing with a cyber-attack. Within the regime as envisaged, probably the most important bit with reference to reporting is about improving that early clarity and visibility for the NCSC so that they can help. That is probably where I would place the emphasis, more than on regulators having that information within 24 hours. In that context, an approach that recognises best efforts in that first 24 hours but is focused on tackling the problem will be important for dealing with the issue.
On the supply chain, I would say—and we have heard about this before—that there could be more clarity there in terms of who would be in scope for designated suppliers. Thinking a bit around both systemic dependency and the potential for wider disruption would be important factors to give it more clarity.
Matt Houlihan: To round off the responses, on the question about finding the balance between specificity and agility, the Bill does a reasonable job at that. We can totally see the need to keep some of the doors open, because not only is the nature of the threat changing rapidly but the nature of technology—and of our capabilities to defend—is changing as well. We have already talked about AI, and we have lots of quantum research taking place as well that will have a big bearing on cyber-security.
It is right that the Bill has some agility in it, but it is clear from the responses today that there is a need to tighten it up in certain places. We talked about incident reporting, and having a simpler, more co-ordinated system for regulated entities to work with so that that reporting process is easier. The definition of “incident” itself needs to be looked at, we believe. The idea of an instance not only having, but being capable of having, an adverse effect on information systems opens the door very widely to lots of potential incidents that may need to be reported on. Having a tighter definition there would be very useful.
To touch on the point about Secretary of State powers, we feel that the door is a little bit too wide. If you look at legislation such as Australia’s cyber-security legislation from 2018, the Security of Critical Infrastructure Act, that also has some good Secretary of State powers, but there are lots of guardrails contained in it that make it clear that it is a power of last resort, where the entity is unwilling or unable to carry out the remedial action itself. There are also other guardrails contained in that legislation. We urge the Committee and the Government to look at that Act and take inspiration from it to think about where those guardrails could be worked into the UK law.
The Chair
Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.
Lanarkshire AI Growth Zone and AI Opportunities Action Plan
Kanishka Narayan Excerpts(1 week, 3 days ago)
Written StatementsRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Today I am updating the House on a number of developments: the designation of Lanarkshire as the UK’s newest AI growth zone, the establishment of the AI and the Future of Work programme, the expansion of the AI upskilling programme, and progress on delivery of the “AI Opportunities Action Plan”, one year on from its publication.
Lanarkshire AI growth zone
The Government are today designating Lanarkshire as the latest AI growth zone, marking a major step in our modern industrial strategy and strengthening Scotland’s position in the UK’s growing AI economy.
The Lanarkshire site will be delivered by UK company DataVita, in partnership with CoreWeave. It will support more than 3,400 jobs over the coming years and will crowd in £8.2 billion in private investment, with a further £540 million committed over 15 years to support the local community. This will fund skills and training packages, after school coding and digital clubs, and support for local charities and food banks.
The 9,000 acre site will be one of the most advanced AI campuses in the world, drawing on on site renewable energy to power up to 500MW of compute and exploring how excess heat generated by data centre cooling could support nearby facilities such as University Hospital Monklands, Scotland’s first fully digital and net zero hospital.
Lanarkshire becomes the fifth AI growth zone announced since the launch of the action plan, joining Oxfordshire, north Wales, south Wales and the north-east. AI growth zones are expected to support up to 15,000 jobs and at least £28 billion in private investment.
Establishment of the AI and the Future of Work programme and expansion of the AI upskilling programme
The Government are establishing a comprehensive AI and the Future of Work programme to ensure the UK is prepared to benefit from and adapt to the profound changes AI will bring to jobs, workers and the labour market. This includes launching a new cross Government AI and the Future of Work Unit and appointing an independent expert panel drawn from industry, academia, civil society and trade unions to guide this work.
Building on last year’s commitment to provide free AI training for all workers, the Government are expanding their national upskilling programme—delivered with major industry and now public sector partners—to equip 10 million workers with AI skills by 2030, up from the original 7.5 million ambition.
This forms part of a wider effort to ensure that AI-driven transformation delivers opportunities, supports economic growth, and helps workers and communities benefit from technological change.
AI opportunities action plan—delivery update
AI growth zones were a core commitment of the AI opportunities action plan, which the Government published a year ago to ensure the UK leads in shaping the AI revolution.
One year on, we have moved decisively from ambition to delivery. We have now met 38 of the action plan’s 50 commitments, and today we are publishing our one- year-on update. Per the action plan, we have focused on three goals: laying the foundations to enable AI, changing lives for the better, and securing our future.
Laying the foundations.
We have designated five AI growth zones, accelerating data centre build out. We have expanded national compute capacity, with Isambard AI switched on in Bristol and committed to procure to increase the supercomputer capacity at the University of Cambridge—already home to the DAWN supercomputer—sixfold by spring 2026. We have also begun the biggest AI skills drive in a generation: over 1 million AI training courses have already been delivered in just the last six months.
Changing Lives.
AI is already delivering practical benefits for citizens. AI-assisted diagnostics are supporting one third of NHS chest X-rays, improving detection and treatment times. We have announced trials of AI tutoring tools to support learning and reduce teacher workload.
Securing our Future.
UK AI companies raised more than £6 billion last year, and there are now over 185 UK tech unicorns valued at over $1 billion. The Government have now established the Sovereign AI Unit, backed by up to £500 million, to invest in UK AI companies and support them to become world-leading in critical parts of the AI value chain.
There is much more to do to seize the opportunities of AI. Over the coming year we will continue to bring AI growth zones from designation to delivery, operationalising the Sovereign AI Unit—backed by up to £500 million in funding—and equip millions of workers with the skills they need for the AI age.
