(4 days, 11 hours ago)
Commons Chamber
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I thank the hon. Member for St Neots and Mid Cambridgeshire (Ian Sollom) for bringing this important debate to the House. A number of hon. Members have mentioned bereaved families, and I want to pay tribute to all those families. Ian Russell—with whom I have had a series of meetings, including this morning—Stuart and Amanda Stephens, Ellen Roome and so many others have gone through the most horrific of tragedies, and despite that, they have consistently fought for appropriate action for other families. I carry them in my heart and mind when I think about the prospect of online safety regulation doing justice to future generations of children in this country.
I am grateful to the hon. Member for St Neots and Mid Cambridgeshire and to the other Members who made contributions on this important topic. In the interest of time, I propose to prioritise responses to them individually before talking about the wider context. First and foremost, I thank the hon. Member for St Neots and Mid Cambridgeshire for doing a stocktake of progress on the child safety and illegal content duties so far. He will be aware that Ofcom is due to report on content harmful to children and progress on that question this year. I understand that will be due by October, and I look forward to its findings to assess where we can go further still.
The only other thing I will flag to the hon. Member for St Neots and Mid Cambridgeshire is that the national consultation we have launched on children’s wellbeing includes the question of functionality limitations. The functionalities that he talked about—algorithmic recommendations and the structural aspects that make parts of social media particularly harmful to children—will be in scope. I would very much welcome his submissions on that as well.
I thank my hon. Friend the Member for Blaydon and Consett (Liz Twist) for her consistent advocacy on this question, and for the roundtable she held with the Mental Health Foundation and the Molly Rose Foundation, which I was glad to attend. I thank her for not just shining a light and keeping a consistent focus across the House on the scale of the problem, but flagging the diversity of views on how we should tackle it most effectively. I have been in schools pretty much every week since the launch of the consultation. I was with young people just this morning, and I will be in a school next week. She is right to raise the diversity and depth of views held on how we act, not whether we act.
My hon. Friend the Member for Blaydon and Consett raised concerns about the suicide forum, which my hon. Friend the Member for Cowdenbeath and Kirkcaldy (Melanie Ward) also mentioned. I share those concerns, and I have engaged with Ofcom to ensure that it is acting quickly and robustly. I had a meeting with one of the bereaved families just this morning. I will continue to ensure that Ofcom does everything it can with the powers it has, and that we continue to look at any further powers required to ensure we act robustly to prevent any such incidents happening again. I would, of course, be delighted to meet my hon. Friend the Member for Blaydon and Consett to continue that conversation.
I have had the privilege of engaging with the hon. Member for Bath (Wera Hobhouse) on the illegal sale of drugs; I know that she has been, quite rightly, actively advocating on that question. She will be aware that it has been deemed a priority offence. Ofcom is closely monitoring compliance. I know there is more to do; she has made that point very firmly to me. I will also inform her that the National Crime Agency is looking to identify offenders operating online, both nationally and internationally. She made a very important point on covert filming, and we will take what she raised into consideration. Systems that are designed to remove such content will now have to do so within 48 hours of non-consensual intimate images being put up online. I will continue to look at the implementation of that measure once it comes into force.
My hon. Friend the Member for Gravesham (Dr Sullivan) raised very important points about the impact of social media usage on brain development, which is one motivating factor for our consultation. We are looking at not just acute harms, but the chronic impact over time of engagement on social media. I am grateful to her for raising the point that there is a suite of options that might be appropriate. I very much share her intent that, at the heart of it, the action we take will make platforms, not young people, responsible for the harms being conducted online.
I thank my hon. Friend the Member for Heywood and Middleton North (Mrs Blundell) for advocating on the questions of misinformation and community cohesion, both in her community and nationally. On her point about misinformation and the erosion of public trust, which was also made by the shadow Minister, the hon. Member for Runnymede and Weybridge (Dr Spencer), there is a very clear foreign interference offence in the Online Safety Act. I will continue to look at the implementation of that. Alongside that, I serve on the defending democracy taskforce with the Security Minister. This is a priority question that we have been looking at. I will continue to ensure that we do more to press the enforcement of existing law and to look at where we can go further still.
Both my hon. Friend the Member for Heywood and Middleton North and my hon. Friend the Member for Rochdale (Paul Waugh) raised important points about community cohesion, and how we must use online experiences not to divide but to unite our communities. In that context, we have taken a series of initiatives on media literacy to support the ability to sift fact from fiction across our communities. The foreign interference provisions in the Online Safety Act are also a key vector of enforcement against the causes described.
On antisocial behaviour, I would be interested, in the light of the consultation, to hear from my hon. Friend the Member for Cowdenbeath and Kirkcaldy about where the headteachers and young people she has engaged with think we ought to go. I agree with her on the divisive impacts, and we will continue to look not just at illegal content but at how we empower users in relation to divisive content that, individually, might be legal but, collectively, ends up being deeply harmful to community cohesion, as well as to democratic integrity.
My hon. Friend the Member for Reading Central (Matt Rodda) reaffirmed the point that he has made to me in person about this issue. I pay tribute again to Stuart and Amanda Stephens, who have gone through the most horrific tragedy in their family. I am deeply grateful for their grit and resilience through it, and for my hon. Friend’s advocacy alongside them. He asked me for a sense of direction on where the consultation is going. I will not pre-empt its substantive content, but we have had almost 25,000 responses—I hope and expect that this will be the most engaged-with consultation in the history of British national consultations—including thousands of young people. We have designed a dedicated version of the consultation for young people as well as one for parents and carers. I am keen to hear my hon. Friend’s views from his engagement, as well as those of other Members.
My hon. Friend the Member for Rochdale raised a very important point about the documentary “Inside The Manosphere”, the growing cause of misogyny in this country and this Government’s priority of tackling violence against women and girls. He will be aware that in December, we published our landmark cross-Government violence against women and girls strategy. That was the underpinning force for our making cyber-flashing and intimate image abuse priority offences in this country, banning the creation of nudification apps and banning people from creating and sharing that content, and it is why we are going further still in ensuring that such content is taken down robustly and quickly, within 48 hours. On the point that he and my hon. Friend the Member for Heywood and Middleton North raised about the growing prevalence of antisemitism and division online, I look forward to an imminent meeting with the Antisemitism Policy Trust to figure out how we can go further not just in law but in terms of awareness of it across our communities.
I turn to the contribution from the Liberal Democrat spokesperson, the hon. Member for Winchester (Dr Chambers). I have met the Liberal Democrat Front-Bench team to talk about their suggestions on functionalities and age ratings. I would of course be happy to continue the conversation, and I encourage them to contribute to the consultation.
Finally, the shadow Minister, the hon. Member for Runnymede and Weybridge, raised a very important point about chatbots. I hope it is very clear that chatbots ought never to replace professional support. We will continue to look at that, and I will update the House when we have decided on specific steps. We announced just yesterday that we are looking at the issues of labelling and personality rights, and I hope to update the House on them soon.
(1 week ago)
Written Statements
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Today I am laying before Parliament the Government’s media literacy action plan. It sets out our commitment to fostering a safe, informed and resilient digital society.
Media literacy is an essential everyday skill that supports people to understand and take part in modern life. It helps people of all ages to: make sense of the information they encounter online and assess whether it is reliable; communicate safely; and navigate the internet with confidence. It supports understanding of how platforms and new technologies, including artificial intelligence, shape what people see and share, and enables informed choices about personal information. It also supports participation in everyday activities, including exploring new interests, connecting with others and taking part in democratic life. It is central to digital inclusion and to ensuring that people can benefit from online services and opportunities.
The importance of media literacy, and the need for cross-Government co-ordination, was highlighted by the Lords Communications and Digital Committee in its 2025 inquiry. While the Online Safety Act 2023 provides the regulatory foundation for safer online experiences, regulation alone cannot address the challenges created by misleading information, harmful content and rapid technological change. Significant work on media literacy is already taking place, with Government Departments, Ofcom, charities, educators, libraries and industry partners delivering media literacy activity across the UK. Education and public empowerment are essential, and the Government’s wider programme of work, including the consultation, “Growing up in the online world: a national consultation”, will support skills development and help to build resilience across society.
This plan sets out a clear approach for a single, co-ordinated, cross-Government framework for the next three years, establishes shared principles and priority areas for action, and provides a clearer picture of the support available across the UK. The Department for Science, Innovation and Technology has provided funding for a pilot media literacy campaign, and the plan otherwise integrates media literacy into existing initiatives within departmental budgets.
Over the next three years, the Government will focus on priorities in building public awareness of media literacy and supporting access to trusted information; preparing children and young people for a digital future; boosting local initiatives to support people facing barriers to participation; and ensuring a coherent, co-ordinated approach across Government and with partners beyond it.
Through this work, the Government’s ambition is to ensure that everyone can take part in the online world with confidence and benefit fully from the opportunities it offers.
[HCWS1399]
(1 week, 5 days ago)
Westminster Hall
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the official record
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
It is a pleasure to serve with you in the Chair, Mr Betts. I thank the hon. Member for Bromley and Biggin Hill (Peter Fortune) for securing this important debate on Government support for UK-based tech companies. I am grateful to him and to all other hon. Members across the Chamber for their contributions. They did a sterling job of showing that the UK is truly a buzzing tech economy in every single part of the country—right across the constituencies represented here and beyond.
This Government are committed to supporting the UK’s thriving tech ecosystem. We are proud to be home to the largest tech sector in Europe, valued at nearly £1 trillion. The success of UK-based technology firms benefits us all. These are some of the fastest growing parts of the economy and are already employing millions of people. The innovations they bring are delivering major benefits to people and communities right across the country, transforming everything from the way we work to how we manage our health.
Given the luxury of time, I propose to respond to each of the points raised by hon. Members. First, I very much appreciate the points on competition policy made by the hon. Member for Bromley and Biggin Hill, and shared by the shadow Minister, the hon. Member for Hornchurch and Upminster (Julia Lopez). Of course, I am reluctant to mention any specifics about the interventions, investigations or engagements the CMA is pursuing as an independent regulator. As the shadow Minister acknowledged, the commitments that the CMA has looked at could be quicker than a full conduct requirement process.
The CMA assures the Government that it continues to monitor firm compliance. If Apple and Google fail to meet their commitments, the CMA will consider the use of statutory powers to take further action. I am conscious that it has just finished consulting, as the shadow Minister mentioned, on the first set of remedies and commitments in the light of the designations of Google, in search, and Apple and Google, in mobile platform markets. I expect very soon to hear greater detail, as well as firm timelines, on that particular point.
The virtue of the previous Government’s digital markets regime is that it is flexible and proportionate, and allows for some remedies that are quicker, and others, where this is due, that are more robust. The Government expect that the CMA will act in line with its growth and competition mandate. Those two issues overlap much more than we often give the CMA credit for.
I will briefly take the opportunity to address the shadow Minister’s history of the UK tech sector over the last 14 years. Having been in that sector through part of that time, although I very much value the growth seen in the period, I am also conscious of the particular fact that drove me into politics: over that entire period—one of the most productive periods in global technology markets—no one growing up in this country ever saw a company go from zero to the global top 10; in the United States, in that same period, people saw eight out of those top 10 companies do that. The levels of capital investment and IT in this country were materially below those of the United States. When the shadow Minister talks about the benchmark as being European growth, I fear I have to say, given that it is ambition season among Conservative Front Benchers, that she might consider joining that and raising the ambition to being a global first, not just a European-relative first.
In that period, as the hon. Member for Bromley and Biggin Hill and the shadow Minister noted, power concentrated in the cloud market in particular and right across US big tech. It was clear to me at the time that the Government were much more focused on engagement with US big tech and exactly the trend that the shadow Minister described—the power concentrated in the cloud market.
The shadow Minister’s points on agentic AI are very well made. I will make sure that we think about that deeply and engage with the CMA on the implications for agentic AI, the possibility of bundling and the limited competition that might result.
My hon. Friend the Member for Caerphilly (Chris Evans) raised the virtues of the Welsh ecosystem. It is an ecosystem that I know and deeply value personally. I particularly value my hon. Friend’s advocacy for Academii, in his constituency. His point about clusters anchored by Welsh universities is really well made. As a Government, we have committed over £1.5 billion to the question of how research translates into commercialisation. I would be happy to engage further with him on any particular instances where the Government can do more, in his constituency and beyond.
My hon. Friend the Member for Leeds South West and Morley (Mark Sewards)—the AI MP—who is no longer in his place, made a similar and important point about Leeds’s Nexus hub. I have visited Leeds in this role, and I particularly value the contributions of Leeds’s tech sector to healthcare and financial services innovation.
The hon. Member for Tunbridge Wells (Mike Martin) made a deeply important point about procurement, which was shared by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted (Victoria Collins). I have a particular interest in defence procurement that I hope to come to more fully in my speech.
The hon. Member for Tiverton and Minehead (Rachel Gilmour), who is no longer in her place, has always been a strong champion for family businesses in the contexts of technology and agriculture. I share her ambition for UK tech businesses to start, scale and stay here.
My hon. Friend the Member for Weston-super-Mare (Dan Aldridge) has deep experience, and is also no longer in his place—despite that experience. I agree with him that although our policy is often in a good place, there is a lot more for us to do to spread awareness of that policy. I would be happy to visit him, and others, to be a small part of spreading that awareness.
I thank my hon. Friend the Member for Paisley and Renfrewshire North (Alison Taylor) for her strong advocacy for the innovation zone, both prior to and subsequent to coming to this House. She has won £38.7 million for travel support in particular and transport support more generally in that innovation zone. I will say how excited I am about the historic growth in AI investment in the wider region, which I hope will create a series of opportunities for investment, and opportunities for young people growing up in and around Glasgow to take part in it.
My hon. Friend’s mention of photonics is deeply important. Photonics is not just a British strength but an increasingly important vector for national security strength globally in the semiconductor context. I am grateful to her for championing that subsector.
In response to the hon. Member for Strangford (Jim Shannon), I note that Northern Ireland is indeed close to my heart. I grew up visiting Northern Ireland and Belfast for lots of debating competitions. He will be glad to hear that, in this role, I was back in Northern Ireland at the artificial intelligence collaboration centre at Ulster University, seeing not just the world-leading cyber capabilities in Belfast and Northern Ireland but the transformational effect that Ulster University’s investments have had on the city by creating opportunities for young people. He will also be glad to hear that just this morning, I spent time with the Secretary of State for Northern Ireland talking about our shared ambition to do even more to support the cyber and AI sectors in Northern Ireland.
The points of the hon. Member for West Dorset (Edward Morello) about energy tech were well made. I feel very strongly that our plans on clean energy are best pursued if they make the most of AI and modern technology. I think that they are pursued with a deeper sense of building public consensus if we are able to show that our clean energy values align with our prosperity aspirations around AI and technology, not just domestically but through Britain’s ability to export lessons and technology to other places, and to move the needle on global climate change.
Edward Morello
Shortly before the debate, the Minister said he would like to visit Weston-super-Mare and other locations. I invite him to beautiful West Dorset to visit the fibre optics company Sintela, which is one of the UK’s biggest success stories.
Kanishka Narayan
I have a 100% record so far of committing to visits when asked. I do not want to set too much of a precedent, but given the numbers in the room, I would be happy to take the hon. Member up on his kind offer as well.
The hon. Member also made an important point about SME representation on trade missions; on the three international visits that I have been on—to the US, South Korea and India—we have been primarily focused on SMEs. If he has recommendations of firms that would benefit from such engagement, I would be keen to take him up on them—perhaps we can discuss that in West Dorset during my visit. On word clouds, which he mentioned—I know a thing or two about word clouds—he is right about the presence of the word “ecosystem”. I would add “deeply thriving” to that, because that is what Britain’s ecosystem is.
I am delighted to hear about the history of entrepreneurship in the family of the Liberal Democrat spokesperson, and I am keen on any lessons from her mother about Twitter engagement. I also share and value her ambition for more entrepreneurship; that dream is shared across the House as well. I will come to her five points, which I think the Government are equally focused on.
I will now set out some of the things that the Government are doing. As I mentioned, we start from a position of considerable global strength. Four of the world’s top 10 universities are in the UK, and we have a proud history of technological innovation, but there is clearly more to be done. That is why, in our modern industrial strategy, we set out the first dedicated plan to support the UK’s digital and technologies sector, alongside a separate plan for life sciences. For digital and technologies, we have focused on six frontier technologies with the greatest potential to drive growth: advanced connectivity, AI, cyber-security, engineering biology, quantum and semiconductors. By 2035, we want the UK to be one of the world’s top three places to create, invest and scale up a fast-growing technology business.
Building on the industrial strategy, we went further still at the 2025 autumn Budget. We set out a package of additional support for founders and innovators to start and scale businesses here in the UK, including reforms to Government procurement, tax and our public finance institutions. As the Chancellor made clear, the Government are backing the next generation of UK tech start-ups and entrepreneurs. These plans are about making sure that we are supporting our tech companies at every stage of their development.
A great tech company starts with an idea. That is why we are making a record public investment in R&D, with spending rising to £22.6 billion by 2029-30. We have one of the most generous R&D tax credit relief systems in the entire world, and I have personally heard testament to that from a series of founders in the UK ecosystem, not least in AI, over the past few weeks.
Through our industrial strategy, we are also making sure that investment is targeted to bring innovation to market, with £7 billion for innovative companies to scale and commercialise technological and scientific breakthroughs. To ensure that the benefits are felt right across the country, we are backing high-potential innovation clusters throughout the UK through programmes such as the local innovation partnerships fund.
Brilliant ideas alone, of course, are not enough to grow a business, so we are taking a whole-of-government approach to ensure that the right conditions are in place for businesses to reach their full potential. We are expanding the British Business Bank to give high-growth tech firms access to long-term scale-up capital. We are upskilling private investors to invest in deep tech through our science and technology venture capital fellowship programme. We are ensuring that firms have access to the best skills and talent through our £187 million TechFirst skills programme and we are hoping to attract the very best minds in the world through the Government’s global talent taskforce, as well as the £54 million global talent fund.
We are not stopping there. Across the board, we are looking at how we can use the Government’s levers to support our technology ecosystem. Part of that is about infrastructure, whether that is connecting people, businesses and universities through initiatives like the Oxford-to-Cambridge growth corridor, or funding the specialist infrastructure that tech companies need through the AI research resource and engineering biology scale-up infrastructure programmes.
It is also about regulations that help, not hinder, new products to reach the market. That is why we have set up the Regulatory Innovation Office, which has invested over £12.5 million already in helping regulators to adopt new tools and approaches. Sometimes it is challenging to bring new technologies to market, so we are also reforming how the Government procure technologies to lead the way and back British SMEs.