But our achievements over the last year show what is possible when ambition meets delivery. If we sustain this pace, Britain will continue not just adapt to technological change, but to shape it in the public interest.
[HCWS1289]
Rural Broadband: Installation
Kanishka Narayan Excerpts(1 week, 5 days ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
It is a pleasure to serve with you in the Chair, Dr Murrison. First and foremost, I thank the hon. Member for Bridgwater (Sir Ashley Fox) for securing today’s debate on the impact of the time taken to install gigabit-capable broadband in rural communities, and for once again drawing to the attention of the House the importance of delivering fast and reliable digital connectivity to them.
I also thank all other hon. Members across the House who have persistently championed the cause of improving rural broadband, and not least for their gift of anticipation when it comes to the speech of the hon. Member for Bridgwater.
Mr Angus MacDonald (Inverness, Skye and West Ross-shire) (LD)
May I intervene, seeing that we have been so generous on interventions?
Mr MacDonald
We have heard about the 78% and the 99%. In north-east Skye we have 3% gigabit availability, and in south Skye we have 4.5%. We are dealing with enormous levels of depopulation among our young, with the number of children under the age of 15 at school halving in the last 15 years. A large part of that is because the place is an internet desert. Can the Minister reflect on that?
Kanishka Narayan
I thank the hon. Member for making that point, and I am very happy to engage with him both individually and with my colleague, the Minister for Digital Economy, on the particular experience of his constituents.
The contributions we have heard today from across the House again highlight just how essential connectivity has become to daily life. We have heard about its centrality to work, education and, as my hon. Friend the Member for Monmouthshire (Catherine Fookes) said, to healthcare, online banking, farming, running a business or simply staying connected with friends and family.
The Government recognise that delays in broadband delivery can be particularly frustrating for rural residents, who often have fewer alternatives than urban residents, and for whom a slow or unreliable internet connection can have a deep impact on their quality of life and economic opportunities. Our mission is to ensure that 99% of premises can access a gigabit-capable connection by 2032. According to the latest figures from the independent website thinkbroadband.com, over 89% of UK premises already have access to a gigabit-capable connection.
Through Project Gigabit, we are targeting precisely the communities that have been highlighted in today’s debate. Commercial roll-out would not otherwise take place for these communities, and public investment is therefore essential. As at the end of September 2025, over 1.3 million premises in rural and hard-to-reach communities across the UK had been upgraded to gigabit-capable broadband through Government-funded programmes. In addition, over 1 million premises are now included in signed Project Gigabit contracts worth £2.4 billion in total.
Luke Myer (Middlesbrough South and East Cleveland) (Lab)
There is a persistent issue in the Stainton and Thornton area of my constituency, which residents have raised with me. Would the Minister commit to meet me to discuss this issue?
Kanishka Narayan
I know my hon. Friend is a deeply committed champion for his constituency, so I would be very happy to meet him—both on my own and with my colleague, the Minister for Digital Economy—to look at the issues in his constituency.
We are making good progress on delivering these contracts. We have already celebrated the completion of the first three Project Gigabit contracts in Northumberland, Teesdale and north Dorset, which marks an important milestone in our programme. These early completions show that the programme is working, and rural communities are beginning to see the benefits of this investment.
The majority of premises receiving Government funding for broadband upgrades continue to be rural. Between April 2024 and March 2025, 89% of the premises benefiting from our interventions in this sector were in rural areas, including proud farming communities. We remain absolutely committed to ensuring that these communities receive the gigabit-capable connectivity they need and deeply deserve.
I also recognise, with honesty, that there have been delays to subsidised roll-out across Devon and Somerset in particular, as a result of premises being descoped from contracts under the earlier superfast broadband programme, including in the constituency of the hon. Member for Bridgwater.
When suppliers encounter financial, operational or technical challenges, I know that rural communities feel the impact the most, and as a proud representative of rural communities in south Wales, I feel it, too. I want to reassure hon. Members that we are closely engaging with Connecting Devon and Somerset, and with suppliers, to establish a clear path forward.
Following the announcement in 2025, descoped premises, particularly in the constituency of the hon. Member for Bridgwater, were made available for suppliers to bring forward proposals under the gigabit broadband voucher scheme. Several suppliers expressed interest, and I am pleased to say that approximately 3,000 premises are now included in approved voucher projects. Around 8,500 descoped premises remain without confirmed commercial or subsidised plans. However, these premises are now being considered for inclusion in the Project Gigabit contract with Openreach. We expect to finalise the amended scope of that contract in the spring. The hon. Member feels that work is urgent, and I do, too.
Approximately 3,100 premises in the hon. Gentleman’s Bridgwater constituency are currently included in the Project Gigabit contract delivered by Openreach, and my hope is that this intervention will deliver gigabit-capable connections to homes and businesses across the constituency, such as those in Nether Stowey, North Petherton and Westonzoyland.
Although 3,400 premises in Bridgwater were descoped from the previous superfast broadband contracts, almost half of those premises have since been connected through a supplier’s commercial roll-out, without the need for public subsidy. The remainder are included within the scope of the current contract change discussions we are undertaking with Openreach.
A healthy, competitive broadband market is fundamental to achieving our national gigabit ambition. Commercial delivery has been and will remain the backbone of the UK’s digital transformation. The majority of gigabit-capable connections have been delivered entirely through private investment. The Government’s role is to create the right environment for such investment to continue at pace. That is why we continue to work in close partnership with both industry and Ofcom to support the roll-out of fibre networks across the UK, including in the most rural and hard-to-reach areas.
Our approach is designed to complement commercial build, not to replace it, ensuring that public funding is targeted only where the market cannot deliver on its own. In July last year, we published a consultation on our draft statement of strategic priorities to Ofcom, setting out the Government’s view on the importance of promoting competition and maintaining a stable regulatory environment that gives investors confidence. A predictable and proportionate regulatory framework is essential for suppliers to continue investing billions in our fibre networks. Ensuring that regulation is not lifted prematurely is central to protecting our consumers, which is why competition must be properly established before we can relax regulatory safeguards. That is the approach needed to deliver long-term benefits.
I know there has been a question about where the Government are in this process. Our draft statement set out our position on infrastructure sharing, which has become one of the sector’s most important enablers of competition. In particular, Ofcom’s physical infrastructure access product has allowed over 100 alternative networks to roll out fibre using Openreach’s ducts and poles, lowering barriers to entry and helping to accelerate competition. We have asked Ofcom to provide greater transparency on how PIA pricing is calculated and set, because transparency is the underpinning driver of confidence for investors.
We are reviewing responses to the consultation on our draft statement of strategic priorities, and we will set out the Government’s conclusions in due course. I of course note the hon. Member’s comments, and we are all hoping for pace as well as rigour in the response to the consultation.
Sir Ashley Fox
I referred to Openreach’s comments to me. It said that it did not believe there is sufficient funding in the spending review for the Government to meet their target of 99% by 2032. Does the Minister believe he has sufficient funding to meet that target?
Kanishka Narayan
Openreach has not made that representation to me. The Government are squarely focused on reaching the 99% target, and we are doing all we can to make sure that all providers are in a place to do so. I am happy to engage with Openreach if it wants to make a representation to me.
To ensure that the commercial market can continue to deliver as fast as possible, the Government remain committed to removing deployment barriers. Whether that is done by reforming wayleave processes, improving access to land and multi-dwelling units, enhancing the co-ordination of street works or accelerating planning decisions, every barrier we remove helps the industry to build networks faster and more efficiently.
Even with the scale of commercial investment and the ambition of Project Gigabit, the expectation is that some remote premises will remain too expensive to reach with gigabit-capable fibre in the immediate term. We are therefore continuing to consider what more we can do to enable high-quality alternatives for those in the “very hard to reach” category. The satellite market is developing at pace. We expect to see more competition in that market imminently, with rapidly improving terminal equipment, higher speeds and falling costs for end users. We continue to monitor and support the development of that market, recognising its role in connecting the most remote communities.
I am conscious of the points made on mobile connectivity, not least those made by the hon. Member for Winchester (Dr Chambers). With increasing 5G coverage from mobile network operators, fixed wireless access is becoming an increasingly viable connectivity option. Ofcom estimates that fixed wireless access delivered over mobile networks is already available to 96% of UK premises, with wireless internet service providers offering fixed wireless access to around 8% of premises.
I thank the hon. Member for Bridgwater for securing this important debate, and I thank all Members who have contributed. In response to the hon. Member for Chester South and Eddisbury (Aphra Brandreth), I want to flag that, since Building Digital UK and Freedom Fibre mutually agreed to terminate the Project Gigabit contract for Cheshire, we have launched a new procurement for Cheshire. We expect it to be in place by the spring, and we will be sure to let her know of its progress.
Let me be clear that, although challenges remain, the Government are acting. We are committed to working at pace with suppliers, local authorities, communities and devolved Governments to ensure that progress continues. Rural communities must not and will not be left behind as we work towards our goal of 99% gigabit coverage. Given that the hon. Member for Bridgwater brought up wider support for rural communities, I put on record that this Government are squarely on the side of rural communities across the UK, which were abandoned by the previous Government on trade negotiations and farming funding and were not given appropriate representation.
Question put and agreed to.
5G Connectivity: Telford and West Midlands
Kanishka Narayan Excerpts(2 weeks, 5 days ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
First and foremost, I thank my hon. Friend the Member for Telford (Shaun Davies) for securing this Adjournment debate. Throughout his entire tenure as the local MP, he has been a relentless champion for the people of Telford on the question of 5G and mobile coverage. He has listened closely to those he represents in person and through surveys. He has represented their voices in the media and to my hon. Friend the Minister for the Digital Economy in the other place, and he has done that again in this debate with both an impressive speech and a deep understanding of Telford.
Mobile coverage is an extremely important topic, which is reflected in the amount of interest shown across from the House in any parliamentary activity on the subject. Access to high-quality, reliable and secure mobile connectivity is critical for people to participate effectively in the modern digital economy. It is essential for day-to-day life in many cases. Whether it is to run a business online, to access essential public services, to manage finances online, to contact GP surgeries or to stay in touch with loved ones, we all need reliable mobile connectivity.
The Government have an ambition for all populated areas to have access to higher-quality stand-alone 5G by 2030. That of course includes Telford and areas right across the west midlands. It is true that Ofcom currently reports that stand-alone 5G is available outside of only 1% of premises across my hon. Friend’s constituency. That is clearly unacceptable. I am also conscious that the picture has slightly updated in recent months, and I will take the opportunity to shine some light on that. The published coverage stats were last collected in July last year, and there has been some improvement in the picture since then. We expect that the figure will further increase significantly in the next report published by Ofcom as reporting catches up with network roll-out.
Mobile network operators are investing significantly to improve coverage and I know that progress continues at pace. I have been assured that that is leading to coverage improvements in many areas, including Telford. The operators’ significant investment plans are public. VodafoneThree has committed £11 billion as a result of the merger, BT has an ambition to deliver stand-alone 5G to 99% of the UK population by the end of financial year 2030, and Virgin Media O2, as part of its mobile transformation plan, committed £700 million of further investment in its mobile network nationwide.