In the autumn Budget, we announced an advance market commitment, backed with £100 million of Government funding, to buy products from novel and promising UK chip companies—an important economic as well as national security focus—once they reach a high-performance benchmark. I know that the Ministry of Defence has committed to a significant budget allocation to novel technology procurement and I am keen to ensure that the design and process for that are as compelling as the scale of that ambition.
This debate is about UK-based businesses, but we must also recognise that we are part of a global market, with the huge opportunities that that offers. We are working hard with our international partners to boost collaboration and open new markets for innovative firms globally. We have agreed industrial strategy partnerships with France and Japan, have a Saudi-UK strategic partnership and an India-UK technology security initiative, and are pursuing deeper connections still with other key markets. Last autumn, the top US tech firms, mentioned across this debate, committed to investing £31 billion in the UK.
We are right across the things that matter to start-ups here in relation to capital: the force that is the BBB investing more; the National Wealth Fund investing more; a sovereign AI unit investing earlier; and the Mansion House pension fund reforms that are spurring greater investment. We are bringing capital to the service of British start-ups.
In the context of compute—a critical input for AI—both our AI growth zones programme and our AI research resource programme are ensuring that British companies are at the front of the queue when it comes to adequate compute for AI. When it comes to Government as a customer, the advance market commitment and the reforms that I mentioned in relation to the MOD aspire to that and to ensuring that the Government are the best partner that UK start-ups can benefit from.
When it comes to building a sense of community for talent in this country, the global talent taskforce, the global talent fund and, crucially, the enterprise management incentives scheme—now one of the world’s best tax incentive schemes for early-stage employees to have deep equity participation in start-ups—mean that Britain is at the front of the queue in convening a compelling community of tech talent. When it comes to clarity on regulation, the AI growth lab, the Regulatory Innovation Office reforms that I mentioned and the growth mandates for regulators mean that Britain is regulating dynamically—moving regulation at the pace of technological progress.
At the heart of all this is a culture that prizes innovation and that says to entrepreneurs that their success is our national success, and that their companies are national champions when they create jobs and invest in frontier innovation here. We are radically shifting Britain’s culture to being a culture of agency and innovation.
In that context, I am grateful to all Members across the House for their partnership in that mission. The UK’s exceptional technology sector is a key national asset. The steps that the Government are taking will ensure that UK-based tech companies thrive at every stage of their growth.
(1 week, 6 days ago)
Westminster Hall
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
It is such a pleasure to serve under you in the Chair, Ms Vaz. I thank my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), the Chair of the Science, Innovation and Technology Committee, for securing this debate and bringing to it her deep expertise across engineering, policymaking and leadership in the House on the question of tech sovereignty. I also thank all hon. Members for making very thoughtful points and bringing to the debate a range of experiences—as well as swiftness of speech, given the constraints imposed by time today.
I have long felt that the central question in our politics and for our country is the future of technology in this country. It will be the major driver of prosperity and dignity for people, and the central question is whether Britain gets to shape it or is shaped by it. In Westminster, we sometimes talk about technology sovereignty as an abstract geopolitical goal, but we have to keep in mind that, ultimately, it is the basis for our NHS radiologists to have access to the best tools for detecting cancer, with data here in the UK; for British founders and builders to be able to train and deploy models, rather than depending on foreign APIs and pricing; and for people in their homes and workplaces across the country to know that their everyday AI systems are governed transparently and democratically here in the UK.
My view is that technology sovereignty is a state’s ability to have strategic leverage when it comes to a technology, such that it can ensure ongoing access to critical inputs and ongoing assurance that its wider economic and national security objectives can be met more broadly. It is to take the best tools the world has to offer today, but also to shape the rest, and ultimately to make that which is critical here in Britain.
As I think of it, that strategic leverage is obtained by three steps on a ladder. The first is just to have enough of the critical inputs. Taking AI as an example, we have to have enough chips today to be able to do anything with AI in the first instance. With that in mind, the Government have always been very keen to secure the level of capital investment that means that Britain is at least at the table with critical inputs.
Once we are at the table, the second part of sovereignty is to make sure that we have some diversification in who we procure critical inputs from so that we can bargain effectively. We are the party of labour; we understand that who has power matters as much as what the powers are. In that context, one of the first things I did in my role was to engage with a series of companies in every part of the stack so that we were able to build more diversity into the landscape.
The third rung of the ladder is, ultimately, to build British in order to make sure that we have the full-fat version of sovereign capability here in critical parts of the stack.
I thank the Minister for setting out his sovereignty stack. Just as an example, is an LLM a critical input or another level in the stack—and does it need to be British?
Kanishka Narayan
I valued my hon. Friend’s earlier point that sovereignty has to be seen in the round. We cannot make everything here; we have to look at the entire bundle that we have to offer. In the context of LLMs, there is some uncertainty as to whether all the capability will ultimately accrue in closed proprietary models, or whether open-source, open-weight models might be part of it. To me, as things stand today, it is a pretty important part of the stack. The question then is whether we have enough of it to be able to make the most of it by adopting it for economic and national security usage here, or whether there are aspects in which, at least from a distillation or small-model point of view, we need to develop some capabilities here as well. I do not think there is a binary answer to the overarching question; the answer is much more nuanced. I am happy to discuss that further if it is of interest.
As I said, the third rung of the ladder is, ultimately, to build British and focus on areas in which we can develop our strengths. I have to point out that we made sure that Nscale, one of our neocloud hyperscale providers, was an important part of the supply chain for AI growth zones. I noticed that yesterday Nscale raised the largest ever series-C funding in Europe, in part as a result of the Government’s support and convening in that context. Arm, the leading chip design company globally, is still headquartered in Cambridge, and we have fantastic companies in the AI inference chip part of the stack, Fractile and Olix being two of them. It is an area that I spend a lot of my time on.
When it comes to models, we have huge strengths, not just because a number of the Gemini teams and researchers continue to sit in King’s Cross at DeepMind, but because companies developing foundation models in AI for science and autonomous vehicles, embodied AI, and aspects of world models and computer vision reside here in the UK. Wayve raised £1.5 billion just this year, the largest funding round in Europe to date for that stage. It is a fantastic company that looks in particular at embodied AI and vision. I am proud of those companies. It is right that the Government are supporting them through the lens of tech sovereignty, as that is what both Britain’s and the companies’ best interests dictate.
The sovereign AI unit will be crucial to that. I am glad to see the level of interest in that across the House. It will concentrate efforts on priority areas. There was interest in my specifying those areas. The four areas that are of interest at the outset are novel compute, in particular focusing on the inference chip part of the stack; novel model architecture; AI for science—I point hon. Members to the AI for science strategy published by the Department three or four months ago, which set out particular areas of focus and priority—and embodied AI.
To give a concrete example of early action that the sovereign AI unit has taken, we have already invested £8 million in the OpenBind consortium to accelerate AI-driven drug discovery, and £5 million in the Encode: AI for Science fellowship to support the next generation of world-class talent. The focus of the unit will be on both capital and compute, to incrementally anchor more and more British companies here, but I know that the unit will only be part of the solution. We have a role to look at innovation and market support much more broadly across the tech landscape.
In November, we also announced a significant advance market commitment—a deeply innovative procurement shift—which meant that up to £100 million in Government funding was available to buy products from promising UK chip companies once they reach a high-performance benchmark. That presents UK start-ups with an exciting opportunity to grow and compete right here, building for the world.
AI is of course just one area of Britain’s flourishing tech ecosystem. I point out to my hon. Friends the Members for Milton Keynes Central (Emily Darlington) and for Lichfield (Dave Robertson), who made important points about quantum, that the Government have doubled the rate of investment in quantum, with about £1 billion committed over the next four years. The points on helium made by my hon. Friend the Member for Lichfield have very much been taken into account. The Government are looking at the developing situation on helium supply in the middle east, which is of concern.
Through our national programme, we broadly want to anchor development and access to technological capabilities that are most important to economic growth and national security. That means, in the context of quantum, more companies starting, growing and staying here and, in the context of AI, not just developing capabilities in particular parts of the stack, but in part looking upstream for skills as well.
In that context, I agree totally with my hon. Friends the Members for Cambridge (Daniel Zeichner) and for Southend East and Rochford (Mr Alaba) that the quality and scale of our talent and skills in our universities and schools is the single biggest determinant of where we end up. I am happy to write to my hon. Friend the Member for Cambridge about the UKRI changes that we are making. In answer to my hon. Friend the Member for Southend East and Rochford, IP capitalisation is a deeply important part of what I focus on with the Intellectual Property Office, and I am happy to engage him on the question of Essex University in particular.
The Minister knows that the Computer Misuse Act 1990 criminalises a lot of legitimate cyber-resilience and vulnerability research. I think that the Government are minded to introduce a statutory defence for such research, but can he share whether that defence will be introduced as part of the cyber Bill?
Kanishka Narayan
The hon. Member is absolutely right to raise that point about a defence for cyber-security purposes. The Computer Misuse Act is being reviewed at the moment—the Home Office is looking at it—but, as I mentioned in Committee on the Cyber Security and Resilience (Network and Information Systems) Bill, that is not the appropriate vehicle, given its much narrower scope than the broad scope that we would like in the context of a defence. For those reasons, I am keen that we pursue the matter, but elsewhere.
I am conscious of time, so I will proceed at pace. Alongside quantum and AI, semiconductors are another technology that underpins the global economy and is fundamental to our way of life. As part of our industrial strategy, digital and technology sector plan, we are taking measures to foster the growth of that particular sector.
My hon. Friend the Member for Mansfield (Steve Yemm) spoke very thoughtfully about the fact that we should not just rely on venture-focused companies in particular parts of the country, but look at our industrial heritage. That is exactly why I have focused on ensuring that the AI growth zones programme puts data centres in the north-east, alongside the headquarters of our largest listed tech company. A deep heritage of financial services technology innovation in Newcastle and the surrounding area is now able to benefit from good jobs anchored by that data centre.
In south Wales, the data centre planned for the site of the old Ford car manufacturing plant gives hope for jobs in the semiconductor cluster, anchored by that data centre. That is critical. In north Wales, data centres are pulling our nuclear small modular reactor into the future, which is critical to thousands of jobs in that community. In Lanarkshire, the old steelworking community, which lost thousands of jobs and never fully recovered, now has hope from half a billion pounds of community investment as a result of data centres. That is precisely what I believe in.
In one sentence, will the Minister say something about another geographical issue: collaboration with like-minded countries, especially in the EU?
Kanishka Narayan
I will simply give a note of total affirmation on the importance of that. Having met a series of Ministers from Europe, I know that we have a huge amount in common and a huge amount to do in the future.
I am being tested pretty intensively on time, so I will focus on one final point. Some Members rightly raised the question of mergers, acquisitions and investment controls. As my hon. Friend the Chair of the Select Committee will know from the time that I worked for her on the Bill as it was proceeding through the House, the National Security and Investment Act 2021 is an excellent example of where we are ensuring that investment and sensitive areas maintain the national security interests of Britain now and in the longer term.
In summary, the Government will continue to support our tech sectors as best they can. Only yesterday, Nscale raised the largest series-C funding round in all of Europe. Isambard-AI has raised a £50 million round for embodied AI—manufacturing AI—as well. Those are testaments to the approach that I have set out, which will ensure that British firms and people can seize every opportunity they can in tech-enabled Britain.
Public Bill Committees
The Chair
I thank the shadow Minister for getting those comments on the record. Would the Minister like to address those points?
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I am happy to write to the hon. Member.
The Chair
The shadow Minister can keep us updated on whether that has happened.
New Clause 2
Register of foreign powers for the purposes of Part 4
“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.
(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –
(a) which have been confirmed by GCHQ as having—
(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,
(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or
(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,
(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In this section, ‘foreign power’ means–
(a) the sovereign or other head of a foreign state in their public capacity;
(b) a foreign government, or part of a foreign government;
(c) an agency or authority of a foreign government, or of part of a foreign government;
(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or
(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—
(i) hold those posts as a result of, or in the course of, their membership of the party, or
(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”—(Dr Ben Spencer.)
This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.
Brought up, read the First time, and Question proposed (10 February), That the clause be read a Second time.
Question again proposed.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.
We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.
The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.
In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.
Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.
Kanishka Narayan
It is a pleasure to serve with you in the Chair, Ms McVey.
I thank the shadow Minister, the hon. Member for Runnymede and Weybridge, for the new clauses in his name, which would require the Secretary of State to create a register of foreign powers that pose a threat to UK cyber-security, to review that register, and to lay a report before Parliament. This is intended to inform the use of powers granted under part 4 of the Bill. I empathise with the shadow Minister’s concerns that hostile foreign actors could target the network and information systems of operators of essential services or critical supplies. That is a clear risk, and one that we are addressing through the Bill.
As drafted, the Bill grants the Secretary of State new powers to issue national security directions to regulated entities or regulators where their compromise poses a national security risk. So long as those tests are met, the powers may be used by the Secretary of State irrespective of the actor that is causing the national security incident or threat.
New clause 2 would require the creation of a register of foreign states that pose a risk to the UK based on GCHQ advice. I reassure the shadow Minister that regardless of the proposed new clause, any decision to use the powers in this part of the Bill will be informed by expert national security advice from GCHQ. As a result, it is unclear what additional support the proposed register would provide to the Secretary of State when, for example, deciding whether to issue a direction to a regulated entity.
Additionally, the report required by new clause 3 would effectively be a list of the vulnerabilities of the network and information systems of our essential services, and would therefore be an asset to malicious actors. That would be counterproductive to national security. The new clause would allow the Secretary of State not to publish part or all of the report, if publishing would be contrary to the interests of national security. However, it is unclear how even part of the report could be published without harming national security, given its intended content.
Drafting a report of vulnerabilities that cannot be disclosed to Parliament without harming national security would simply duplicate existing assessments, and run the risk of distracting Government from more effective measures to protect from hostile foreign actors. That is not to say that we shirk transparency about these kinds of risk. The Government are already able to communicate with Parliament and the public about such cyber-security risks where it is appropriate to do so, through things such as the National Cyber Security Centre’s annual report and advisories. I therefore kindly ask that the shadow Minister withdraw the new clause.
I thank the hon. Member for Henley and Thame for the Liberal Democrat new clauses in his name, which would require the Secretary of State to publish a statement of how the Government intend to address risks posed by foreign actors to UK network and information systems, and to assess how many entities regulated by the NIS regime are owned in part or in full by foreign states.
Let me reassure the hon. Member that the Government take the risks posed by foreign interference seriously. The NCSC’s annual reviews continue to highlight cyber-risks to the UK from foreign actors, as well as measures to mitigate those risks. We have robust processes for assessing such threats, drawing on the expertise of the intelligence community, including the National Cyber Security Centre and the National Protective Security Authority.
The measures introduced by the Bill will boost the security and resilience of network and information systems across essential services, managed services and relevant digital services, protecting them from the risks of foreign interference. Where that is not enough, the Bill provides a backstop: the new direction powers in the Bill will enable the Government to protect our critical services from exactly those kinds of national security risks. We will be able to require a regulated entity to undertake any action that is necessary and proportionate for national security in response to the threat of a compromise. Conducting assessments of the ownership structures of the many thousands of in-scope entities within six months would be disproportionately resource intensive, distracting Government from more effective measures to protect our services.
Publishing a review identifying national security risks caused by foreign state ownership, or assessing whether our powers are adequate, as the Opposition’s new clause 3 would require, would provide valuable insight to our adversaries. As I have previously set out, there is a clear pathway for Government to communicate with Parliament and the public about such cyber-risks where it is appropriate to do so, but where we identify specific concerns, it is right that we retain the ability to assess and respond without disclosing our conclusions to those who might exploit them.
Finally, it is worth pointing out that, as drafted, new clause 13 is not aligned with the intended scope of the Bill. The Bill is solely concerned with entities that are currently, or could one day be, regulated under the NIS regulations. This new clause would require a statement on the risks posed to all UK network and information systems, which is a significant broadening of the scope of NIS-regulated entities and sectors. Similarly, the focus on Government procurement seems outside that scope, given that Government network and information systems are not wholly regulated by the Bill. For those reasons, I ask that the hon. Member for Henley and Thame kindly consider not pressing his amendment.
I am grateful to the Minister for his response, but we have seen over the past six months, especially with the alleged spying incidents in Parliament, the Government’s resistance to recognising the Chinese Communist party as a threat. When it comes to our new clause 3 and concerns over transparency, we have also seen, in the last few weeks, that there are mechanisms—for example, the Intelligence and Security Committee—to ensure the disclosure of documents, while preserving national security. I would therefore like to press new clauses 2 and 3 to a vote.
Question put, That the clause be read a Second time.
I thank my hon. Friend for his intervention, which is more for the Minister and the Government Whip’s benefit than mine.
Properly established ISACs will not only increase real-time awareness of cyber-risks and mitigations, but could also alleviate some of the burden on regulators in terms of sector-specific intelligence analysis. Industry feedback and experience from the adoption of the Network and Information Systems Regulations 2018 indicate that sectoral regulators are unlikely to have the capacity to assist with intelligence sharing in relation to real-time cyber-risks.
We know from the sectoral regulators’ oral evidence that building sufficient capacity for effective regulatory oversight is a challenge. Where we have models for sector-led and market-led good practice in hardening cyber-resilience, we should look at how it can be rolled out further. Seeing more of these organisations emerge could even lead to broader adoption beyond NIS-regulated areas to other industries. ISACs have the potential to become integral nodes in improving whole-of-society cyber-resilience, and it is an approach called for by many cyber industry stakeholders. I therefore commend new clause 4.
Kanishka Narayan
I thank the shadow Minister for this amendment, which would require the Secretary of State to review how information sharing and analysis centres support the functioning of the NIS regime and what steps the Government can take to improve them.
I recognise the intent of this new clause. These centres play a key role in promoting collaboration and co-ordination in the cyber-security space, allowing organisations to share information, intelligence and best practice. In fact, the UK already benefits from a range of such initiatives, many of which are facilitated by the National Cyber Security Centre. In its latest annual report, the NCSC noted that more than 200 companies now meet regularly in trust groups to exchange intelligence and best practice, and to support each other in incident response. NIS regulators also support organisations to share information with each other in sector-specific groups.
However, while I fully endorse the value of those initiatives, I do not believe it is the Government’s role to review how they operate or to mandate how or where they are established. Such centres are meant to be a forum in which organisations can voluntarily engage in the exchange of information. As such, they operate most effectively where the initiative for participation comes from the organisations themselves or from technical authorities such as the NCSC.
The Government are, of course, committed to ensuring that the information-sharing provisions within the Bill are effective, and that will be assessed through the formal review of the legislation already required under clause 40. I kindly ask the shadow Minister to withdraw the new clause.
In response to the Minister’s comments, clause 40 is about a review; it does not provide any direction, other than for the Secretary of State to do their job in reviewing this area. I will press new clause 4 to a vote.
Question put, That the clause be read a Second time.
I agree about the importance of putting things on the record. Since the hon. Member obviously has not been listening to my speech, he can check it out on the record. I acknowledged the challenges in this area—[Interruption.] Does the Government Whip want to intervene, or was she just chuntering? I will continue.
Given that the Bill puts quite a burden on the private sector, as we discussed over several sittings before the parliamentary recess, I think it is important that the Government recognise, as my hon. Friend the Member for Spelthorne said, it would be pretty shameless not to vote for accountability for themselves while putting it on other people. Let us see how the vote goes. I commend new clause 5 to the Committee.
Kanishka Narayan
I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.
We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.
Chris Vince (Harlow) (Lab/Co-op)
I declare an interest as a member of the Public Accounts Commission, which regularly scrutinises the National Audit Office. Can the Minister give some reassurance to Labour Members, who are being accused of hypocrisy, that we do make sure that the highest levels of cyber-security are met?
Kanishka Narayan
My hon. Friend is right. Where the Conservative party did absolutely nothing and continues with its hypocrisy, I am glad to inform hon. Members that this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
New clause 5 simply asks the Government to commit to reporting back on meeting the milestones they have set themselves for increasing cyber-security standards. Is the Minister confident in the Government’s ability to deliver on their cyber strategy, or is the document not worth the paper it is written on?
Kanishka Narayan
I simply repeat my prior sentence: this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.
In addition, the Government’s cyber action plan was published in January this year. It sets out how the Government will rapidly improve the cyber-security and resilience of public services to deliver a step change in cyber and digital resilience across the public sector. The plan sets out clear accountability structures to ensure that cyber-risks at all levels of Government are actively owned and effectively managed, with those responsible held to account.
Alison Griffiths
The continued use of legacy IT equipment is a particular vulnerability across the Government estate. That will take some time to address entirely, but is there a strategy in place to prioritise the upgrading of this legacy equipment, given that it is one of the greatest areas of exposure?
Kanishka Narayan
The hon. Member makes a very important point. We have heard of two major sources of risk from a cyber point of view: legacy technology and technology debt, and frontier AI attacks. The Government’s cyber action plan is not technology-specific, but both those sources of risk are very much on my mind, and I will make sure they are also on the mind of those implementing the Government’s cyber action plan.
I assure Members that we will continue to work with Parliament to support oversight of the plan’s implementation and to explore additional avenues for scrutiny of the Government’s cyber-resilience to guarantee the right level of accountability. I therefore kindly ask the shadow Minister to withdraw his new clause.
Question put, That the clause be read a Second time.
This new clause, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations. Historical levels of regulatory oversight and enforcement in relation to the NIS regulations 2018 have fallen short of what is necessary to achieve meaningful cyber-resilience across regulated sectors. The second post-implementation review of the NIS regs 2018, conducted in 2022, found that incident reporting on the part of regulated entities was very low, with only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021 respectively.
A review conducted by the Worshipful Company of Information Technologists identified a near total absence of formal financial sanctions under the NIS regulations, with zero confirmed major penalties from 2021 to 2024. The model has not been conducive to effective discharge of regulatory responsibilities, with knock-on effects for cyber-resilience and regulated industries, yet regulators will be expected to oversee a far larger pool of regulated bodies and process a far larger number of incident reports under the Bill’s provisions. It is therefore right for us to scrutinise carefully whether regulators are in a position to meet these obligations.
In the evidence sessions, many of my questions to witnesses, including those from Ofgem, Ofcom and the Information Commissioner’s Office, focused on their preparations to meet the demands of their expanded roles. It was clear from feedback that although regulators understand what they need to do to prepare, the practical challenges associated with securing sufficient resource are far from resolved. I would therefore be grateful if the Minister could clarify his plans to review regulators’ progress and what the key milestones will be to ensure that regulators can discharge their new duties alongside their existing ones when these provisions come into effect.
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clause, which seeks to require a consultation on the resourcing and capabilities of regulators and regulated entities, assessment on whether additional Government support is needed, and a report on the findings. I reassure the hon. Gentleman that the Bill was developed in close collaboration with regulators and industry to ensure that regulators have the right information and tools to implement it.
The Bill already requires the Government to produce two regular reports to monitor the effectiveness of the legislation, and those would naturally include reviews of whether resourcing and capability were impacting on the effectiveness of the regime. The first of those is the annual report on regulator activities in relation to the statement of strategic priorities. The second is the report on the operation of the legislation, which must take place at least every five years.
Lincoln Jopp
While we are talking about resources and the application of the Bill, I raise with the Minister that, on page 102 of the impact assessment, it states that the going rate for a contract lawyer is £34 an hour. To my mind, that is out by a factor of probably 10. In the 10 days since our last sitting, has the Minister had a chance to re-examine the impact assessment and discover whether that was a genuine error? That number gets multiplied many times in the impact assessment. Has he had a chance to look into that?
Kanishka Narayan
The hon. Member has made that point a couple of times before. I am happy to write to him about the calculations, so that he is able to understand the survey and the significant uplift on which the figures are based.
In response to the hon. Member for Brecon, Radnor and Cwm Tawe, given that the two reports can already include the topics addressed by his new clause, adding another report would risk confusing their purposes and increasing administrative burdens on those involved unnecessarily. The Government will not hesitate to adapt our support offering based on the findings of those reports. That will include using our flexible mechanisms—for example, updating our guidance to regulators, the statement of strategic priorities and the code of practice. Beyond that, we will continue to engage with regulators as the Bill is implemented, and consider whether any other means of improving regulators’ and regulated entities’ resourcing and capabilities are necessary and proportionate. For those reasons, I ask the hon. Member to withdraw his new clause.
Question put, That the clause be read a Second time.
Kanishka Narayan
New clause 14 would require the Government to establish a dedicated support service for small and medium-sized enterprises that are operators of essential services, relevant digital service providers, relevant managed service providers or critical suppliers. That would include provision of advice, technical assistance and recovery guidance following a cyber-incident. It is worth noting that the Bill exempts small and micro enterprises from the regulations as relevant digital service providers or relevant managed service providers. Although regulators can designate a small or micro entity as a critical supplier, very few are expected to meet the threshold for criticality in practice. Similarly, there are limited examples of small or micro operators of essential services.
Improving the cyber-security of our nation’s small and medium-sized businesses is important for the resilience of our wider economy. That is why the Government have developed a wide range of free tools, guidance and training to help those businesses implement cyber-security measures. Such tools include the recently launched cyber action toolkit, which provides small and medium-sized businesses with tailored advice and the offer of free 30-minute consultations with NCSC-certified cyber advisers. Report Fraud, a reporting service for cyber-crime and fraud, runs a 24/7 cyber business incident reporting line, with regional cyber-resilience centres across England and Wales also providing support for small and medium-sized businesses, including incident response and business continuity advice in line with NCSC standards.
I hope that reassures the hon. Member for Henley and Thame that there is already considerable support available for small and medium-sized entities. Considering that, a new dedicated service is unnecessary, and it could divert resources from existing Government and NCSC schemes and impact our efficacy. For those reasons, I hope he will withdraw the new clause.
Question put, That the clause be read a Second time.
New clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.
On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?
Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clauses. I will speak first to new clause 16, which seeks to require boards or equivalent management bodies of operators of essential services, relevant digital service providers, relevant managed service providers and critical suppliers to take specific measures to oversee the security and resilience of their network and information systems.
Board-level engagement is a necessary part of proactively and effectively managing cyber-risks. That is why we published the cyber governance code of practice last spring, as part of a wider package of action to support boards in more effectively governing digital risks to enhance their organisation’s cyber-resilience. More recently, the Secretary of State, together with the Chancellor, the Business Secretary, the Security Minister, and leaders of the NCSC and NSA, wrote to the CEOs and chairs of the UK’s leading organisations, asking them to make cyber-risk a board-level priority.
I agree with the hon. Member that going further on board-level responsibility is necessary. That is why we will introduce security and resilience requirements in secondary legislation, following consultation. We will consult on proposals that are consistent with the NCSC’s cyber assessment framework, as we confirmed in our policy statement last year. The cyber assessment framework includes comprehensive measures on good cyber governance, including clear board-level responsibility. It is important that industry is consulted on those measures, that they form part of a holistic package on security and resilience, and that they can be updated flexibly over time. We intend to consult on proposals for security and resilience requirements and wider implementation plans later this year.
New clause 17 seeks to require all organisations in scope of the Bill to test the security and resilience of their network and information systems. We agree that proportionate cyber-security testing is critical to identifying and mitigating vulnerabilities in systems and networks. Organisations in scope need to take appropriate and proportionate measures to manage risks to network and information systems on which they rely, and that can include testing of network and information systems. In particular, relevant digital service providers are already required to account for testing as part of their overarching security duty. Additionally, all regulators can use their powers to mandate testing by an inspector, or by the regulated entity, to verify compliance or investigate potential failures.
I reassure the hon. Member that we are going further. We will be updating and providing more detail on the measures that regulated entities need to take, as well as setting strategic objectives for regulators. As I have said before, our proposals for the security and resilience requirements in secondary legislation will be consistent with the NCSC’s cyber assessment framework, which includes measures on appropriate testing.
David Chadwick
Is the Minister aware that the financial services industry is required to conduct regular testing of its systems, and that sectors like aviation and nuclear have designated individuals in their security organisations who are responsible for overseeing those sorts of practices?
Kanishka Narayan
I thank the hon. Member for his point. I am also aware that the National Cyber Security Centre’s cyber assessment framework has very specific measures on appropriate testing as well. It already exists, and we want to make sure that it is an important part of specific security and resilience requirements in secondary legislation.
It is crucial that industry is consulted on the nature of any requirements related to testing. As mentioned, we intend to consult on the proposals later in the year. We will also issue a statement of strategic priorities for regulators, and will explore whether that is an appropriate vehicle for driving consistency in the behaviours of regulators in respect of their approach to testing for their sector.
Overall, any approach to going further on proportionate and regular testing must be developed alongside the full set of security and resilience requirements, and co-ordinated and communicated with a wider package of implementing measures. That will allow the impact of options to be assessed, and provide the industry with clarity on the overall approach, including how the components fit together.
The shadow Minister asked about the consideration of NIS2 requirements. We have looked at NIS2 provisions, and variability in member states’ implementation of it, as part of a wider set of considerations on which we will be consulting regarding secondary legislation on governance.
My hon. Friend the Member for Milton Keynes Central made an incredibly important point about security by design, which I very much take into account. The Government Digital Service is already working on a secure by design standard. We want to make sure that it is as robust as possible, and extend it across not just the public sector but parts of the private sector. I will make sure that security by design remains at the heart of the Government’s cyber action plan, as well as that of the private sector.
Emily Darlington
I thank the Minister for that commitment. Would he consider setting up a meeting between GDS and those MPs who have expertise in this area, so that we can share our expertise and reassure ourselves that this is going in the right direction and at the speed that is necessary?
Kanishka Narayan
My hon. Friend has extensive expertise, from which I benefit extensively. I will be keen to make sure that the Government Digital Service does so too.
In the light of those commitments, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe not to press the new clauses.
David Chadwick
During the evidence sessions, numerous very knowledgeable witnesses called for these new clauses, so I will push them both to a vote.
Question put, That the clause be read a Second time.
I am a bit unclear about the hon. Gentleman’s intervention. The point I was making was that there is legitimate concern that people doing research into this area and doing threat assessments risk prosecution, so, across the whole of our society, that work is not being done. We have heard quite a lot of evidence from cyber campaigns about the benefits that changes to this law would make to the system, which is why we tabled the new clause. I commend new clause 19 to the Committee. I hope the Minister agrees that now is the time to address the issue.
I suspect that this will be my last, or penultimate, time speaking to the Committee, so I would like to finish by thanking Members on both sides of the Committee for a fun and, at times, robust debate over the past month. I thank the Chairs, the Clerks and all the teams working on the Bill—and Sophie Thorley from my office, who has done incredible research on the Bill.
Kanishka Narayan
I thank hon. Members for their new clauses; I recognise the strong feeling and thoughtful contributions about reforming the Computer Misuse Act.
I speak first to new clause 18, which seeks to place a duty on the Secretary of State to review whether amendments to the Computer Misuse Act could support the security and resilience of network and information systems used for carrying out essential activities. I assure the hon. Member for Runnymede and Weybridge that the Government remain committed to ensuring that the Act remains up to date and effective.
The Home Office is already conducting a review of the Computer Misuse Act, and is developing proposals that arise from its findings. That includes careful consideration of proposals to introduce a statutory defence that would allow researchers to spot and share vulnerabilities. It will provide an update as soon as the proposals are finalised. However, limiting a defence to only the sectors covered by the NIS regime would be impractical. Any package of workable defence would need to be broad enough to apply economy-wide.
New clause 19 raises the introduction of a statutory defence to the Computer Misuse Act. I acknowledge the strong sentiment regarding reform of the CMA. There is no doubt that UK cyber-security professionals play a significant role in maintaining the country’s overall security and resilience. Supporting them is vital.
I agree with the principle behind the new clause: that a defence to section 1 of the Computer Misuse Act could strengthen the resilience of network and information systems by allowing researchers to spot and share vulnerabilities. The Government are already conducting a review of the Computer Misuse Act, and we have made significant progress in developing a proposal for a limited defence to the offence provided for in section 1 of the Computer Misuse Act.
Andrew Cooper (Mid Cheshire) (Lab)
Many of us, on both sides of the House, are sympathetic to both new clauses. We heard very clearly in evidence sessions that the Computer Misuse Act, as it is today, has a chilling effect on the operation of the cyber-security industry in this country and on whether such companies want to locate here as opposed to other countries.
I absolutely hear what the Minister says about the Home Office developing proposals. I wonder whether he can set out a timescale for when those proposals are likely to be brought forward—whether he expects that to be in this parliamentary Session or the next one. The issue is clearly holding back the cyber-security industry in this country, and we would all like to see it resolved.
Kanishka Narayan
My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.
Freddie van Mierlo
I am grateful to the Minister for his reassurances on the ongoing review of the Computer Misuse Act. On that basis, I would like to say that I will withdraw the new clause.
David Chadwick
Will the Minister clarify what he thinks ethical vulnerability research actually constitutes?
Kanishka Narayan
Sure. I would not wish to define it technically, but my understanding is that it is research aimed at ethical hacking. It is effectively trying to find vulnerabilities through simulated attack systems, which can broaden our understanding of risks and vulnerabilities and allow us to mitigate them accordingly.
I return to new clause 19. Limiting a defence to just the sectors covered by the NIS regime would be impractical; any proposal for a workable defence needs to be broad enough to apply across the economy. That is why we are making sure that, through the Home Office, we are working as promptly as possible to ensure a proposal that is strong in its safeguards to prevent misuse. Engagement, including with the cyber-security industry, is already under way to refine our approach.
We are a responsible Opposition and we are pleased to hear about the work that the Minister and his Department have been doing and about the shared purpose in getting this done and getting it right. Would he give us a bit more detail of the timescales and plans for public consultation? I understand that he has been doing some personal consultation in private, but will there be a public consultation? Given that the reform crosses two Departments, which Department will be taking it forward? What I am really looking for from him is a confirmation at the Dispatch Box that he is personally committed to getting this piece of work over the line during this parliamentary term.
Kanishka Narayan
I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.
In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.
Freddie van Mierlo
I beg to ask leave to withdraw the clause.
Clause, by leave, withdrawn.
Bill, as amended, to be reported.
(3 weeks, 6 days ago)
Commons Chamber
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
It is a pleasure to respond to this debate, not least to further my education in my personal passion area of parliamentary procedure.
Let me begin by responding to the motion, and then I will turn to the substance of the debate. The hon. Member for Twickenham (Munira Wilson) will accept that no Government could accept a motion such as that proposed by the Liberal Democrats. The motion goes against the Standing Orders of the House, which state that the Government as elected by the people control the Order Paper, apart from specific exemptions such as Opposition days. The motion would give the Liberal Democrats free rein to schedule the business on 9 March. Today they introduced a Bill. It is still not available to Members across the House, yet they are asking the House to hand them control of business to complete all stages of the Bill within a day. That is no way to make complex changes to the law in this area.
This is not just a procedural outrage; more than that I am sorry to see the Liberal Democrats join the Conservative party yet again in their usual coalition of putting political desperation on this question ahead of the interests of British children and families. I urge the Liberal Democrats to forget this approach, and to take part in the Government’s consultation, which is a true attempt at engaging across parties and across the country, so that we find the right solution for children and parents. This Government have already set out a way forward that considers those vital issues in a responsible way, and allows for swift action in response. That is how we will give children the childhood that they deserve and prepare them for the future.
I do not know where the Minister has been, but my inbox has been inundated by families and parents who are calling for action. We are responding to the request of our constituents to take action. Do the Government not see the urgency with which we need to take action?
Kanishka Narayan
The Government are seeing both urgency and responsibility in the correspondence that we are receiving and the consultation we are engaging with, not the desperate lurch to a specific answer that the Liberal Democrats are exemplifying in this instance. I want to take this opportunity to set out our approach.
Victoria Collins (Harpenden and Berkhamsted) (LD)
I say gently to the Minister that if he were to look at the Liberal Democrats’ track record over the past few years, he would see that we have worked really hard to put forward concrete proposals about putting online safety first.
Victoria Collins
No, but we have tried to push that agenda. It is not as if social media came into existence yesterday—Facebook was launched 22 years ago—and the Government brought forward the consultation after pressure from across the House. So I say gently to the Minister that we are trying to work together and that we want to continue to work together in that vein.
Kanishka Narayan
I take the hon. Member’s point about wanting to work together. The Government are committed to doing exactly that. It is not a question of whether we act, but how we implement specific changes to secure our children’s future. I encourage her and the entire Liberal Democrat party to engage with the consultation.
Caroline Voaden (South Devon) (LD)
On that point, will the Minister give way?
Kanishka Narayan
I will make a little progress having already given way twice to Liberal Democrat Members in short succession.
To be clear, it is crucial that we allow for a short, sharp consultation to allow the different parts of the debate to be heard, including crucially the voices of children themselves, who are too often under-represented in the debate. This is a complex area and it is vital that we get it right.
We have already announced that we will act both with speed and appropriate scrutiny to legislate based on the outcome of the consultation. Last month, the Secretary of State set out to the House that technology has huge potential for good: to create goods, to drive growth, to transform our public services and so much more. However, we have also been clear that in order to harness the potential benefits, parents need to have confidence that their children can benefit from the opportunities that the online world offers, ensuring that technology enriches, not harms, children’s lives.