In preparation for this debate, officials have engaged with the operators to understand their specific coverage improvement plans in my hon. Friend’s constituency and across the west midlands. BT has confirmed that, in line with its announcement of October of last year, 99% of residents across the Telford constituency can now access stand-alone 5G. I will come to points of dissatisfaction between that claim and the wider experience of people in Telford imminently.
VodafoneThree has confirmed that stand-alone 5G coverage will increase in the Telford constituency to 100% by its first reporting milestone in 2028, in line with its merger commitments. Virgin Media O2 has made strides to improve mobile coverage across the west midlands, including boosting 4G and 5G capacity across Coventry and deploying stand-alone 5G small cells in Birmingham city centre in 2024. That feedback from operators starts to show the significant progress being made in rolling out stand-alone 5G across Telford and the west midlands region. I encourage all Members to contact the operators if they too would like to understand plans for their constituency.
I am deeply sorry to hear of the difficulties that my hon. Friend reports about the reliability of services in the region. I recognise that in our modern economy and way of life, services need to be reliable for everyone in all parts of the country. Communications providers have legal obligations to ensure that their services are appropriately resilient, as overseen by Ofcom, and I recommend that if customers are having continuing difficulties, as my hon. Friend has mentioned, they can contact their provider and, in the instance of serious and repeated failures, also report to Ofcom.
At this point, may I raise the particular issue that my hon. Friend has highlighted about the discrepancy between people’s lived experience and the reported data? It is an experience familiar to me, both from my constituency and more widely, and Government recognise that there are discrepancies in cases between the lived experience of people and the level of coverage that Ofcom reports.
The launch of our Map Your Mobile tool in June last year was a positive step forward, but the work of our Government does not stop there. We have restated in our proposed statement of strategic priorities for Ofcom the importance of continuing to improve the reporting of mobile coverage, for example, by building on the launch of the tool through the exploration of measured and crowdsourced data. Alongside that, I also point out that the Streetwave coverage checker is a tool available on the River Severn Partnership website which has also been funded by Government and the 5G Innovation Regions project. I am conscious that that, in particular, includes my hon. Friend’s constituency in Telford.
I understand my hon. Friend’s concerns about flooding in his local area. I know he has brought that up with the Department. There are potential safety risks arising when flooding is combined with a lack of mobile signal, and I thank my hon. Friend for raising that important issue. Clearly, it is right to raise the risk to public safety so that it can be looked into and addressed accordingly. In relation to mobile signal, I hope that some of the information provided starts to give him some reassurance on what is available in the local area and what is planned for the future. I am happy to work with him and colleagues from both the Department for Environment, Food and Rural Affairs and the Environment Agency so that the matters that he has raised can be investigated by the correct authorities.
As I know my hon. Friend will be aware, satellite services can provide another new means of connecting residents in otherwise hard-to-reach areas. I am pleased that the rapid advance of low Earth orbit technology for satellites means that the performance of services is also increasing through that measure. As well as satellite services offering home broadband that are already on the market, Vodafone and O2 have both announced that direct-to-mobile device services will launch and be available to consumers this year.
To help operators achieve their ambitious roll-out plans, we continue to work closely with them to identify and remove barriers to deployment where it is practical to do so. That includes implementing the remaining provisions of the Product Security and Telecommunications Infrastructure Act 2022 and launching a call for evidence to see where planning rules can be relaxed to support the deployment of mobile infrastructure. Alongside that work at national level, we have also provided funding to both the west midlands and Shropshire as part of our 5G Innovation Regions programme to increase the uptake of 5G services and to drive investment in networks.
I know that we need to do more to ensure investment in high-quality mobile connectivity. That is why we are undertaking a full mobile market review. We want to understand better the factors impacting investment in widespread high-quality mobile connectivity and what more the Government can do to support it over the long term. We will soon be publishing a call for evidence to support our assessment and we encourage all relevant parties to engage with this process. I also encourage all Members of the House to be champions of digital infrastructure deployment. It is only through working in our constituencies, with constituents and with the local planning authority, that we can together champion digital connectivity.
Finally, I would like to repeat my thanks to my hon. Friend the Member for Telford for securing this debate on such an important topic, and to all Members who have intervened and contributed to the debate today. It would, of course, be remiss of me not to end on a note of acceptance of his kind invitation. I will be very happy, either directly or through my hon. Friend in the other place, to visit him and to support his hard work for the people of Telford.
Science and Discovery Centres
Kanishka Narayan Excerpts(3 weeks, 4 days ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Thank you, Mrs Harris. I pay my due respects to you as the godmother of the Welsh mafia. It is always a pleasure to serve with you in the Chair, but particularly on this occasion. With my hon. Friend the Member for Montgomeryshire and Glyndŵr (Steve Witherden) initiating his first Westminster Hall debate on this deeply important subject, you in the Chair and me responding on behalf of the Government, I am deeply proud that the Welsh enthusiasm for science and technology is right at the heart of the debate.
I thank my hon. Friend the Member for Montgomeryshire and Glyndŵr for securing this important debate on the impact of science and discovery centres on national science and technology priorities. I am grateful to all Members who contributed to the debate. It has been a total delight to hear about the wonderfully distinct flavours of science and discovery centres across the country, and about the distinct stages of our lives at which they have touched us. As my hon. Friend said, they include the experiences of our parents, of our childhood, of our schooling, of our enlightened first girls’ holidays, of our weddings and of our professional work too.