Most children report benefits from being online, such as interacting with their peers, finding useful information or learning a new skill. But we also know that there are concerns about children’s online experience. This Government have always been clear that the protection of children online is our top priority. The Online Safety Act 2023 introduced one of the most robust systems globally for protecting children from harm online.
Anna Dixon
I thank the Minister for his remarks, and I hope that part of the consultation will involve looking at research. The Born in Bradford study is a huge cohort study that has recently looked at social media use by 12 to 15-year-olds in the Bradford district. It found that they are using social media for 3.36 hours per day and that there are associated increases in anxiety and depression. Will the Minister ensure that the harms from social media that we already know about, including that research, will be factored in as he makes decisions, following the consultation, to act swiftly to protect our children from harm?
Kanishka Narayan
I commend my hon. Friend on her consistent commitment to evidence-based policy making in this place, and beyond it too. I commit to her that both the Born in Bradford study, which she mentioned, and wider research will be in the front of the Government’s mind.
Caroline Voaden
Will the Minister tell the House when the consultation will be launched?
Kanishka Narayan
We will be very glad to come to the House as soon as the consultation is launched. It will be very soon indeed. As we have said, Members will expect not just a consultation—[Interruption.] I have not committed to debate the consultation today, prior to having published it. Perhaps the Liberal Democrats will take a lesson from that and follow appropriate procedure in this place.
The illegal content and child safety duties came into effect last year. Those duties represent a major milestone in protecting children from illegal and harmful content online, as well as helping them to have age-appropriate online experiences.
Consultation and timeframe are key, because while we procrastinate, online harm is continuing and our children are being put at risk. The statistics around online pornography show that up to 50% of boys aged 11 to 13 have already viewed pornography, and it is influencing their minds on a daily basis with regard to relationships and how they conduct their business. Will the Minister give the House an assurance that the consultation will come to this place very soon? Can he give timeframes thereafter, following the consultation, as to when we will see legislation brought before this House?
Kanishka Narayan
I can confirm to the hon. Member that the Government have committed to act robustly by the summer, which is about as short and sharp as a consultation can get. Instead of procrastinating on this question, I encourage her to engage intensively with the process of consultation and the national conversation.
I mentioned illegal content duties, as well as child safety duties. Under those duties, services must now conduct highly effective age assurance, precisely addressing the point raised by the hon. Member for Upper Bann (Carla Lockhart), to prevent children in the UK from encountering pornography, as well as content that encourages, promotes or provides instructions for self-harm, suicide or eating disorders. Platforms are also now legally required to put in place measures to protect children from other types of harmful content. That includes abusive or hateful content, bullying content and violent content.
Natasha Irons (Croydon East) (Lab)
I thank the Minister for the decisive action that he took over the recent Grok incident. Given the scope of the consultation and the fact that we are talking about online harms, I want to flag the issue we have around content on YouTube, which is a video-sharing platform, not necessarily a social media platform. The type of content that our children are consuming on there is a quick succession of images, which is not very good for a child’s development, rather than the slow-paced stuff we get when we watch a broadcaster. Will the consultation look at the quality of content on these platforms? Not all screentime is equal; some screentime can be quite dangerous for a child’s development in general.
Kanishka Narayan
Both of my hon. Friend’s points—on the scope of how we look at particular platforms and at their functionalities—are not just considered by the consultation, but deeply important. I engaged with the Australian Minister on this issue just last week, trying to understand their experiences of this and the uncertainty of getting those two things right. That is exactly why the consultation has been an appropriate approach in this context.
Where services fail to comply with their duties in the Act, Ofcom’s enforcement powers include fines of up to £18 million or 10% of qualifying worldwide revenue. Ofcom has indicated that it has issued financial penalties to six companies under the Online Safety Act amounting to more than £3 million. I can confirm to the House that just yesterday, Ofcom announced that it has fined a porn company £1.35 million for failing to introduce proper age verification on its websites—the largest fine levied so far under the Act. I welcome this strong action to protect children online.
We have always been clear that while the Online Safety Act provides the foundations, there is more to do to ensure that children live enriching online lives. Like all regulatory regimes, it must remain agile. That is all the more critical given that we are dealing with fast-moving technology. That is why this Government have already taken a number of decisive steps to build on these protections.
The first act of my right hon. Friend the Secretary of State was to make online content that promotes self-harm and suicide a priority offence under the Online Safety Act. That means that platforms must take proactive steps to stop users seeing this content in the first place. If it does appear, platforms must minimise the time that it is online. As well as that, both intimate image abuse and cyber-flashing are now priority offences under the Online Safety Act.
Last month, my right hon. Friend the Secretary of State stood in this Chamber and made it clear that the creation of non-consensual deepfakes on X is shocking, despicable and abhorrent. She confirmed that we would expedite legislation to criminalise the creation of non-consensual intimate images, and I am pleased to confirm to the House that that came into effect earlier this month. That will also be designated as a priority offence under the Online Safety Act, and it complements the existing criminal offence of sharing or threatening to share a deepfake intimate image without consent.
Alongside that, it was announced that we will legislate to criminalise nudification tools to make it illegal for companies to supply tools to be used as generators of non-consensual intimate images. Last week, we went further still and announced that we will introduce a legal duty requiring tech companies to remove non-consensual intimate images within 48 hours of them being reported. These measures will provide real protection for women and girls online.
However, we recognise the strength of feeling up and down the country and right across this House—not least in this debate. We share the concern of many parents about the wider impact of social media and technology on children’s wellbeing. The rapid growth of grassroots campaigns such as Smartphone Free Childhood highlights how concerned parents are about the pull of these technologies and what it means for their children. That includes the potential impacts on mental health, sleep and self-esteem.
We have set out our commitment to supporting parents and children with these issues. We want to find solutions that genuinely support the wellbeing of our children and to give parents the help that they need as they guide children through online spaces safely.
Dr Chowns
I have received contact from hundreds of parents in my constituency and from some young people sharing their huge concern about online harm caused by engagement with social media, so I fully understand the sense of urgency in the Chamber and the desire for quick action. The Government said in January that they would consult. They reiterated that they would consult, and they reiterated that commitment 10 days ago. I understand that the consultation is due to start in March, and the Minister has talked about bringing measures through before the summer. Can he commit to acting with real urgency and bring that consultation forward? What is the delay? Will he commit to bringing legislation—
Order. The hon. Lady has repeatedly made very long interventions. It was always open to her to attend the opening of the debate and to speak in it.
Kanishka Narayan
I totally agree with the hon. Member’s call for urgency. I assure her that first, the Government will act by the summer in robustly responding to the consultation. Secondly, we have been focused on getting the consultation right, and not just for the wider public; we are ensuring that it is designed for young people’s engagement, which requires particular design features. Thirdly, we are not waiting for the launch of the consultation to have the national conversation. I have been in schools and met parents, as have the Secretary of State and Ministers from across Government, so the conversation has very much started, and I am sure that the consultation is also imminent.
While there is consensus that problems remain, there is not yet consensus on the best way to address them. That is why the Government announced last month that we will be launching our short, sharp consultation and national conversation on further measures. We recognise that while some people support age restrictions on social media for children, there are diverse views on both the “what” and the “how”. Prominent voices in this debate, including the Molly Rose Foundation and the National Society for the Prevention of Cruelty to Children, are concerned that blunt age limits might not be the right approach and risk doing more harm than good. Even among those who support age limits, there are differing views on how to apply them, including which services restrictions should apply to. Those views are worthy of consideration, but we need to consider them properly and responsibly—we owe that to our children.
That is why the consultation approach is the responsible path forward for looking at these issues, considering in a swift and evidence-based way the full range of implications and the most effective way of protecting children and enhancing their lives online. We will consult with parents, the organisations representing children and bereaved families, tech companies and—crucially—children and young people themselves. None of that would be allowed under the motion we are considering today. This consultation, backed by the national conversation, will identify the next steps in our plan to boost and protect children’s wellbeing online. The consultation will include exploring the option of banning social media for children below a certain age, as well as a range of other measures. This will include gathering views and evidence on options such as restricting access to addictive functionalities and understanding what we can do better to support parents in navigating their children’s digital lives. We will also explore whether we should raise the digital age of consent, to give parents more control over how their children’s data is used, and how existing laws on age verification could be better enforced.
John Milne (Horsham) (LD)
The Minister is making lots of observations about the consultation that is going to go ahead—what is going to be in it, and how long it is going to take. What we do not know is when he will commit to bringing legislation before this House to act against social media.
Kanishka Narayan
I am happy to repeat to the hon. Member this Government’s commitment, which is that we will act by the summer. That is about as short and sharp as a consultation period gets. The Online Safety Act took seven years; we are simply asking for one quarter to make sure that young people, parents and families across the country are properly heard from.
John Milne
I understand the consultation, but what about actual legislation?
Kanishka Narayan
I will simply repeat the point I have made, which is that we are going to act by the summer. We have already sought permissive powers to ensure that the Government are able to act on the outcome of the consultation through rapid legislation. I hope the combination of those two commitments gives the hon. Member some assurance.
The engagement and consultation will take place alongside work with counterparts. We will be monitoring developments in Australia on its social media ban for under-16s to share learnings and best practice. We are steadfast in our belief that the right way to deliver the next steps to protect our children online is to be led by the evidence through our short, sharp three-month consultation.
The Minister has just said that the Government have already sought permissive powers. I understand that they are going to move an amendment in lieu to the Children’s Wellbeing and Schools Bill, but I am not aware that that amendment has been published yet, much less agreement sought from the House. When will that be published, so that we can see what those permissive powers are supposed to be?
Kanishka Narayan
I thank the hon. Member for that point, and commit to her that we are going to try to do that as soon as possible. She will be aware that the legislative process is already very tight, so I will come back to her and the House with the wording of the motion as soon as possible.
Last week, as I have mentioned, the Secretary of State confirmed that we will take new legal powers to allow us to act quickly on the outcomes of the consultation, delivering on our promises to parents. We will make sure that the wording is presented to the House at the earliest opportunity. We also recognise the importance of parliamentary scrutiny and the expertise that parliamentarians in both Houses provide, and have already committed that when regulations are brought forward, they will be debated on the Floor of the House and there will be a vote in both Houses, ensuring proper scrutiny. We are clear that the question is not whether we will act, but what type of action we will take. We will ensure that we do so effectively, in lockstep with our children and in the interests of British families.
I call the shadow Secretary of State.
(1 month, 1 week ago)
Commons Chamber
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
First and foremost, can I start by thanking the hon. Member for North Shropshire (Helen Morgan) for securing this debate on mobile connectivity in rural areas? I thank all hon. Members for their insightful contributions.
While I am here speaking in place of my noble Friend in the other place, the Minister for Digital Economy, I feel the pain described by many hon. Members personally, as I too represent a rural constituency. In that context, I particularly thank my hon. Friends the Members for Stafford (Leigh Ingham) and for Truro and Falmouth (Jayne Kirkham) and the hon. Members for Berwickshire, Roxburgh and Selkirk (John Lamont) and for Caerfyrddin (Ann Davies) for their representations on behalf of farmers and agricultural communities, whom I know face a particular challenge.
I also thank the hon. Members for Bromsgrove (Bradley Thomas), for Chester South and Eddisbury (Aphra Brandreth) and for Lewes (James MacCleary) for talking about not only maintaining bucolic beauty but parity and economic opportunity. I thank the Liberal Democrat spokesperson, the hon. Member for Frome and East Somerset (Anna Sabine), who raised a very concerning case about coercive control through the use of connectivity. I encourage her to write to the Department about that, as I would be keen to follow up on that particular issue. The constituency of my hon. Friend the Member for Camborne and Redruth (Perran Moon) has features of rurality and remoteness, and has coastal communities, and from my constituency I personally understand those features too.
The all-party parliamentary group on digital communities, which the hon. Member for North Shropshire is a member of, along with the other Members, published in January a detailed report on this topic. It provided valuable insights and recommendations.
It is well understood across the House that access to high-quality, reliable and secure digital connectivity is essential to day-to-day life, with many services now requiring an online presence. It is important not only for consumers, but for the businesses in every sector of the UK economy that depend increasingly on fixed and mobile networks in some way. From taking card payments to managing businesses online, digital connectivity is central.
The focus of this debate is on mobile connectivity. The Government have an ambition for all populated areas, including rural communities, to have access to higher quality stand-alone 5G by 2030. Although stand-alone 5G is already available outside 83% of premises across the UK, I acknowledge that we need to go much further.
Operators are starting to align investment and delivery plans with the ambition that the Government have set out. VodafoneThree has committed to investing £11 billion in its 5G network over the 10-year period following completion of its merger; progress against that commitment will be monitored at regular intervals by Ofcom. BT and Virgin Media O2 have set out similarly significant investment plans into their networks, both aligning with the Government’s stand-alone 5G coverage ambition.
Does the Minister acknowledge that there are issues with the data that has been provided both by the telecoms companies and by Ofcom? We have all shared experiences across the Chamber today in which maps produced by Vodafone, EE or whoever appear to demonstrate good coverage in our constituencies, but the coverage on the ground is just not there. Is the Minister challenging the providers on their data?
Kanishka Narayan
I thank the hon. Member for raising that point. I will come to that question, because I recognise the gap between the aggregate picture and the experience felt on the ground.
Let me return to aggregate investment. To ensure that investment delivers coverage improvements for communities right across the UK, including in rural areas, we continue working to identify and address barriers to deployment where it is practical to do so. I may not share the significant expertise and experience of my hon. Friend the Member for Carlisle (Ms Minns) with matters of spectrum, but I certainly share her enthusiasm. When I was an undergraduate student, the global example of the last Labour Government on auction design and the 3G spectrum was very much a part of my curriculum. In that spirit, I hope to take her advice and continue the spirit of Labour, not that of the last Conservative Government or of the Liberal Democrats, who were complicit in the auction challenges of that Government.
The focus on investment includes implementing the remaining provisions of the Product Security and Telecommunications Infrastructure Act 2022. I can confirm to my hon. Friend that the Government are considering where planning rules could be relaxed to support the deployment of mobile infrastructure.
The shadow Minister mentioned the call for evidence, which is due to close on 26 February. In the usual spirit, I can confirm to him that we will make a prompt statement to the House, but I am afraid I cannot give him a specific date on this occasion.
On the reporting of mobile coverage, Members across the House are totally right to highlight the issues with its accuracy in some cases. I feel very personally the depth of their frustration; although I cannot condone the semi-kidnapping experience described by the hon. Member for East Grinstead and Uckfield (Mims Davies), she has my particular sympathies for her pre-Valentine’s break-up with Vodafone. Accurate coverage data is essential for consumers: it allows more informed decisions as to which operator provides the best level of service for life, work and travel.
The way for someone to report poor signal in their area is to go to ofcom.org.uk, enter a postcode, select a provider and then provide coverage feedback—if they can get a signal. That is the irony for many of us who have to drive around rural areas trying to give feedback, hence Vodafone’s parliamentary affairs person very kindly allowing himself to be actively kidnapped to drive around and see the reality.
Kanishka Narayan
I confirm to the hon. Member that there is no sense of judgment on the Government Benches on the conduct of her cause.
The Government continue to work with Ofcom to improve the accuracy of reported mobile coverage, building on the launch of its Map Your Mobile tool in June last year. I am glad that hon. Members recognise that that is reflected in the draft statement of strategic priorities for telecoms, spectrum and post, which the Government laid before Parliament yesterday. It will remain a firm priority for the Government, and I will make sure to represent to my noble Friend the Minister for Digital Economy the concerns that have been raised today.
More accurate coverage data also allows us to understand coverage gaps. Addressing these gaps requires investment by the mobile network operators. The Government recognise that the investment climate has been difficult for the mobile sector over recent years. We are committed to working with industry to support its investment in our networks. That is why we are undertaking a mobile market review to understand the factors impacting the sector’s ability to invest, and I know that the recent digital communities APPG report calls for an independent review of the digital connectivity landscape. The mobile market review and the accompanying call for evidence, launched on Tuesday, will enable the Government to consider what we can do to support the sector too. Through the call for evidence, we are looking to gather views on the quality of mobile service and level of coverage required to harness the full benefits of stand-alone 5G, as well as where our ambitions on stand-alone 5G should go further still.
As Members will be aware, as part of our work with industry, the Chancellor and the Secretary of State chaired a roundtable yesterday with CEOs of major UK telecoms firms to discuss investment challenges, as well as agreeing to a telecoms consumer charter, which looks to strengthen transparency to empower consumers, as well as to improve support for those struggling to pay. On the provision of reliable 4G connectivity, I know it is essential to many. At the spending review in 2025, the Government committed to continuing to deliver 4G coverage in areas with little or no coverage. The shared rural network has helped to deliver 4G mobile coverage to 96% of the UK land mass from at least one operator and to 81% from all four. The publicly funded elements of the shared rural network will continue to deliver improved coverage up to January 2027, with over 100 masts already delivering new coverage across the UK.
Where there is no mobile coverage, we are starting to see some positive developments in the satellite direct-to-device market. To the point made by the hon. Member for Caerfyrddin, I also share her enthusiasm and hope for cost reductions as we have greater competition in that market. The UK is taking a pioneering step in enabling direct-to-device connectivity, moving ahead of European counterparts to unlock connectivity as well as growth across remote parts of the UK. Those developments have the potential to increase the resilience of our services and provide a back-up for crucial ones should terrestrial networks face disruption.
Having coverage alone is clearly not important enough by itself. As Members have raised very clearly, there needs to be confidence that mobile networks will be available in the most difficult of times and that they are secure against threats. Though the Telecommunications (Security) Act 2021 introduced a world-leading regime for the protection and security of such contexts, I know that there is more work to do. In particular, I appreciate the points made right across the House on the resilience of mobile services to power cuts. We welcome that Ofcom is completing a detailed regulatory review on that question. I will make sure that the points raised today are represented as part of Ofcom’s considerations, and in particular I will be sure to convey the concerns of my hon. Friend the Member for Carlisle around possible ways of ensuring duration of support as backstops. We will ensure that the guidance for public telecommunications providers reflects evolving technologies and emerging threats, taking into account input from industry and expert advice from the National Cyber Security Centre.
Before I finish, I will address specific points raised by Members. To the hon. Member for East Grinstead and Uckfield, I would be happy to make sure that the Minister for Digital Economy meets her as part of her recurring surgeries. To my hon. Friend the Member for Camborne and Redruth, I know that he is a strong cross-Government champion for Cornwall on all matters and I will continue to make sure that we play our part in supporting the strength of his advocacy. To the hon. Member for Caerfyrddin, there are three Home Office masts in her patch and two are already activated as part of the shared rural network. I will be happy to engage with her through correspondence on her particular concerns about those masts, should she wish to raise that. To the hon. Member for Berwickshire, Roxburgh and Selkirk who, with my hon. Friend the Member for Carlisle, raised the point on 2G and 3G switch-off, though the expectation is that operators will provide broadly equivalent levels of coverage after switching off 2G, I have heard his concerns and will make sure that both the Minister and, as a consequence, the regulator are focused on the complete delivery of that aspiration.
Finally, I am conscious that the hon. Member for Berwickshire, Roxburgh and Selkirk also asked about smart meters, as did the hon. Member for East Grinstead and Uckfield. The Data Communications Company is obligated, under the conditions of its licence, to provide smart meter network coverage to at least 99.25% of premises across Great Britain. One solution for those who do not currently have smart meter wider area network coverage, which the DCC and Government have decided to focus on, involves harnessing customers’ broadband connections to also carry out smart metering communications. We are looking at how we can use modified smart meter communications hubs, as well as additional devices, to plug the gap. That is not to say that we will not continue to focus on how we can ensure mobile connectivity plays its part in that context as well.
I am sure you wish for me to come to a prompt conclusion, Madam Deputy Speaker. First and foremost, I thank the hon. Member for North Shropshire, as I do all hon. Members for their contributions. I will continue, with them, to champion mobile connectivity across our rural communities.
(1 month, 1 week ago)
Written Statements
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I am repeating the following written ministerial statement made today in the other place by my noble Friend, the Parliamentary Under-Secretary of State for Digital Economy, Baroness Lloyd of EFFRA.
I am today laying before Parliament the Government’s draft statement of strategic priorities for telecommunications, the management of radio spectrum, and postal services.
Digital connectivity is at the foundation of our economy and society and underpins almost every part of daily life. The strength, security, and resilience of our digital infrastructure matters deeply to people, business and the economy in the UK.
This statement builds a vision for the UK’s digital future that is enabled by high-quality, secure, reliable and affordable connectivity. It outlines the Government’s strategic priorities and desired outcomes across a number of areas, including: fixed and mobile telecoms, digital inclusion through empowered and confident consumers, telecoms modernisation, the management of radio spectrum, telecoms security and resilience and the postal services.
The statement follows a statutory consultation that ran between 21 July 2025 and 18 September 2025. Around 70 stakeholders with interest and expertise across the policy areas covered by the statement responded to the consultation, including telecoms companies, trade bodies, local authorities and consumer groups. I would like to thank all respondents for taking the time and effort to respond.
These strategic priorities have been designed to support this Government’s ambitions for growth and for agile, responsive regulation that encourages innovation to support these growth goals. They have also been designed to deliver our vision for an inclusive digital society, where consumers are empowered and confident when engaging with the market.
As the independent regulator, Ofcom must have regard to the priorities set out within the statement when exercising its functions. We are committed to working with Ofcom and industry to drive forward progress against these priorities to build a UK that will have the connectivity it needs, whatever the future holds.
I intend to designate the statement for the purposes of section 2A of the Communications Act 2003 after the end of the statutory “40-day period”—as defined in section 2C of the Act—unless either House of Parliament resolves not to approve it within that period.
[HCWS1325]
(1 month, 1 week ago)
Public Bill Committees
The Chair
With this it will be convenient to discuss:
Clause 16 stand part.
New clause 6—Inclusion of ransomware attacks in the NIS Regulations—
“In regulation 1(2) (interpretation) of the NIS Regulations—
(a) in the definition of ‘incident’, after ‘systems’ insert ‘or a ransomware attack which is targeted at the security of network and information systems’;
(b) after the definition of ‘online search engine’ insert—
‘ransomware attack’ means a cyber-attack involving a type of malicious software that infects a victim's computer systems, can prevent the victim from accessing systems or data, impairs the use of systems or data or facilitate theft of data, and in relation to which a ransom is demanded for access to be restored or for data not to be published.”
This new clause would include ransomware attacks in the definition of “incident” in the NIS Regulations.
New clause 7—Impact of reporting requirements on relevant bodies—
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish and lay before Parliament—
(a) a review of the impact, on relevant bodies, of—
(i) the requirements relating to the notification of incidents in Parts 3 and 4 of the NIS Regulations (as amended by this Act); and
(ii) any additional incident notification requirements made by regulations under this Act; and
(b) proposals for the creation of a single cyber incident reporting channel for relevant bodies.
(2) A review under this section must consider –
(a) the costs of requirements on relevant bodies; and
(b) interactions with other incident reporting regimes.
(3) In this section, ‘relevant bodies’ means operators of essential services, critical suppliers or digital service providers, as defined by the NIS Regulations.”
This new clause would require the Secretary of State to review the impact of incident reporting requirements on relevant bodies, and to set out proposals for a single incident reporting channel.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will begin by discussing clauses 15 and 16. Clause 15 updates the incident reporting provisions in the Network and Information Systems Regulations 2018. Under the current regulations, organisations are required to report incidents only once they have had a significant impact on service continuity. It is widely recognised that this is too narrow, and results in a range of concerning incidents going unreported and a distorted picture of how secure and resilient the UK’s essential services actually are.
To take two examples: a ransomware attack where confidential data has been exfiltrated from an organisation without an immediate impact on service would not be reportable; nor would a pre-positioning attack, where a hostile actor has hacked into a network and is in a position to cause significant disruption down the line, such as to the provision of drinking water. That cannot be right, and does not reflect the cyber-threats that critical services face.
To ensure such incidents are caught, the clause sets a new, wider definition of incidents that must be reported. The focus is now on incidents that have successfully affected the security or operation of an organisation’s network and are likely to have a significant UK impact, which will ensure that regulators and the National Cyber Security Centre are fully aware of the range of cyber-threats affecting the UK’s essential services.
The Bill sets out the factors that should be considered when assessing whether an incident has had, or is likely to have, a significant impact in the UK—including, crucially, whether the confidentiality, authenticity, integrity and availability of data have been compromised. The Government will provide further clarity in secondary legislation, setting out thresholds for each sector for when an incident is considered to have had, or be likely to have, a significant impact. That will be consulted on before it is introduced. Taken together, it means that only meaningful incidents are reported. Over-reporting has been a concern raised by hon. Members throughout the Bill’s progress, so I stress this point: things such as unsuccessful phishing emails will clearly not be reportable, as they would not be likely to have a significant impact.
Given our economy’s systemic dependence on data centre facilities, for that sector alone we will also ensure that Ofcom and the NCSC receive reports on a wider range of potential incidents and near misses. That ensures that not only immediate disruptions but incidents posing future risks are reported.
Clause 15 also streamlines the reporting process for all NIS sectors. It ensures that incident notifications and reports go to the NCSC at the same time as the regulator. It also sets out what those organisations can do with the information they receive, including how the information can be shared to manage the wider impacts of an incident or prevent future incidents. Finally, the clause introduces faster reporting, so that the NCSC and regulators are informed within 24 hours of entities becoming aware that a reportable incident is taking place.
The 24-hour notification will be light touch, but will enable the NCSC and regulators to offer faster support to minimise the negative impacts of the incident. Fuller details will need to be reported within 72 hours of the entity becoming aware that a reportable incident is happening. The changes will protect the UK’s essential services, ensuring that the NCSC and regulators are able to provide the best support that they can.
Clause 16 sets out requirements for managed service providers, relevant digital service providers, and operators of data centres to inform customers who are likely to have been adversely affected by a reportable incident. Under the current regulations, there is no requirement for any regulated entity to inform its customers if it has been impacted by a reportable incident. That may have made sense when the NIS regulations were more heavily focused on operators of essential services and the primary concern was service disruption, but it would be an inexcusable omission now that the Bill is expanding to include managed service providers and operators of data centres, in addition to the digital service providers already in scope.
These are organisations that, if compromised, could leave their customers’ systems, data or services exposed or inaccessible. In such circumstances, it is vital that their customers are notified, so that they can take whatever steps they need to in order to mitigate those risks.
Bradley Thomas (Bromsgrove) (Con)
I have two points for the Minister to address. First, could he clarify whether an organisation would face repercussions if a regulator believed in retrospect that notification should have been provided sooner? Secondly, on customer notification, can the Minister address the concern around striking the right balance between informing the customer and ensuring that the update that they receive is meaningful and not so vague that it causes further distress or worry?
Kanishka Narayan
I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.
On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.
Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.
Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
New clauses 6 and 7 sit together and are linked by the same practical concern regarding clarity and workability when an incident is unfolding.
I will start with new clause 6. Ransomware is no longer an occasional or unusual cyber-event; it is now one of the most common and disruptive threats facing essential services, digital providers and their supply chains. Written evidence to this Committee was clear that ransomware incidents are now routine, high-impact events, and that uncertainty at the outset of an attack often makes the consequences worse. The Bill rightly broadens the definition of an incident to capture events that are capable of causing harm, not just those that already have. That is the right direction of travel, but when organisations are under pressure, particularly in the first 24 hours of an incident, uncertainty slows action. Time is lost debating definitions rather than focusing on containment, escalation and reporting.
New clause 6 addresses that problem directly. It makes it explicit that a ransomware attack is an incident for the purposes of the NIS regulations, and sets out clearly what is meant by ransomware attack. It would not create a new duty; it would remove doubt from an existing one. Clear definitions support better behaviour when organisations are operating under real pressure.
New clause 7 follows naturally from that point. If we want faster and clearer reporting, the system into which organisations are reporting has to work in practice, not just on paper. The Bill expands reporting requirements and introduces new notification duties. That is understandable, but UK Finance told the Committee that many firms already support cyber-incidents under multiple regulatory regimes and that additional reporting layers risk duplication rather than resilience. When an incident is live, that duplication causes friction, slows the response and increases costs. It can reduce the quality of information being shared because teams are stretched across parallel processes rather than focused on managing the incident itself.
We do not seek in new clause 7 to reopen the policy intent of the Bill; the new clause would require a review, once these changes are in force, of how the reporting requirements are working in practice. That review would consider costs and interactions with other reporting frameworks. The new clause would also require that proposals for a single cyber-incident reporting channel be published. That is not a bureaucratic exercise; it reflects concerns raised in evidence that resilience is undermined, not strengthened, when reporting becomes fragmented at moments of stress.
Taken together, new clauses 6 and 7 are about making the system clearer at the front end and more usable overall. Clear definitions encourage timely reporting and coherent reporting channels make that reporting effective. I hope that the Committee will give serious consideration to both new clauses.
Emily Darlington (Milton Keynes Central) (Lab)
I have a few questions for the Minister. I appreciate the clarity that the Bill brings to many of the services in its scope. I would like to understand how the definition of “incidents” will relate to hardware vulnerabilities that are discovered within a company, as we heard from some of the people who gave evidence to the Committee. It is unclear in the Bill. Perhaps it will be further defined in secondary legislation.
I want to understand how an incident in which someone discovers a vulnerability in hardware—such as in a system-in-package—is reported, and how that information is then delivered by the regulator to other companies in the sector that may have similar technology, and to the other regulators, which may also want to flag that technology as a particular vulnerability. Is that defined as an “incident” or is it defined somewhere else in the Bill? I am a bit confused and am looking for some clarity.
Kanishka Narayan
Having been promoted from a position of mere confidence to faith, I will tackle questions from the hon. Member for Runnymede and Weybridge first and foremost. On the question of thresholds of incident, the Bill sets out the severity of the sorts of incidents that we expect reporting obligations to apply to, and at the same time it ensures that it is proportionate in understanding that sector-specific thresholds ought to be precisely that—sector-specific, set closely with relevant entities in that sector, and working with the expertise of the relevant regulators. For that reason, it has not been specified more fully on the face of the Bill.
On information sharing, not only is there provision for the specific sets of purposes for which information sharing ought to take place between regulators, but there is a further check on the proportionality of that, through a particular requirement, to ensure that information that is shared in incident contexts is done precisely for the purposes set out in the Bill, and in a way that is proportionate.
My hon. Friend the Member for Milton Keynes Central raised the question of hardware impacts. While the focus of the Bill is primarily on network and information systems, the test, as I think of it, would look at whether any compromise in network and information systems related to a piece of hardware triggers the severity of the impact, or potential impact, to be reportable. In the event that it is reportable, in its severity and potential impact, it will require notification—to the regulator and, when customers are directly impacted in the way that is set out in the Bill, also to the customers. The test is focused on whether network and information systems are engaged, and whether the impact of any incident is likely to be severe enough, in light of the thresholds set out in the Bill.
Lincoln Jopp
My hon. Friend the Member for Bromsgrove raised the case of M&S, which would clearly be out of the scope of the Bill. However, it has a managed service provider, so it is a bit like the JLR case. I am still looking for some certainty as to whether JLR and M&S would come within the scope of the Bill by dint of the fact that they have managed service providers, which are within the scope. I am still not 100% clear on the answer to that question. I would be grateful for greater clarity from the Minister.
Kanishka Narayan
I hope this does offer the clarity that the hon. Member seeks. While I will not refer to specific businesses, broadly speaking the sector of food supply is not within the scope of the Bill; the obligations on operators of essential services or direct entities that are within the scope of the Bill will not apply.
However, if—in a hypothetical situation—a managed service provider within the scope of the Bill supplies to that business, the managed service provider would be within the scope of the Bill’s requirements. The customer—in this case, the food supply business—may, if the severity applies, be in receipt of reports from the relevant MSP, in this particular context. They will not be caught up in the full set of obligations in the Bill, but we would expect customers to be notified of incidents where the severity thresholds are met. I hope that gives the hon. Member some clarity.
Lincoln Jopp
I am grateful to the Minister for giving way a second time. I understand his answer, but, to be clear, if an incident that meets the severity threshold is reported to a client who is out of scope, would that bring any obligation to report in the normal way?
Kanishka Narayan
Under the provisions of this Bill alone, only the entities specified as critical suppliers or operators of essential services—the relevant digital providers and so on—would be caught up in obligations if an event occurred. Assuming neither of those is true of a food supply business, the Bill’s provisions would not apply.
At the same time, in the sort of incident that the hon. Member describes, we would expect the NCSC to be deeply engaged, assuming severity thresholds and wider risks are applied. We would work closely on that operationally and I am sure we would look at how that business could be supported more widely. But the Bill’s provisions are really focused on the sectors, and entities within those sectors, that have an immediate threat to day-to-day operations such as a potential threat to life. There are reasons, which we can get into later, as we have done previously, why we set the sectoral scope in that way.
New clause 6 seeks to clarify that a ransomware attack falls under the definition of “incident” within the NIS regulations. I share the concerns of the shadow Minister and the hon. Member for Bognor Regis and Littlehampton about the significant disruption that ransomware attacks can cause. Indeed, last year we saw the impact of the ransomware attack on Synnovis, a supplier to the NHS, which resulted in the delay of 11,000 out-patient and elective procedure appointments. The hon. Member for Bognor Regis and Littlehampton and the shadow Minister are quite right that this kind of attack should be considered an incident under the NIS regime. Because of the changes to incident reporting introduced by the Bill, I can confirm to the Committee that ransomware attacks will be in scope.
The Bill updates the definition of “incident” so that it applies to any event that has, or is capable of having, an adverse effect on the operation or security of network and information systems. Ransomware attacks already fall well within that definition. Although I welcome the principle and intent behind the new clause, its content is already addressed by the Bill. I hope that assures hon. Members across the Committee.
New clause 7 would require the Government to publish a review of the new incident reporting regime within a year of the Bill’s receiving Royal Assent. It is important that the effectiveness of the NIS regulations, including the reforms to incident reporting introduced by the Bill, should be reviewed periodically. That is why the Bill requires the Government to conduct a review and lay it before Parliament once every five years. That timeframe will enable the new regime to bed in and allow a meaningful period of time to measure change before the Government report on its effectiveness. As my hon. Friend the Member for Stoke-on-Trent South said, notwithstanding her and the shadow Minister’s confidence in me and the Government, to publish a review after only one year would risk giving an incomplete picture, as regulators and regulated entities may still be transitioning to the new processes.
The new clause would also require the Government to publish proposals for a single reporting platform for cyber-incidents, again within a year of the Bill’s passing. We have heard the clear ask from businesses to minimise the time they spend filling in different reporting templates following an attack, to ensure they can prioritise the technical response. I share the concerns of the hon. Member for Bognor Regis and Littlehampton, and we are exploring all options to enable a proportionate and efficient reporting system. That said, setting a fixed time limit of one year to develop proposals does not reflect the inherent complexity of the task and the need to get it absolutely right for the businesses in scope of the Bill, not least because the proposals will need to be rigorously evidenced, consulted on and tested. For those reasons, I am unable to accept the new clause.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16 ordered to stand part of the Bill.
Clause 17
Powers to impose charges
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.
The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.
The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.
Bradley Thomas
I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?
Kanishka Narayan
I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.
On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.
The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.
I commend the clause to the Committee.
Clause 17 will amend the NIS regulations to provide a framework for regulators to impose charges on regulated entities to recover the costs incurred by them in carrying out their supervision and enforcement functions. The Government’s explanatory factsheet supporting the Bill suggests that those changes are needed to ensure that regulators are
“better resourced to carry out their responsibilities.”
We have heard at length from witnesses in oral evidence sessions that resourcing is a key consideration for regulators in meeting their new and expanded obligations under the Bill. The concept of our regulators’ being better funded is good. However, as with much of the Bill, the lack of detail around the regulator charging model is causing uncertainty among regulated entities that would be liable to meet the associated costs.
Kanishka Narayan
The shadow Minister raised two main points that I am keen to address. The first was about ensuring that I committed to next steps on potential guidance for the charging scheme. I can confirm that the Government will issue guidance for competent authorities. That will include general directions on how the fee regime ought to be implemented. At the same time, we do not intend to be prescriptive as to how competent authorities should recover costs to benefit from their experience and practice in setting up these regimes. It is important that each regulator is able to tailor their fee regime in a way that is consistent with and complementary to the state of their sector.
Lincoln Jopp
On the subject of charging and money, has the Minister had the opportunity to revisit his own impact assessment on the basis that there might be a glitch in the matrix? It says on multiple occasions that the hourly salary for a contract lawyer is £34 an hour. When we discussed it last week, I contended that this was totally unrealistic, probably to a factor of 10.
Kanishka Narayan
I am reminded of the hon. Member’s point last week. I am happy to write to him on the basis of the precise figure in the impact assessment, which I understand to be based on not just an extensive survey but the application of subsequent uplifts. I am more than happy to continue that conversation in correspondence.