Growing the economy is the Government’s No. 1 priority, and science and technology are central to achieving that ambition. That is why the Government have committed to an unprecedented £86 billion investment in UK research and development over the next five years—the largest ever by any Government. That investment is about driving innovation, creating jobs and securing long-term economic growth. It signals our determination to put science and technology at the heart of our national priorities.
Of that investment, £38 billion is allocated to UK Research and Innovation to deliver our core priorities across the research and innovation buckets. That includes £14 billion for advancing curiosity-driven research, £7 billion to support the formation and growth of innovative companies and £8 billion for funding research into the Government’s priorities, including the industrial strategy priority areas. For the first time, UKRI will map its investments against priority sectors, with £9 billion of direct support for the industrial strategy across buckets 2 and 3. Those allocations reflect our national science and technology priorities, ensuring the UK leads in critical fields such as artificial intelligence, clean energy, advanced manufacturing and life sciences—areas that are essential to our future prosperity.
I am conscious that investment alone is not enough. To turn this unprecedented commitment into real-world impact, we need a world-class STEM workforce—a pipeline of talented individuals equipped to transform ideas into breakthroughs. That is why the Government believe in the value of a strong STEM workforce and have committed to ensuring that everyone, regardless of background, has the opportunity to pursue a rewarding career in science, technology, engineering and maths.
A strong, skilled STEM workforce is vital to delivering innovation, driving productivity and strengthening our country through our mission-led approach. That means inspiring the next generation, broadening participation and ensuring that science does not just happen behind closed doors but belongs to everyone. That is exactly the motivation behind our £187 million TechFirst programme, which will touch the lives of 1 million young people right across the UK.
The Government acknowledge that that is one of the key areas in which science and discovery centres play a deeply important role. Although some centres conduct research, their primary purpose is to serve as cultural institutions and visitor attractions that embed science within the UK’s cultural fabric, making it open, inclusive and aspirational. They maintain strong civic links with schools, teachers, industry, businesses and research partners, and they meet the growing demand for STEM education and learning opportunities for people of all ages, backgrounds and abilities. Through their engagement right across the UK, these centres enrich our cultural life, much like museums and galleries do for art and heritage. They deliver outstanding experiences that spark curiosity, foster critical thinking and build problem-solving skills, which are qualities that collectively drive innovation.
The Explore Your Universe: Valuing Inclusion programme has taken hands-on science into schools and communities that rarely have access to those opportunities, building confidence and inspiring future STEM careers. The Life Science Centre in Newcastle and Dynamic Earth in Edinburgh are active delivery partners in this national programme, bringing inclusive, practical physical science engagement to schools and families.
Through Next Gen Earth, centres are connecting young people with climate and environmental science, linking classroom concepts to real-world data and local action. The Centre for Alternative Technology in the constituency of my hon. Friend the Member for Montgomeryshire and Glyndŵr continues to play a leading role in this programme, helping young people to engage with climate science through hands-on workshops and youth-led projects. Mindsets + Missions has supported new ways for science and discovery centres and museums to co-create with local audiences, strengthening trust, inclusion and civic value, alongside scientific literacy. UKRI support, through its research councils, has been pivotal in enabling those programmes, aligning public investment with priority sectors and ensuring that research outcomes reach learners, teachers and under-represented communities nationwide.
The scale of these centres’ reach is remarkable. In 2024 alone, they welcomed over 5.2 million visitors, including hundreds of thousands of schoolchildren and families. More than 450,000 people from disadvantaged or under-represented communities were able to access the centres free of charge. Over the past two years, science and discovery centres have worked with 37% of UK schools, supporting the science curriculum and STEM skills in 96% of parliamentary constituencies. Importantly, these centres help us to tackle one of the biggest challenges in science and technology: diversity. Last year, 55% of visitors were female, and targeted outreach programmes are bringing science to communities that have historically been excluded from STEM careers.
Close to my heart, I am particularly excited about the way in which the centres speak to diversity of place as well, ensuring an offer for rural places, such as those highlighted by my hon. Friends the Members for Montgomeryshire and Glyndŵr and for Widnes and Halewood (Derek Twigg). That is the case right across every part of our Union, as represented so ably by Members’ contributions today from across England, Scotland, Northern Ireland and Wales—diversity not just in theory, but in practice.
I listened carefully to the concerns expressed by Members about the financial and operational challenges faced by the centres. As highlighted, many have ageing infrastructure, which needs replacement, and many operate as charities without a consistent funding stream. They often rely on low ticket prices to ensure that accessibility is a priority and to deliver on inclusive community engagement. I recognise those pressures, as we do right across Government, and we understand the difficult decisions that many centres face, but with limited income sources and major infrastructure needs, building financial resilience will be a key part of long-term success for the centres. I know that they will reflect on diversifying income and exploring innovative ways to strengthen sustainability as part of the solution.
I am also keen to highlight the available funding streams that UKRI will continue to provide, some of which may be of relevance and support to the centres. I am conscious of the focus on investment that delivers the greatest impact across the centres—working with centres to develop sustainable models and innovative partnerships will deliver on resilience and value for money.
Dr Sullivan
To clarify on UKRI, will the Government therefore allow it to distribute funds to the science centres? Will the Minister clarify the point that he made?
Kanishka Narayan
I thank my hon. Friend for her question and for her experience of science societies that she described so vividly. Historically, as I mentioned, UKRI has funded specific programmes. I am conscious that where there is available programme funding for eligible centres, they ought to ensure that they apply for it. I am keen to make sure that UKRI is working keenly and engaging with the centres, flagging up such funds as relevant.