On factors that ought to be considered in setting up charging schemes, I mentioned some, such as size and turnover, but I will flag that those are suggestive and indicative rather than exhaustive factors that regulators may consider. Regulators ought to be able to set different levels of fee for different types of organisations. There is also provision to exclude organisations from a charging scheme altogether if it would be disproportionate or counterproductive to include them. It is appropriate that regulators and competent authorities can vary their charging schemes in the light of that.
On current regulatory performance and its correlation with charging schemes, I have not observed any direct correlation. What I have seen, simply, is that some regulators are clearly doing well. We heard in evidence from a range of participants that in some cases things are working particularly well and that, in others, there is more scope for improvement. That is precisely why the Bill sets no fundamental lowest common denominator for how regulators ought to approach either charging or their enforcement duties; instead, it ensures that we are conducting oversight of each regulator as robustly as possible. I assure hon. Members that the question of regulatory enforcement is central and that the motivation behind the charging scheme is precisely to ensure that regulators are well resourced to implement the Bill.
Question put and agreed to.
Clause 17 accordingly ordered to stand part of the Bill.
Clause 18
Sharing and use of information under the NIS regulations etc
Kanishka Narayan
I beg to move amendment 14, in clause 18, page 38, line 31, at end insert—
“(aa) otherwise in connection with—
(i) the security and resilience of network and information systems, or
(ii) any other matter relating to cyber security and resilience,”.
This amendment would allow NIS enforcement authorities to share information with persons listed in regulation 6(2) (inserted by clause 18), and such persons to share information with NIS enforcement authorities, for purposes relating to the security and resilience of network and information systems or cyber security and resilience.
The Chair
With this it will be convenient to discuss the following:
Government amendments 15 to 18
Clause stand part.
Kanishka Narayan
The clause introduces vital reforms to how information can be shared in the context of the NIS framework. Right now, as we have heard again and again from both hon. Members across the Committee and witnesses, the NIS regulations have limitations that restrict how and with whom information can be shared. That has serious implications for the effectiveness and efficiency of the regime, including business burdens as well as the ability of the UK’s authorities to act on national security or criminal intelligence.
One important limitation in the current regulations is the inability of regulators to share information with many public authorities in the UK and vice versa. For example, NIS regulators currently cannot share information to support the evaluation of the NIS framework or policy development relating to cyber-resilience and national security. The clause addresses those concerns by enabling information to be shared between NIS regulators and UK public authorities, including the Government. That will be done for the purposes of supporting the NIS regulations as well as wider objectives alike, reducing business burdens and for national security and crime purposes.
The clause also imposes strict requirements and safeguards on how the information can be further shared. The net effect of the changes will be fewer burdens on business, better and more informed regulatory decision making, joined-up incident response and improved security for the United Kingdom.
Government amendment 14 makes targeted but important changes to the clause. It proposes a further ground for sharing information focused on wider cyber-security and resilience outside the context of the NIS regulations and NIS sectors. In practice, it means that NIS regulators will be able to share information with regulators who are responsible for overseeing the cyber-security and resilience of other vital sectors under different regulatory frameworks and vice versa.
The amendment is a crucial addition to the Bill. It means that the UK’s regulators can think holistically about the risks that their sectors are facing, the interventions they propose to take and the obligations they are placing on business. That in turn will mean better outcomes, more effective and informed incident response, more co-ordinated oversight and lower business burdens.
The amendment will be particularly important in supporting co-ordination with the financial regulators responsible for the critical third parties regime, which could be used to designate organisations already in scope of the NIS regulations such as cloud service providers. It also anticipates the need for co-ordination for other sectors, such as civil nuclear and space, in the future. In short, the amendment is necessary to ensure that UK regulators can take a more co-ordinated approach to protecting the UK’s most essential services.
Government amendments 15 to 18 are consequential on amendment 14. I urge the Committee to support the amendments, and I commend clause 18 to the Committee.
Clause 18, which the Government seek to modify through amendments 14 to 18, creates new pathways for information sharing between regulators, public authorities and Government Departments. It also creates a power for NIS enforcement authorities to share information with relevant overseas authorities for specified purposes. The new regime is intended to remove gaps and ambiguities in the existing framework governing the sharing of information obtained in the course of competent authorities and the oversight role of NCSC, and to create legal certainty in this domain.
In turn, it is anticipated that greater information sharing will assist with the detection of crime, enforcement activity and awareness of emerging cyber-risks and with ascertaining the effectiveness of the NIS regulations in building UK cyber-resilience. In particular, the Bill creates a new gateway to ensure that NIS regulators can share information with UK public authorities, and vice versa, as well as sharing and receiving information from organisations outside of the NIS framework, for example other regulators or bodies such as Companies House.
The Bill strengthens safeguards on how information can be used once it has been shared under the NIS regulations by restricting onward disclosure. More effective information sharing will be vital for competent authorities to keep up to date with emerging risks and building resilience in their sectors, and the new measures were broadly welcomed by regulators in our oral evidence session.
However, industry bodies such as techUK have called for further detail on the new information-sharing regime. What steps are the Government taking to ensure that regulators share responsibility for protecting sensitive data, and that information-sharing processes are coherent, proportionate and secure? Could the Minister elaborate on the discussions he has had with regulators on those matters, and on how secure information sharing will work in practice?
Finally, on the detail of the text in Government amendment 14, proposed new paragraph (aa)(ii) refers to persons
“otherwise in connection with…any other matter relating to cyber security and resilience,”.
Given that this is an information-sharing power, that seems a remarkably broad “any other matter” provision. What disclosures that are not already covered in the Bill does the Minister conceive will come up in that scope? What guidance or consultation will the Minister produce to make sure that such powers are proportionate and not at risk of abuse?
Emily Darlington
Again, I welcome the Government amendments and clause 18; they are important to enabling us to share our vulnerabilities in an appropriate way with those people who may be involved. However, some of the aspects of those vulnerabilities that security services—GCHQ, His Majesty’s Government Communications Centre and others—raised with us relate particularly to not only foreign interference, but the potential for interference through technology embedded in our networks. How does the Minister see the measures working within our co-operation with different foreign nations, particularly during these volatile times?
Kanishka Narayan
In response to the shadow Minister’s first question about ensuring sensitive handling of shared information and proportionality, all information handled by regulators ought to be treated carefully and with awareness of its importance. The regulators have to act reasonably, and the NIS regulations specifically require information obtained from inspections to be held securely. Of course, data protection laws apply to regulators as well. Alongside that, regulators will be required to consider the relevance and proportionality of sharing their information to the purposes set out in the Bill; as I have mentioned, the Bill includes specific purposes for why information might be shared.
Kanishka Narayan
Clause 19 sets out that regulators must provide guidance on specific issues, including security requirements and incident reporting notifications. Guidance already plays an important role in supporting the implementation of the NIS regime. We have, however, identified some areas where regulated entities would benefit from additional clarity. The clause ensures that every regulated sector has the guidance they need from their sectoral regulators to help them to comply. To ensure consistency across regulators, the clause also requires regulators to co-ordinate with each other when preparing guidance relating to designating critical suppliers. The clause also requires regulators to consider guidance published by the Secretary of State such as the code of practice when preparing guidance on the security and resilience requirements. That will ensure that regulators consider good practice recommendations and take more consistent approaches to preparing guidance.
Clause 19 amends the NIS regulations and will require regulators to publish guidance on the security and incident reporting requirements of regulated sectors. In formulating their guidance, regulators are under a duty to co-ordinate and consult with other regulators to ensure consistency as far as is reasonably possible. Relevant provisions in the code of practice, to be issued by the Secretary of State under clause 36, must also be taken into account. Newly regulated entities will, no doubt, welcome proportionate guidance on meeting obligations, and existing regulated entities will appreciate any streamlining that comes from consultation between regulators and their approach. Can the Minister provide further details about whether consultation between regulators and the Secretary of State is under way on a consistent approach to regulation?
Kanishka Narayan
As I have mentioned to the shadow Minister, the Minister for Digital Economy, the Secretary of State and I have engaged with a number of the regulators in scope here. Both those conversations, and the broader framework of this Bill, are intended to drive consistency across sectors through common security requirements, clear guidance and a statement of strategic priorities, which will set objectives that regulators must seek to achieve. I hope that is sufficient assurance not only that those conversations have started, but that they will be a fundamental focus as we ensure consistent regulation across the board.
Question put and agreed to.
Clause 19 accordingly ordered to stand part of the Bill.
Clause 20
Powers to require information
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.
While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.
New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.
Bradley Thomas
Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?
Lincoln Jopp
In terms of scope, could the Minister give us some sense, when it comes to managed service providers, whether the purpose behind this clause is to enable regulators to find out their entire client list? I would be grateful for some clarity on that point.
Kanishka Narayan
I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.
To the shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.
Will the Minister talk through what the data exchange flow chart will look like? How will it work in practice? Will the OES proactively contact the regulator and say, “We have all these suppliers—go play”? Will the regulator contact the OES and say, “Give us a list of all your suppliers, and then we are going to start an investigation programme and decide what data we need”? What is the direction of communication in practice? Or—perhaps even worse—will the burden be on suppliers to an OES to contact the regulator and say, “Could we possibly be in scope?” How will it shake out in practice?
Kanishka Narayan
Although I will not specify prescriptively what the activity and flow ought to be, I can share from my experience that many large-scale businesses—and indeed many medium and small-sized businesses—have a very clear business continuity plan mapping their critical suppliers. In this case, I would expect the regulator and the regulated entities to engage. Who sends the email first is an open question, and I would not want to specify it in the Bill, but I would expect each regulator and their regulated entities to work very closely to understand the critical suppliers that meet the tests specified in the Bill, and to engage with those critical suppliers as a consequence.
The Minister has mentioned business continuity plans a second time as a justification for not going into detail on this, but the whole reason for the Government bringing in the powers in clause 12, and the designation of critical suppliers, is that there was no business continuity plan in place in the example of Synnovis. I do not see how that argument gets away from the need for clarity, for organisations that could be at risk of being in scope of being assessed and designated as a critical supplier, about what actions they have to take in response to regulation, proactively or otherwise, and the burdens on them. We have just discussed the cost of enforcement, which risks essentially becoming a cyber-security tax.
Kanishka Narayan
I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.
I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.
Lincoln Jopp
I might have to remind myself. I asked the Minister whether the purpose of this clause is for a regulator to be able to ask a managed service provider what their entire client list is, in order to make various assessments.
Kanishka Narayan
I thank the hon. Member for asking and repeating the question. The purposes of the provisions on information requirements are focused on ensuring that regulators can conduct their duties as provided by the Bill. I would not expect information notices to require an exhaustive list in every instance, but instead to primarily focus on a more proportionate set of asks relating to risk vectors to the security of the regulated entities and to wider national security and cyber-security.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Financial penalties
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 21 reforms the enforcement regime for the NIS regulations. It seeks to ensure that providers of the UK’s most essential services are complying with their obligations under those regulations. Where they are not, it will allow for more meaningful penalties that reflect the risks they introduce to our society and economy as a whole. To do that, the clause makes a number of critical changes.
First, the clause introduces a new penalty maximum based on turnover. The current maximum penalty is £17 million, which can appear disproportionately large for smaller organisations, but could also easily be absorbed by larger ones as the “cost of doing business.” The clause therefore increases the penalty limits from £17 million to a maximum of £17 million or 4% of annual turnover, whichever is higher. I am confident that that strikes the right balance within the UK regulatory context. It brings the regime in line with other UK legislation that regulates cyber-security, such as part 1 of the Product Security and Telecommunications Infrastructure Act 2022, without rushing uncritically to the more severe penalties we see in other CNI regulation.
The second change is to create a simple two-band penalty structure that will provide much-needed clarity to regulators and industry about the penalty tiers for specific acts of non-compliance.
Bradley Thomas
On the point about banding, can the Minister assure us that there will be consistency applied across regulators so that different events are not differentially penalised depending on the regulatory body? On the question of turnover and the financial penalty, can the Minister elaborate on how the figure was derived?
Kanishka Narayan
I thank the hon. Member on both fronts. On the penalty bands, clearly defined parameters are set out in the Bill, and my hope is that that increases the effectiveness, the clarity and—at the heart of it, to his question—the consistency of application we expect across regulatory regimes.
As I mentioned, the 4% figure for the maximum penalty in part referenced existing UK regulatory regimes and legislation that were felt to be the most comparable. In part, it was judged to be an appropriate, proportionate maximum, based on relevant concerns around the appropriate level of deterrent effect, the proportionate level of fine, the regulatory precedent and the broader impact on investment and the economy as a whole, notwithstanding the significant cyber-security costs businesses already experience.
The second change in the clause is intended to eliminate the confusion surrounding the definition of a “material contravention” in the current regulations. Finally, the clause ensures that regulators can consider a wider range of factors when determining what constitutes an appropriate penalty. Where mitigating steps have been taken to address a breach, that should be acknowledged, but so too should the impacts of the breach and any history of compliance or non-compliance.
To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed.
Lincoln Jopp
This is really where the regulatory rubber hits the road. Earlier, we described cases involving a client who is not in the Bill’s scope but who employs a managed service provider that is, and that is therefore vulnerable to these charges. What happens when there is an interface between a client employee operating an IT system and what the managed service provider does? For example, someone could bring in a data stick, shove it in the side of a computer and break the rules, eliciting some form of ransomware. How will it work when the regulator goes to the managed service provider and says, “Here’s your £10 million fine,” and the client says, “That is down to you”? It is going to be a lawyer-fest, isn’t it? Even lawyers who get paid more than £34 an hour are going to make quite a lot of money.
Kanishka Narayan
Just so that I am clear, not least for future records, I think the case described is one where the client is not in the Bill’s scope but is provided to by an MSP that is in the Bill’s scope, and where the relevant responsible individual is in the client business as an employee or agent of that business. The hon. Gentleman raises an important point. Both the obligations and the defined focus of the Bill are on regulated entities. In this instance, if the individual is not in the regulated entity and the regulated entity has complied with the entirety of the wider cyber-security reporting obligations in the Bill, we would look to other venues of legal action against the individual in question. It would be challenging for a Bill that does not regulate the entire economy to ensure that every individual and firm unregulated by it is brought into its scope as well. But that is not to diminish the significance of requiring other pieces of law to act on individuals elsewhere.
I will come to my speech, but as we are having a debate on this point, does the Minister’s answer not risk a gilded defensive posture being set up by MSPs? If they list terms and conditions for the use of their services that essentially bar everything, they can say that any liability—if there is ransomware or they get hacked—is completely on the client, as opposed to themselves. Does the Minister’s explanation not risk MSPs taking a very defensive posture to ensure that the client is liable for any problem? Given that the clients are usually not regulated entities, this provision effectively becomes meaningless.
Kanishka Narayan
I can see the shadow Minister’s hypothetical point, but I assure him that if there is some universal, consistent practice on the part of an MSP to avoid liability, where liability should reside with them, that should be in scope of how the regulator assesses the performance of that MSP. Secondly, I assure him that there remains a degree of competition in the MSP market, given the attractiveness of the UK customer and end user market for MSPs. I would therefore very much expect any MSP that adopts a falsely defensive posture of the sort that the shadow Minister describes not only to be assessed as doing so by the regulator, but to fall foul of the competitive market context that we have and want in the UK.
To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed. The clause ensures that that is the case for NIS regulations, and for that reason I commend it to the Bill.
I think I will follow up in writing on my intervention to try to dig down into the explanation of how liability will be laid down when the client is not a regulated entity but is receiving services from regulated entities. That is an important point, because these are quite hefty fines. As my hon. Friend the Member for Spelthorne pointed out, even with £34 an hour lawyers, there will be a lot of industry activity to try to avoid liability in the context of a substantial cyber breach, which can be significant.
More generally, the clause makes significant changes to enforcement practices under the NIS regulations, including to increase the financial penalties regulators can impose for infringement of the regulations, and to set out a clearer system of tiered penalties, based on the severity of infringements. The Government’s impact assessment states that these changes have been made because of concerns reported by regulators that
“enforcement under the NIS Regulations has been constrained by unclear band structures and a maximum penalty which is insufficient to deter non-compliance across all NIS sectors”,
which goes back to my previous point. Enforcement activity under the NIS regulations has been sparse, inconsistent and insufficiently effective to increase cyber-resilience to the levels necessary to meet the proliferating cyber-security risks to our most critical sectors.
Fundamentally, the existing approach to enforcement has not achieved the necessary change in attitude to cyber-risk at the highest levels of regulated entities. It is concerning that board-level responsibility for cyber-security has steadily declined among businesses since 2021, with 38% of businesses having a board member responsible for cyber-security in 2021, compared with 27% in 2025.
The enforcement model clearly needs to be more effective, and increasing fines is only one part of that. Regulatory capacity to undertake supervision and enforcement remains a concern, as does perceived reticence on the part of regulators to impose fines on critical infrastructure providers, due to the risk of destabilising essential services and increasing costs for consumers. In our oral evidence sessions, many witnesses, including Richard Starnes of the Worshipful Company of Information Technologists, raised the issue of greater responsibility at the highest levels of management for cyber-resilience. What assessment has the Secretary of State undertaken of whether changes to the penalty regime are likely to influence board-level attitudes towards cyber-security?
Kanishka Narayan
The shadow Minister makes a really important point: cyber-security must be taken seriously at the highest level—at board level. It is part of the cyber assessment framework, which the Government have put at the heart of how we think about assessing cyber-security in firms as well as public sector organisations. It is also part of the guidance we are looking at in the cyber action plan and our wider cyber-security strategy. I take those very seriously. In terms of making sure that businesses have a razor-sharp focus, the intent of the fine regime is to ensure that there is a deterrent effect and that it is felt at decision-making levels, which must include boards.
Question put and agreed to.
Clause 21 accordingly ordered to stand part of the Bill.
Clause 22
Enforcement and appeals
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Government amendment 19.
Schedule 1.
Kanishka Narayan
Clause 22 sets out, through schedule 1, consequential changes to the regulations in relation to enforcement and appeals. That is to ensure that the regulations work effectively in relation to the new entities brought into scope, such as managed service providers, data centres and large load controllers, so that the enforcement and appeal systems work as intended. Government amendment 19 makes a minor drafting correction. I commend clause 22 and schedule 1 to the Committee.
Question put and agreed to.
Clause 22 accordingly ordered to stand part of the Bill.
Schedule 1
Enforcement and appeals
Amendment made: 19, in schedule 1, page 86, line 33, at end insert—
“(ea) in sub-paragraph (da), after ‘14A;’ insert ‘or’;”.—(Kanishka Narayan.)
This amendment would make a minor drafting correction.
Schedule 1, as amended, agreed to.
Clause 23
Minor and consequential amendments etc
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Government amendments 20 to 22.
Schedule 2.
Kanishka Narayan
Clause 23, through schedule 2, introduces a number of minor and consequential amendments to the NIS regulations, necessitated by the more substantive changes introduced by the Bill. Among other technical changes, the schedule revokes assimilated EU legislation, removes the requirement for an NIS national strategy to be published once a statement of strategic priorities has been designed in its place, and updates references in the regulations to reflect the new clause numbering. Government amendments 20 and 21 make minor drafting corrections.
Government amendment 22 aligns the process for issuing documents, notices and directions under the NIS regulations with the Bill. As it stands, regulators will be required to follow two different procedures for issuing documents, notices and directions under the NIS regulations and under the national security powers in part 4 of the Bill, which is unnecessarily confusing for regulators and regulated entities. Amendment 22 resolves the issue by aligning regulation 24 with clause 57, as amended by Government amendments 23 and 24. I commend amendments 20 to 22, clause 23 and schedule 2 to the Committee.
Question put and agreed to.
Clause 23 accordingly ordered to stand part of the Bill.
Schedule 2
Minor and consequential amendments etc
Amendments made: 20, in schedule 2, page 89, line 35, at end insert—
“(ia) omit the ‘and’ at the end of the definition of ‘relevant law-enforcement authority’;”.
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
Amendment 21, in schedule 2, page 89, line 37, at end insert—
“(iia) omit the ‘and’ at the end of the definition of ‘representative’;”.
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
Amendment 22, in schedule 2, page 91, line 4, at end insert—
“11A (1) Regulation 24 (service of documents) is amended as follows.
(2) In paragraph (1)—
(a) in the words before sub-paragraph (a)—
(i) for ‘or notice’ substitute ‘, notice or direction’;
(ii) after ‘served on’ insert ‘or given to’;
(iii) after ‘served’, in the second place it occurs, insert ‘or given’;
(b) omit the ‘or’ at the end of sub-paragraph (b);
(c) for sub-paragraph (c) substitute—
‘(c) sending it by post to the person’s proper address or by email to the person’s email address.’
(3) In each of paragraphs (2) and (3)—
(a) after ‘document’ insert ‘, notice or direction’;
(b) after ‘served on’ insert ‘or given to’.
(4) In paragraph (4), for ‘service’ substitute ‘documents, notices and directions’.
(5) For paragraph (5) substitute—
‘(5) For the purposes of this regulation, a person’s “proper address” is—
(a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
(b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
(c) in any other case, an address in the United Kingdom at which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of the person on whom it is to be served or to whom it is to be given.
(5A) For the purposes of this regulation, a person’s email address is—
(a) an email address provided to a NIS enforcement authority as an address for contacting that person,
(b) an email address published for the time being by that person as an address for contacting that person, or
(c) if no email address has been so provided or published, an email address by means of which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of that person.’
(6) After paragraph (5A) (inserted by sub-paragraph (5)) insert—
‘(5B) A document, notice or direction sent to a person by email is, unless the contrary is proved, to be treated as having been served or given at 9am on the working day immediately following the day on which it was sent.
(5C) In paragraph (5B) “working day” means a day other than a Saturday, a Sunday, Christmas Day, Good Friday or a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.’”—(Kanishka Narayan.)
This amendment would align regulation 24 of the NIS Regulations with the provisions about giving of directions and notices in clause 57 of the Bill, as amended by Amendments 23 and 24.
Schedule 2, as amended, agreed to.
Clause 24
Key definitions in Part 3
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Table entries inserted into Schedule 1 to the NIS Regulations (designated competent authorities) by the new clauses below, given as sector; subsector; competent authority:
‘Food supply; Food supply chain; The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’
‘Local Government; Local Government; The Secretary of State for Housing, Communities and Local Government’
‘Elections; Electoral infrastructure; The Electoral Commission’
‘Government; Political parties; The Secretary of State for Housing, Communities and Local Government’
New clause 1—Food supply chain to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The food supply chain subsector
11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) after paragraph 10 insert—
(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture, or
(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;
(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
(a) any fish or other aquatic animal,
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism;
“plants” include fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”
This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.
New clause 8—Local authorities to be regulated as essential services—
“(1) The NIS Regulations are amended as follows.
(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The Local Government Sector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph “local authority” means—
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”
This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.
New clause 9—Critical manufacturing and retail sectors—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”
This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
New clause 11—Electoral infrastructure to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The electoral infrastructure subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”
This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.
New clause 12—Political parties to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The political parties subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.
(3) In this paragraph—
“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”
This new clause would designate political parties as providing essential services for the purposes of cyber security.
Kanishka Narayan
Clause 24 defines key terms for this part of the Bill, and in doing so introduces two delegated powers. Those powers enable the Government to bring new sectors into the scope of the NIS regime and to designate regulators to oversee them. The power will be used only in relation to activities that are truly essential to our society and economy—in other words, where disruption could pose risks to life or the economic stability of the UK.
The powers are essential in the rapidly changing world we occupy. As we have seen with data centres and managed service providers, our society and economy can quickly become reliant on new services that are acutely vulnerable to cyber-attacks and system outages. Our legislation must be able to keep up with those changes and protect the services that matter most to our country.
Alison Griffiths
I want to use new clause 1 as a lens to view a wider question that sits underneath clause 24, rather than as a verdict on the clause itself. That question is how we decide, in a disciplined and credible way, which activities are sufficiently critical to be brought into the scope of the regime, and how that judgment is applied consistently over time.
New clause 1 would bring much of the food supply chain directly into scope through primary legislation. I understand the instinct behind that. Food supply is fundamental to public confidence, and disruption would be felt very quickly. However, if the underlying test for inclusion is systemic impact, food is not the only sector that raises these questions. I am vice-Chair of the Business and Trade Committee, and over the past year we have taken evidence on economic security from major UK firms that have experienced serious cyber-incidents. One example everyone here will be familiar with is Jaguar Land Rover. Evidence to our Committee indicated that the cyber-incident there contributed to UK GDP being around 0.1% lower than expected in the third quarter last year, which was not a marginal effect. That reflected disruption to tightly integrated manufacturing systems, with production lines brought to a halt and knock-on impacts across just-in-time supply chains and regional economies.
I make that point to underline something simple: cyber-risk presents simultaneously as operational, financial and reputational risk, and in combination those effects can be felt economy-wide. If that is the rationale for bringing food into scope early, it inevitably raises questions about other high-value sectors where a single incident can have national economic consequences.
That brings us back to clause 24 and the role of the Secretary of State. The Bill is clearly designed to allow scope for provisions to evolve through secondary legislation as risks change. That flexibility is sensible, but flexibility works only if the criteria for widening scope are clear, predictable and capable of being explained to industry, regulators and Parliament. If decisions appear to be reactive or driven by the most recent or most visible incident, confidence in the regime will suffer rather than strengthen.
That concern is reflected in the written evidence we have received. The Association of British Insurers, for example, supports higher standards of cyber-resilience, but it also emphasises the importance of clear definitions and coherence between regimes, particularly where firms are already subject to overlapping regulatory requirements. Its point is not about resisting regulation, but about avoiding uncertainty and duplication, which do not improve resilience.
My questions are ones of principle rather than position. First, what is the settled test that the Secretary of State will apply when deciding to bring a sector into scope under the clause 24 powers, and how will that judgment be made transparent to Parliament? Secondly, if Parliament were to require rapid expansion of scope, how confident are the Government that regulators would have the capacity to supervise a much larger and more diverse population without diluting oversight elsewhere?
I am not seeking to land a conclusion on new clause 1 today—I understand why it has been tabled and I recognise the seriousness of the issues that it highlights—but if we are going to widen scope, to food or otherwise, the Committee is entitled to press the Government on the discipline and guardrails that will sit behind those decisions. This needs to remain a targeted and credible regime, rather than one that expands without a clear and consistent logic.
(1 month, 1 week ago)
Public Bill Committees
Lincoln Jopp (Spelthorne) (Con)
It is a pleasure to serve under your chairship, Mr Stringer. When we left off, we were considering the powers of the Secretary of State to bring new organisations within scope. I am a Conservative, and my view is that the best form of regulation is usually competition, so I am not actually volunteering these sectors for the guards. However, I want to understand the underlying logic as to why certain things have been included and certain things have not.
We have a fairly good guide as to what is essential. The reason we do is that we went through a global pandemic, and the following groups and organisations were designated as absolutely essential for the running of the state: health and social care, which is included; education and childcare, which is not; anything to do with the justice system; religious staff; public service broadcasters; local and national Government, which again is not in the Bill; food and other goods, which, as we discussed, are also not in the Bill, although they are in the new clauses; public safety and national security; transport; utilities; communications; financial services; and postal services.
That is the analogue I am putting to the Minister: we found out which things we really needed, we designated them as essential and we allowed them to continue during the covid pandemic. None of us particularly relishes being reminded of that time, but we owe it to the people who will be subject to the Bill to ask the Minister exactly what has been argued in and what has been argued out of scope, to understand how vulnerable the blank cheque we are issuing to the Secretary of State is to their including more and more in it, come the day of the races.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will start by addressing the questions raised by hon. Members, including the hon. Member for Spelthorne, who concluded by setting out a general philosophy of how we thought about what is in and out of scope, and then I will address some of the more specific concerns in the new clauses.
The overarching philosophy has not at all been to deny, as the hon. Members for Spelthorne and for Brecon, Radnor and Cwm Tawe argued, that there are a series of services that are absolutely essential. There is a category of critical national infrastructure, and there is a category of essential sectors and services that we identified in the pandemic. Although there is some overlap, a distinct segment for the Bill is operators of essential services such as digital services and managed service providers. The assessment there has been more about the immediacy and severity of the impact, and the availability of alternative provision in a very short time, which has meant that those sectors have been ruled in. I will lay out the logic of our position on the new clauses, which might help clarify this question, although I would be happy to engage further with hon. Members on it.
I am conscious that the hon. Member for Bognor Regis and Littlehampton and the shadow Minister raised very appropriate points about robustness and proportionality in relation to the Secretary of State exercising the powers in the Bill, so I will lay out the process and the role of Parliament.
In terms of the process for bringing new sectors or activities in scope, something must meet a specific, rigorous test to be defined as a new essential activity for the purposes of the Bill. The Secretary of State must be satisfied that the activity is essential to our economy or society. As I have mentioned, that is reserved for the most vital activities to our nation and acts as a high bar for inclusion, on the terms I mentioned to the hon. Member for Spelthorne.
In reaching a decision, the relevant Departments will need to carry out risk assessments and impact assessments and consider whether inclusion of those sectors and activities is proportionate. That is part of the normal policy development process. After that, the proposals will be subject to consultations and the affirmative procedure, ensuring the necessary scrutiny. Parliament will have the final say on the use of any expansive powers, as the vast majority of the changes I mentioned will be made through delegated powers and subject to the affirmative procedure. If a new sector is then brought into scope, we will undertake a phased implementation wherever possible, and organisations will be given adequate time to comply. Alongside that, regulations will be made in a controlled way and include consultations with relevant stakeholders before secondary legislation is laid before Parliament.
I make one final observation on the points that have been made, not least about Jaguar Land Rover. The UK Export Finance export development guarantee is not a bailout. UKEF receives payments for providing its guarantees, ensuring that the Government are appropriately compensated for the risk taken. In that context, a different assessment was made, as I hope to come to shortly.
More broadly, the Committee heard from expert witnesses that although the purpose of the Bill is clear, and its impact is a significant help for our national cyber-security and essential services, it or any other singular move is no silver bullet when it comes to our cyber-security. Different levers are effective in different parts of the economy and must be applied appropriately.
The most stringent lever the Government have at their disposal is legislation. As we have discussed in this and prior sittings, proportionality is key to the exercise of that lever. Regulation creates obligations and requires resources, so the pros of regulating must outweigh the costs. In the context of the Bill, that means protecting our society and economy from unacceptable risks with an immediacy of threat to our day-to-day life, not least our national security. That means things like keeping the lights on, the taps running and the NHS going, where there is little or no alternative provision of such services. We must also avoid creating unnecessary burdens where other measures are available.
In that context, I turn first to new clauses 1 and 9. The Government and the National Cyber Security Centre are clear that all organisations, whether a food supplier, an automotive giant, a supermarket or any other business operating in the UK, should take steps to protect their cyber-security and increase their resilience. That is why in October the Government wrote to FTSE 350 companies urging them to take three actions to strengthen their defences. First, they should make cyber-risk a board-level priority, and I know that that sentiment is shared across the Committee. Secondly, they should require suppliers to have baseline cyber-security through Cyber Essentials. Thirdly, they should sign up to the NCSC’s early-warning service.
The response has been encouraging already. A significant proportion of organisations have responded, with many of those responses coming directly from chief executive officers and chairs, showing the seriousness accorded to this by boards. Following the letter, we have seen increased interest in the Cyber Essentials website, uptake in early-warning registrations, and uptake in registrations for the IASME supplier check tool, which organisations can use to identify suppliers with Cyber Essentials certificates.
Beyond that, Departments and the NCSC deliver sector-specific support for key parts of the economy. On food specifically, the Department for Environment, Food and Rural Affairs and the wider Government have worked with the food and retail sector on cyber-resilience for many years, and we always stand ready to protect the UK food supply chain. During last year’s incidents involving Marks & Spencer and the Co-op, the NCSC and DEFRA worked closely with the affected retailers to support their response, to communicate advice and guidance and to assess the risk to food security. Following the attack, DEFRA Ministers wrote to major retailers to invite further collaboration on cyber-matters. Officials from both the NCSC and DEFRA are working with retailers to understand how we can best support them and the resilience of our food supply chain in the future.
Crucially, the food sector is unique among critical sectors for its high levels of industrial and geographic diversity. There are approximately 20,000 small and medium-sized food manufacturers alone spread across the UK, and many more farms, distribution centres, retailers and other types of businesses that form the UK’s food supply chain. As a result, it is a sector with few single points of failure. Its resilience is further strengthened by the steps that individual operators and suppliers are taking.
Finally, it is worth mentioning that the cyber-attack on Marks & Spencer last year, which hon. Members have raised, specifically involved the social engineering of a third party managed service provider. As the Committee is aware, the Bill brings large and medium-sized managed service providers into scope. That important change delivers downstream benefits across the wider economy, including for food retailers.
I will move on to new clause 8. The Government recognise that a step change in cyber and digital resilience is required across the public sector, including in local authorities. The Government’s cyber action plan is the overarching strategy to improve the cyber-resilience of Government. It will hold the public sector, including local government, to equivalent requirements to organisations regulated by the Bill. At the outset, the hon. Member for Spelthorne raised a question about schools and pupil data; where local authorities are the lead affected departments in that context, they would be expected to maintain very close oversight and compliance with the requirements and asks of the cyber plan, including in schools and the maintenance of pupil data.
Local authorities in England are accountable for their own cyber-security and resilience. The Ministry of Housing, Communities and Local Government, as the lead Government Department, is accountable for the sector-wide resilience of English local government, and is already taking a range of steps to support the sector, strengthen its cyber-resilience and manage its risks more effectively. For example, MHCLG has already provided £23 million of cyber grant funding and technical support to local government. That includes the delivery of clear cyber-security standards through the adoption of the cyber assessment framework—CAF—for local government. It is also aligned with the wider approach taken by organisations already in scope of the network and information systems regulations.
On social care specifically, as the lead Government Department for adult social care, the Department of Health and Social Care is working to ensure that the standards applied by adult social care providers are consistent with those used across Government and the wider public sector. The DHSC is investing a further £21 million over this Parliament to give care providers the support and guidance they need to improve their cyber-resilience and to enhance cyber-security standards to align with the cyber assessment framework. The MHCLG has also launched a local government cyber-incident response service to support English local authorities to respond to severe cyber-incidents, helping to limit the impact these have on data and services.
I now move on to new clauses 11 and 12, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe. The joint election security and preparedness unit—JESP—sits jointly between the MHCLG and the Cabinet Office. It was created by the defending democracy taskforce, a cross-Government unit, and works to protect UK elections and referendums by co-ordinating work across Government to respond to threats, including on cyber-security.
I know that the shadow Minister takes a keen interest in these questions on the run-up to elections, and he raised some important points. JESP works closely with the NCSC, which produces guidance for organisations involved in delivering elections, including local authorities. That includes advice to help IT practitioners implement security measures that will help prevent common cyber-attacks, as well as offers for direct NCSC support, including the NCSC’s active cyber-defence services.
The MHCLG as a whole is responsible for centrally managed digital electoral services covering voter registration, a postal or proxy vote, or a voter authority certificate. All systems and suppliers involved in developing and maintaining digital electoral services must meet strict cyber-security requirements, not least the MHCLG cyber-security assurance framework.
I will move on to political parties. JESP and the NCSC regularly engage with political party representatives to understand their requirements, monitor any cyber-infrastructure vulnerabilities and raise awareness about Government cyber-defence services. The NCSC’s active cyber-defence programme provides free security tools to help UK organisations, including political parties and local authorities, reduce exposure to common cyber-threats. The NCSC encourages all political parties to sign up to these, and offers individual candidate briefings to parties that wish to take them up.
Everything I have said reflects the Government’s current assessment of where regulation is needed to protect the core of our society and economy. Of course, we have seen that what is considered an essential service can change, and we also know that cyber-threats are constantly evolving. That is why the Bill will enable the Government to bring more essential activities and services into scope in future, and to take swift action if UK national security is at risk, in scenarios where the evidence suggests the pros outweigh the costs. However, at this stage we do not think that that is the case for new sectors. I therefore ask hon. Members not to press their new clauses.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clause 25
Statement of strategic priorities etc
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 25 introduces a power for the Secretary of State to designate a statement of strategic priorities for the implementation of the NIS regulations. The NIS regulations are enforced by 12 different sectoral regulators. Although that allows each regulator to apply its sectoral expertise, it also means that at times they have taken divergent approaches to their regulatory responsibilities. Clause 25 addresses that by allowing the Secretary of State to set overarching objectives for regulators in the wider context of a statement of strategic priorities. The statement will replace the NIS national strategy, which the Government were previously required to produce under the NIS regulations. It will set out the Government’s priorities for the security and resilience of essential services.
To ensure that the objectives remain stable enough to enable regulators to plan their work, the clause will prevent a statement from being withdrawn or amended within three years of its designation. However, that three-year rule will not apply if there has been a general election, or a significant change in the threat landscape or in Government policy. That will allow for flexibility where appropriate. In sum, clause 25 empowers the Government to drive a more effective and consistent application of the NIS regulations.