Looking ahead, we remain committed to strengthening the STEM pipeline in collaboration with science and discovery centres, UKRI and industry, so that together we can inspire the next generation and secure the UK’s future as a science and technology leader. We will continue to champion programmes that broaden participation and that embed science in our culture, while exploring practical ways to support the infrastructure that enables the centres to thrive, always guided by the principle of long-term sustainability.
I am particularly conscious of the questions asked by Members from across the House. In response to the question about departmental engagement, I am keen—I have turned up here—that DSIT engages closely, but I am also conscious that the cultural contribution of discovery centres is a fundamental part of what motivates them and those who visit them. I am therefore keen to commit to close cross-Government working right across DCMS, DSIT and any other Departments.
I am keen not just to meet the low bar of having turned up to the debate as a Minister, but to take up the requests of hon. Members across the House to ensure that today is the start of the conversation, not the end of it. I am therefore delighted to commit to a meeting with my hon. Friend the Member for Montgomeryshire and Glyndŵr and with the Association for Science and Discovery Centres to progress the conversation in a tangible way as well.
On the question of potential sources of funding, whether underspends or Treasury, I am afraid that I have neither the power, nor—on this occasion—the willingness to commit to particular sources of funding and to write a fiscal event live in this debate, but I have heard loud and clear the concerns expressed about the funding resilience of science and discovery centres.
It would be remiss of me not to pay a personal tribute to the science and discovery centres. As true as the preference for magazines of the hon. Member for Winchester (Dr Chambers) is, it is also true that growing up faced with the choice between Techniquest in Cardiff Bay, and the cinema and bowling alley neighbouring it, I made a commitment to my parents—and I commit the same to the House—that my preference was always Techniquest.
On that note, I thank all Members who have spoken today. The debate has highlighted not only the extraordinary contribution of science and discovery centres, but the shared responsibility that we all have to ensure that they succeed in a sustainable way, and that the inclusive way in which they engage young people and families right across this country is maintained for as long as possible.
AI Safety
Kanishka Narayan Excerpts(1 month, 4 weeks ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
It is a pleasure to serve with you in the Chair, Ms Butler, for my first Westminster Hall debate. It is a particular pleasure not only to have you bring your technological expertise to the Chair, but for the hon. Member for Strangford (Jim Shannon) to be reliably present in my first debate, as well as the UK’s—perhaps the world’s—first AI MP, my hon. Friend the Member for Leeds South West and Morley (Mark Sewards). It is a distinct pleasure to serve with everyone present and the expertise they bring. I thank the hon. Member for Dewsbury and Batley (Iqbal Mohamed) for securing this debate on AI safety. I am grateful to him and to all Members for their very thoughtful contributions to the debate.
It is no exaggeration to say that the future of our country and our prosperity will be led by science, technology and AI. That is exactly why, in response to the question on growth posed by the hon. Member for Runnymede and Weybridge (Dr Spencer), we recently announced a package of new reforms and investments to use AI to power national renewal. We will drive growth through developing new AI growth zones across north and south Wales, Oxfordshire and the north-east, creating opportunities for innovation by expanding access to compute for British researchers and scientists.
We are investing in AI to drive breakthroughs in developing new drugs, cures and treatments. But we cannot harness those opportunities without ensuring that AI is safe for the British public and businesses, nor without agency over its development. I was grateful for the points made by my hon. Friend the Member for Milton Keynes Central (Emily Darlington) on the importance of standards and the hon. Member for Harpenden and Berkhamsted (Victoria Collins) about the importance of trust.
That is why the Government are determined to make the UK one of the best places to start a business, to scale up, to stay on our shores, especially for the UK AI assurance and standards market. Our trusted third-party AI assurance roadmap and AI assurance innovation fund are focused on supporting the growth of UK businesses and organisations providing innovative AI products that are proven to be safe for sale and use. We must ensure that the AI transformation happens not to the UK but with and through the UK.
In consistency with the points raised by my hon. Friend the Member for Milton Keynes Central, that is why we are backing the sovereign AI unit, with almost £500 million in investment, to help build and scale AI capabilities on British shores, which will reflect our country’s needs, values and laws. Our approach to those AI laws seeks to ensure that we balance growth and safety, and that we remain adaptable in the face of inevitable AI change.
On growth, I am glad to hear the points made by my hon. Friend the Member for Leeds South West and Morley about a space for businesses to experiment. We have announced proposals for an AI growth lab that will support responsible AI innovation by making targeted regulatory modifications under robust safeguards. That will help drive trust by providing a precisely safe space for experimentation and trialling of innovative products and services. Regulators will monitor that very closely.
On safety, we understand that AI is a general-purpose technology, with a wide range of applications. In recognition of the contribution from the hon. Member for Newton Abbot (Martin Wrigley), I reaffirm some of the points he made about being thoughtful in regulatory approaches that distinguish between the technology and the specific use cases. That is why we believe that the vast majority of AI should be regulated at the point of use, where the risk relates and tractable action is most feasible.
A range of existing rules already applies to those AI systems in application contexts. Data protection and equality legislation protect the UK public’s data rights. They prevent AI-driven discrimination where the systems decide, for example, who is offered a job or credit. Competition law helps shields markets from AI uses that could distort them, including algorithmic collusion to set unfair prices.
Sarah Russell
As a specialist equality lawyer, I am not currently aware of any cases in the UK around the kind of algorithmic bias that I am talking about. I would be delighted to see some, and delighted to see the Minister encouraging that, but I am not sure that the regulatory framework would achieve that at present.
Kanishka Narayan
My hon. Friend brings deep expertise from her past career. If she feels there are particular absences in the legislation on equalities, I would be happy to take a look, though that has not been pointed out to me, to date.
The Online Safety Act 2023 requires platforms to manage harmful and illegal content risks, and offers significant protection against harms online, including those driven by AI services. We are supporting regulators to ensure that those laws are respected and enforced. The AI action plan commits to boosting AI capabilities through funding, strategic steers and increased public accountability.
There is a great deal of interest in the Government’s proposals for new cross-cutting AI regulation, not least shown compellingly by my right hon. Friend the Member for Oxford East (Anneliese Dodds). The Government do not speculate on legislation, so I am not able to predict future parliamentary sessions, although we will keep Parliament updated on the timings of any consultation ahead of bringing forward any legislation.
Notwithstanding that, the Government are clearly not standing still on AI governance. The Technology Secretary confirmed in Parliament last week that the Government will look at what more can be done to manage the emergent risks of AI chatbots, raised by my hon. Friend the Member for York Outer (Mr Charters), my right hon. Friend the Member for Oxford East, my hon. Friend the Member for Milton Keynes Central and others.
Alongside the comments the Technology Secretary made, she urged Ofcom to use its existing powers to ensure AI chatbots in scope of the Act are safe for children. Further to the clarifications I have provided previously across the House, if hon. Members have a particular view on where there are exceptions or spaces in the Online Safety Act on AI chatbots that correlate with risk, we would welcome any contribution through the usual correspondence channels.
Kanishka Narayan
I have about two minutes, so I will continue the conversation with my hon. Friend outside.
We will act to ensure that AI companies are able to make their own products safe. For example, the Government are tackling the disgusting harm of child sexual exploitation and abuse with a new offence to criminalise AI models that have been optimised for that purpose. The AI Security Institute, which I was delighted to hear praised across the House, works with AI labs to make their products safer and has tested over 30 models at the frontier of development. It is uniquely the best in the world at developing partnerships, understanding security risks, and innovating safeguards, too. Findings from AISI testing are used to strengthen model safeguards in partnership with AI companies, improving safety in areas such as cyber-tasks and biological weapon development.
The UK Government do not act alone on security. In response to the points made by the hon. Members for Ceredigion Preseli (Ben Lake), for Harpenden and Berkhamsted, and for Runnymede and Weybridge, it is clear that we are working closely with allies to raise security standards, share scientific insights and shape responsible norms for frontier AI. We are leading discussions on AI at the G7, the OECD and the UN. We are strengthening our bilateral relationships on AI for growth and security, including AI collaboration as part of recent agreements with the US, Germany and Japan.
I will take the points raised by the hon. Members for Dewsbury and Batley, for Winchester (Dr Chambers) and for Strangford, and by my hon. Friend the Member for York Outer (Mr Charters) on health advice, and how we can ensure that the quality of NHS advice is privileged in wider AI chatbot engagement, as well as the points made by my hon. Friend the Member for Congleton and my right hon. Friend the Member for Oxford East on British Sign Language standards in AI, which are important points that I will look further at.
To conclude, the UK is realising the opportunities for transformative AI while ensuring that growth does not come at the cost of security and safety. We do this through stimulating AI safety assurance markets, empowering our regulators and ensuring our laws are fit for purpose, driving change through AISI and diplomacy.
Draft Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2025
Kanishka Narayan Excerpts(2 months, 3 weeks ago)
General CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I beg to move,
That the Committee has considered the draft Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2025.
It is a pleasure to serve under your chairmanship, Mr Vickers. The draft regulations were laid before the House on 21 October. Before I proceed, I draw the Committee’s attention to the correction slip that was issued for the regulations in October. It relates to minor drafting changes in respect of the date of the Sexual Offences Act 2003 in the explanatory memorandum and the order of the words in the title of the offence inserted by paragraph (2) of regulation 2.
The Government have committed to taking decisive action against the most severe and damaging online harms. Through this statutory instrument, we are strengthening the Online Safety Act 2023 by creating new priority offences to tackle cyber-flashing and self-harm. This will ensure that platforms take stronger, more proactive steps to protect users from these harms.
There is compelling evidence that cyber-flashing and content encouraging self-harm are widespread and cause serious harm to individuals. The frequency of these harms is significantly higher among young age groups: of those aged 18 to 24, 9% had experienced cyber-flashing and 7% had experienced content encouraging self-harm. That means that across the country around 530,000 people in that age group have seen cyber-flashing and around 450,000 have seen self-harm content. That is clearly unacceptable.
Some 27% of UK users who were exposed to cyber-flashing reported significant emotional discomfort, and exposure to self-harm content has been shown to worsen mental health. A 2019 study found that 64% of Instagram users in the US who were exposed to self-harm content were deeply emotionally disturbed by it, and a 2018 study found that 8% of adults and 26% of children aged eight to 18 who were hospitalised after self-harming had encountered self-harm or suicide-related content online. Those figures demonstrate that the content is not isolated but widespread. It affects a significant portion of the online population.
As Members will know, the Online Safety Act, which received Royal Assent on 26 October 2023, places strong duties on platforms and services to protect users. Providers must assess how likely their services are to expose users to illegal content or to be used to commit or facilitate priority offences. Providers then need to take steps to mitigate the identified risks, including by implementing safety-by-design measures to reduce risks and content moderation systems to remove illegal content when it appears. The Act sets out a list of priority offences for the purposes of providers’ illegal content duties. Those relate primarily to the most serious and prevalent online illegal content and activity. Platforms need to take additional steps to tackle such illegal activity under their illegal content duties.
The draft regulations will add cyber-flashing and content encouraging self-harm to the list of priority offences under the Act. The offences are currently covered under the Act’s general illegal content duties, but without priority status. Without that status, platforms are not obliged to carry out specific risk assessments for harm to users that derives from this kind of harmful content or to put in place measures to prevent users from seeing such content in the first place. Stakeholders have welcomed the additions. Charities such as the Molly Rose Foundation and Samaritans have long campaigned for strengthened protections for vulnerable users.
The changes to the Act will take effect 21 days after the regulations are made, which can be done after the regulations are approved by both Houses. Ofcom, as the online safety regulator, sets out in codes of practice the measures that providers can take to fulfil their statutory illegal-content duties. The safety duties on providers to prioritise tackling self-harm and cyber-flashing will fully take effect when Ofcom makes the relevant updates to its codes on the measures that can be taken to fulfil the duties.
We anticipate that Ofcom will recommend that providers should take action in a number of areas. It could include content moderation, reporting and complaints procedures, and safety-by-design steps, such as providers testing algorithm systems to see whether illegal content is being recommended to users. Where providers fail to meet the duties, such as by not having proportionate measures to remove and proactively prevent this vile material from appearing on their platforms, Ofcom has robust powers to take enforcement action against them, including a power to impose fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is the higher.
The statutory instrument upgrades cyber-flashing and self-harm content to priority status, thereby strengthening the impact of the Online Safety Act and protecting users from such content. Service providers will be required to take more proactive and robust action to protect, remove and limit exposure to this kind of illegal content. That will ensure that platforms take stronger steps to protect users, reduce the prevalence of these behaviours online and help to make the internet a safer place for everyone.
Kanishka Narayan
I thank Committee members for their valuable contributions to the debate. The update in the regulations will bring us closer to achieving the Government’s commitments to improve online safety and strengthen protection for women and girls online. We believe that updating the priority offences list with the new cyber-flashing and self-harm content offences is the correct, proportionate and evidence-led approach to tackling this type of content, and it will provide stronger protections for online users.
I will now respond to the questions asked in the debate; I thank Members for the tone and substance of their contributions. The shadow Minister, the hon. Member for Runnymede and Weybridge, raised the use of VPNs. As I mentioned previously in the House, apart from an initial spike we have seen a significant levelling-off in the usage of VPNs, which points to the likely effectiveness of the age-assurance measures. We have commissioned further evidence on that front, and I hope to bring that to the House’s attention at the earliest opportunity.
The question of chatbots was raised by the shadow Minister, by the hon. Member for Bromley and Biggin Hill, and by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted. Let me first clarify what I previously mentioned in the House: the legislation covers not only chatbots that allow user-to-user engagement but those that involve one-to-AI engagement and live search. That is extensive coverage of chatbots—both those types are within scope of the Online Safety Act.
There may be further gaps in the Act that pertain to aspects of the risks that Members have raised, and the Secretary of State has commissioned further work to ensure that we keep up with fast-changing technology. A number of the LLMs in question are covered by the Act, given the parameters that I have just defined. Of course, we will continue to review the situation, as both scope and risk need to evolve together.
Dr Spencer
I hope the Minister takes this in a constructive spirit. Concerns have been raised across the House as to the scope of the OSA when it comes to LLMs and the different types and variations of chatbots, which are being used by many people right now. Is he not concerned that he as the Minister, and his Department, are not able to say at the Dispatch Box whether they believe LLMs are completely covered in the scope of the OSA? Has he received legal advice or other advice? How quickly will he be able to give a definitive response? Clearly, if there is a gap, we need to know about it and we need to take action. It surely puts the regulator and the people who are generating this technology in an invidious position if even Her Majesty’s Government think there is a lack of clarity, as he put it, on the scope of the applicability of the OSA to new technologies.
Kanishka Narayan
Let me be clear: there is no lack of clarity in the scope of the Bill. It is extremely clear to a provider whether they are in scope or not. If they have user-to-user engagement on the platform, they are in scope. If they have live search, which is the primary basis in respect of many LLMs at the moment, they are in scope. There is no lack of clarity from a provider point of view. The question at stake is whether the further aspects of LLMs, which do not involve any of those areas of scope, pose a particular risk.
A number of incidents have been reported publicly, and I will obviously not comment on individual instances. The Online Safety Act does not focus on individual content-takedown instances and instead looks at a system. Ofcom has engaged firms that are very much in scope of the Act already. If there are further instances of new risks posed by platforms that are not currently within the scope of the Online Safety Act, we will of course review its scope and make sure we are moving fast in the light of that information.
The hon. Member for Harpenden and Berkhamsted asked about child sexual abuse material. I was very proud that we introduced amendments last week to the Crime and Policing Bill to make sure that organisations such as the Internet Watch Foundation are engaged, alongside targeted experts, particularly the police, in spotting CSAM content and risk way before AI models are released. In that context, we are ensuring that the particular risks posed by AI to children’s safety are countered before they escalate.
On the question about Ofcom’s spending and capacity more generally to counter the nature of the risk, the spending cap at Ofcom allows it to enforce against the offences that we deem to be priority offences. In part, when we make the judgment about designating offences as a priority, we make a proportionate assessment about whether we believe there is both severity and the capacity context for robust enforcement. I will continue to review that situation as the nature of the offences changes.
Finally, I am glad that the Government have committed throughout to ensure that sexually explicit non-consensual images, particularly deepfakes, are robustly enforced against. That remains the position. I hope the Committee agrees with me on the importance of updating the priority offences in the Online Safety Act as swiftly as possible. I commend the regulations to the Committee.
Question put and agreed to.