Clause 26 establishes the process through which a statement of strategic priorities can be designated. It requires that there must be consultation with regulators, and that the statement be laid before Parliament, where it will be subject to the negative procedure. It establishes that the Government must share a draft of a proposed statement with the NIS regulators, and that the regulators must be given at least 40 days to provide comments to the Government on that draft statement. The Government must consider whether it is appropriate to make any changes to the draft statement in the light of that consultation. Once any changes have been made, they must lay the statement before Parliament, where it will be subject to the negative procedure. Following that, the Secretary of State may designate the statement.
Clause 27 establishes the legal duties that regulators will have in relation to a statement of strategic priorities. It sets out that regulators must “have regard to the statement” when carrying out their NIS functions, as introduced by parts 3 and 4 of the Bill. It also introduces a requirement for regulators to “seek to achieve” the objectives included in the statement.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
As we heard in written evidence from the ABI, clarity about roles really matters. Can the Minister confirm that the statement of strategic priorities is not intended to operate as indirect instruction, and that regulators will retain clear discretion where sector evidence points in a different direction?
Kanishka Narayan
I thank the hon. Member for her point. Perhaps I can give a flavour of the objectives I might expect in a statement and assure her of the independence of sector regulators. Subject to consultation, which we would expect in the build-up to any such statement, a statement might include objectives such as encouraging regulators to seek to ensure that their sectors have plans in place to increase security, or focusing on regulatory activity in areas of greatest horizontal risk. To the hon. Member’s point about sector-specific expertise and the independence of regulators, the statement is intended to set objectives to be achieved within the parameters of regulators’ existing statutory duties, and what the overarching risks are. Of course, regulators will be free to do that in the ways they think most appropriate for their sectors, in the light of their own expertise and experience. I hope that gives the hon. Member some assurance.
Clause 28 requires the Secretary of State to publish an annual report setting out, in general terms, how NIS regulators have complied with their duties in relation to a statement of strategic priorities over the previous 12 months, and how they intend to meet their duties in the following 12 months.
Alison Griffiths
As the Minister is saying, clause 28 is meant to help Parliament understand how regulators are responding to the statement of strategic priorities. Can he say a little about how substantive that reporting will be, and whether it will genuinely allow Parliament to assess how those duties are being exercised in practice?
Kanishka Narayan
The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.
Kanishka Narayan
I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.
As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.
It is a pleasure to serve under your chairmanship, Mr Stringer.
Clause 25 introduces a power for the Secretary of State to issue a statement of the Government’s strategic priorities in relation to the security and resilience of network and information systems with regard to essential activities. The statement will set out the responsibilities of regulators and specify objectives to secure the Government’s priorities. Competent authorities must be consulted in the drafting of the statement, and the Secretary of State must issue a report in every 12-month period on regulators’ compliance with meeting the objectives within it.
The changes aim to address important challenges around consistency in the approach to regulation that were identified by the previous Government’s second post-implementation review of the NIS regulations. Importantly, the measures also provide for a regular review of competent authorities’ approach to discharging their regulatory obligations. That measure is necessary given the inconsistent approach to oversight and enforcement of the NIS regulations so far.
We know that there are existing challenges relating to the capacity of competent authorities and there is the ongoing issue of securing sufficient cyber-security professionals to staff the teams. It is all well and good making statements, but they need to be followed. What strategies does the Minister anticipate will be needed and used to support—and, where necessary, drive up—standards of regulatory oversight when competent authorities fall short of the aims set out in the statement?
Kanishka Narayan
I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.
Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.
Alison Griffiths
Having worked in business, I know that the words we use to ensure that the capabilities are there are easy to say but not always easy to deliver. How will the Minister ensure that when we have a multi-sector issue, which could easily come up—particularly, as we have already discussed, around OT and the use of IEDs across multiple sectors—the National Cyber Security Centre and other regulators will have access to the skills, people and resources necessary to manage what could be a catastrophic incident? We already know that cyber-skills are in short supply as it is, even in the commercial sector.
Kanishka Narayan
The hon. Member raises an important point. Two or three things are really important channels of impact when it comes to skills. First, the NCSC as a convening body across regulatory areas will be able to make sure that different regulators come together and learn by being able to share information not just between themselves, but through the NCSC itself as the convening body for sharing good and prompt understanding of emerging risks.
Secondly, on broader skills, the cost recovery schemes allowed under the Bill create a way for regulators to ensure they are resourced up and have the ultimate financial firepower to be able to enforce the requirements of the Bill.
Alison Griffiths
I thank the Minister for his patience. He mentions a specific example of where he will ensure that the NCSC is resourced up. Do we have specific examples that have happened already of those powers having been put in place successfully? From conversations with the NCSC, I understand that it is reliant on its accredited bodies across the country, but we have not yet—I am touching the wood of my desk, as I speak—had to respond to a complex multi-sector issue. I challenge the Minister on whether he is confident about our capability to respond to one.
Kanishka Narayan
I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.
The Minister is being generous with his time during this important debate. I was just thinking through his earlier response to the point made by my hon. Friend the Member for Bognor Regis and Littlehampton about using the cost reclaims to employ cyber-security professionals. That goes to the heart of the concerns about the Bill and its approach to regulation.
We have heard that the industry, including regulators, is struggling to recruit cyber-security professionals. What gives the Minister confidence that, just because some money will be sloshing around in the regulators, there will be the ability to recruit cyber-security professionals, who are going to be essential to the implementation of the Bill?
Kanishka Narayan
First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal so that more people can benefit from cyber-skills and serve in the industry.
There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.
Chris Vince
I am going to mention Harlow, because Harlow has young people with amazing potential. The point that the shadow Minister and other Opposition Members have made is really important. We need to make sure that this and the next generation of young people are trained up in these skills, because this is an emerging threat. I encourage the Minister to promote the Bill and what the Government are doing in cyber-security, because it is important that the wider public know that these important skills and jobs are available.
Kanishka Narayan
I am, of course, very happy to take on my hon. Friend’s recommendation that I be the promoter and ambassador for the Bill across the country. I am only sad not to have been invited to visit his constituency in the act of promoting said Bill, but I take his point seriously.
On the broader point about skills, I entirely agree with both my hon. Friend and the Opposition in recognising that skills are central to the enforcement of the programme. I hope that the funding and the earlier focus on skills across the life cycle give some assurance that the Government are committed to that.
Question put and agreed to.
Clause 25 accordingly ordered to stand part of the Bill.
Clauses 26 to 28 ordered to stand part of the Bill.
Clause 29
Regulations relating to security and resilience of network and information systems
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 29 is the key pillar of the Bill’s future-proofing powers. It allows the Secretary of State to update, amend or replace the NIS regulatory framework by creating new regulations. This is a critical provision. Due to the way in which the NIS regulations were transposed into UK law, the Government lack a way of updating the framework other than through primary legislation. As a result, our regulations have remained static amid a rapidly evolving threat landscape, leaving our essential and digital services vulnerable to attack and our resilience falling behind the EU. The clause is an important response to that problem. It will ensure that the Government can take swift action so that our cyber regulations remain relevant. It is a more proportionate and effective approach than always relying on primary legislation.
I know the use of delegated powers can be a source of concern, so I will be clear that the clause is not a carte blanche—or a blank cheque, which the hon. Member for Spelthorne might be worried about—to smuggle in anything and everything under the guise of cyber-security. It is tightly constrained to ensure that any new regulations align with the original purposes of the NIS regulations. New regulations can be made only for the purposes of strengthening the cyber-security and resilience of the UK’s most critical activities, and only where they are genuinely essential to the functioning of the UK’s society and economy. Cyber-criminals will always find ways around regulations, but with this power we can stop them in their tracks.
I have already explained the critical role that clause 29 plays in enabling new regulations to be made for the purposes of cyber-security and resilience. However, I want to be clear about how those regulations will be used and reassure the Committee of their checks and balances. Clauses 30 to 35 set out what the regulations can do.
Clause 30 enables the Secretary of State to use the regulation-making powers to impose requirements on regulated persons. It clarifies who can be made subject to requirements and the types of requirement that can be imposed on them.
Alison Griffiths
My question relates to clause 29 but also clause 30. As the Minister says, the powers are deliberately wide. The Institution of Engineering and Technology noted in evidence that predictability matters more than compliance. Will the Minister explain exactly how the Government will judge when risks require new statutory duties rather than updated guidance, so that businesses are not left guessing?
Kanishka Narayan
Any legislation made under clause 29 will need to align with the Bill’s clearly specified purposes to protect the systems that underpin our vital services. In any case, secondary legislation will require deep consultation to ensure that businesses have the sense of clarity that they require. There is a specific bar to pass for the scope of any further provisions, and it is a high bar given the definition of the sectors and the activities covered in the Bill.
Clause 30 has been designed with some clear use cases in mind. It will enable the security duties on regulated organisations to be updated with appropriate technical details. It will also ensure that more detailed thresholds for incident reporting can be set, and it is the mechanism through which we will set out the regulatory requirements for designated critical suppliers. In other words, the clause will help us to operationalise the provisions of the Bill and update the technical details of regulatory requirements in response to new risks or technology.
Clause 31 enables the Secretary of State to confer functions on regulators through the Bill’s regulation-making powers. These may be existing NIS regulators or newly appointed regulators. The types of functions that can be conferred are those concerned with compliance: monitoring and securing compliance, and investigating and managing non-compliance. To carry out such functions effectively, regulators must be able to impose penalties. Clause 31 also provides for that while putting in place important safeguards so that regulated organisations have a means of appealing penalties. The clause is essential for future-proofing the regulatory regime. It ensures that regulators can be equipped with the functions and powers they need to ensure the compliance and security of the UK’s most essential services.
Clause 32 sets out details and safeguards for how the regulation-making powers can be used when they impose or amend financial penalties. Crucially, it establishes upper limits on what the penalties can be—the greater of £17 million or 10% of turnover for an undertaking, or £17 million for a non-undertaking, or £17 million for an undertaking adjusted as needed to account for inflation. The 10% threshold has been chosen as a defensible outer limit for a regulatory regime concerned with national resilience and security. It aligns with penalties for non-compliance in legislation regulating critical national infrastructure and with the Bill’s own national security powers.
The clause further clarifies that regulations can define “turnover” and “undertaking”, where needed, to calculate a penalty. Together, these provisions create important safeguards and flexibility. They establish proportionate and transparent parameters within which penalty amounts can be set. They also enable the Secretary of State to define and consult on terms that are essential for operationalising the Bill’s new turnover-based penalties.
Like clause 31, clause 33 enables the Secretary of State to make regulations conferring functions on regulators. The functions specified in clause 33 complement the core compliance functions outlined in clause 31. They relate to the disclosure of information, issuing of guidance, record-keeping, preparation of reports, undertaking of reviews, and co-operation. The clause also enables the Secretary of State to impose functions on organisations that are not regulators but that play a public role related to the cyber-security and resilience of essential services. GCHQ, in its capacity as the UK’s computer security incident response team and technical authority, is the most important. Like clause 31, this clause is essential for future-proofing NIS regulations. It allows organisations that oversee and facilitate the cyber-security and resilience of essential services to be equipped with the tools and functions they need.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs using the powers under clause 29(1). These are the costs incurred through their functions under the NIS regulations or other obligations imposed through parts 3 and 4 of the Bill.
In practice, the clause ensures that the Secretary of State can make changes and updates to the way that regulators carry out their cost recovery function under the NIS regime. It could, for example, be used to specify further factors that regulators need to consider when establishing approaches for charging fees in the charging schemes, in addition to those already set out in clause 17. That might be needed to deliver greater consistency in how the cost recovery measures are being applied and is something that the Government will keep under review.
Alison Griffiths
As the Association of British Insurers has highlighted in its written evidence, the way cost recovery operates will shape behaviour on the ground. Can the Minister reassure the Committee that changes made under clause 34 will be transparent and proportionate and will not inadvertently discourage investment in cyber-resilience, particularly for smaller firms in supply chains?
On a personal point, could I ask him to speak more slowly? I am really struggling to hear him.
Kanishka Narayan
I apologise for the pace of my speech; I will try to make sure I am speaking more slowly.
On the particular point on transparency and ensuring that any amendments to cost recovery are both transparent and grounded in specific provisions, I can set out the sorts of expectations we have had for circumstances in which amendments might be made. In particular, the Bill’s powers will enable regulators to set up charging schemes, but it is not prescriptive—
Kanishka Narayan
The Bill’s new powers enable regulators to set up charging schemes, but it is not prescriptive about how it should do that beyond certain baseline requirements. More specific requirements, as provided for in the Bill, could become clear, such as if cost recovery mechanisms are not working effectively or if regulators are diverging unhelpfully.
All regulators must consult on charging schemes. In doing so, the industry should have ample opportunity to scrutinise the approach that regulators are taking and, importantly, Parliament should be able to add to that scrutiny as well. Like clause 31, clause 34 is essential for the future-proofing of NIS regulations.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs; I have mentioned examples of the sorts of factors we might specify in that context. Together with clauses 29 to 33, 35 and 41, clause 34 is necessary to ensure that the Secretary of State can update and amend the functions of regulators as needed in the future, and is an integral part of the Bill’s future-proofing powers.
Clause 35 is the final clause that clarifies the limits and prospective uses of the regulation-making power in clause 29. It confirms that the regulations may confer functions and allow certain functions to be delegated to others—for example, it could enable a regulator to delegate functions to inspectors. It also clarifies that regulations can be made to require a person to have regard to guidance or codes of practice, or that make provision by reference to another document or piece of guidance. In short, the clause provides helpful clarity about how the regulations could be applied.
Sarah Russell (Congleton) (Lab)
On a point of order, Mr Stringer. I am not sure whether this strictly meets the criteria for a point of order, but it is clear that some people in the room cannot hear what is happening. I know the convention is that only the Whips and Ministers sit on the front row, but if those who are struggling to hear wish to sit closer, could we abandon that convention? It would be a reasonable adjustment so that everyone can participate properly, because this is discriminatory.
Kanishka Narayan
No.
Question put and agreed to.
Clause 29 accordingly ordered to stand part of the Bill.
Clauses 30 to 35 ordered to stand part of the Bill.
Clause 36
Code of practice
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 36 sets out that the Secretary of State may issue a code of practice for regulated entities. The code will describe recommended steps to help these entities to comply with their duties and requirements under the NIS regulations and any new regulations made under the Bill. This will make it simpler for regulated persons to understand what is expected of them, thereby driving consistency and complementing sector-specific guidance from regulators.
The clause will also make enforcement clearer and more effective, as regulators must take the code into account when they assess compliance. The code is designed to be flexible: it can be updated as threats and technology change, and can be tailored to different types of organisations, ensuring that guidance is current, relevant and practical for all.
Given the importance of the measure in providing practical recommendations to regulated entities, it must be consulted on before it is prepared or revised, and this process is set out in clause 37. Before the code can be brought into force, a draft must be laid before Parliament, providing ample opportunity to scrutinise and, if necessary, reject it within a 40-day period. If either House objects, the Secretary of State cannot proceed with that version and may prepare a new draft. If the draft is approved by Parliament, the Secretary of State may issue it and must publish it, and it then comes into effect immediately, unless otherwise specified. The clause also clarifies how the 40-day period is calculated, to ensure consistency and transparency in the process.
As we know too well, cyber-threats continue to evolve as new tactics and technologies are deployed, which is why the clause includes a power for the Secretary of State to amend the procedure for issuing the code. The Secretary of State may, for example, wish to add or amend consultation requirements or extend the 40-day period.
Clause 38 establishes how the code of practice will be used and treated in legal and regulatory settings, to ensure it has the intended effect. For regulated persons, the code of practice is intended to be formal guidance, with recommendations on how to comply with their duties, but not to be legally binding itself.
As we know, there can be more than one way for businesses to meet their obligations and ensure that they have in place appropriate and proportionate security and resilience measures. It is therefore important that there is a degree of flexibility in how they do this, to accommodate sector-specific nuances and business needs. None the less, it is crucial that the code has sufficient legal status and that the good practice it contains is not simply ignored. That is why the code can be admissible as evidence in court when deciding whether legal obligations have been met, and why the courts and regulators must consider it as evidence when assessing compliance.
Clause 39 establishes a formal process for the withdrawal of the code of practice, in case that is ever needed.
Clause 36 provides that the Secretary of State may issue a code of practice for regulated entities to set out measures that they should take to demonstrate compliance with their duties under the NIS regulations, or any requirements imposed by the Secretary of State under clause 29. If done well, the code could be a repository of best practice, setting proportionate, consistent and effective standards for regulated industries. That will require constructive and open consultation with regulated sectors to identify the challenges facing those sectors and how best to address them.
One issue that came up in oral evidence was the question of the lag between regulation making and industry adoption. David Cook of DLA Piper commented that, after laws come into effect, the process of businesses understanding where they need to get to
“often requires a multi-year programme of reform.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 5, Q1.]
The code of practice is not envisaged to be legally binding, in the sense that a failure to comply is not of itself evidence of a failure to meet obligations under the NIS regulations or the Bill. However, clause 38 states that it would be admissible as evidence in legal proceedings so, in that sense, the code is binding in all but name. In view of that, and the fact that codes can be revoked and reissued, can the Minister provide reassurance to regulated industries that a lead-in time will be built into any requirements to allow businesses to prepare to achieve full compliance?
Kanishka Narayan
First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.
On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would be closely regulated entities to ensure the proportionate implementation of codes.
Alison Griffiths
We heard from the Information Systems Audit and Control Association that codes work best when they reflect operational reality. Given their evidential status, can the Minister reassure the Committee that codes will remain practical and iterative and not quietly harden into rigid compliance rules?
Kanishka Narayan
I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.
For the sake of clarity on the legal status of the codes, I entirely agree with the Minister that it is important to get this right, and my understanding of codes of practice in a different area—statutory codes of practice relating to the Mental Health Act—is that case law says that deviation from the code of practice should be done only for cogent reasons. That is a pretty high bar to pass in terms of deviations. I should declare an interest as a former consultant psychiatrist and someone who operated subject to that particular code of practice.
For absolute certainty, will the Minister write to the Committee and make the status very clear, along with reference to relevant case law in terms of other codes of practice? Does the clause override that jurisprudence or not? That would settle the question as the Bill goes through Parliament.
The Chair
Order. Interventions are getting a bit out of control again. I remind hon. Members that they should be brief.
Kanishka Narayan
I agree with the shadow Minister. The Bill’s focus is on the assessment of compliance with ultimate security duties. The codes of practice will set out approaches to do so, but they will not be the only approaches. I would be happy to write to the shadow Minister and the Committee on the particular legal interpretation, and any relevant case law that might apply.
Question put and agreed to.
Clause 36 accordingly ordered to stand part of the Bill.
Clauses 37 to 39 ordered to stand part of the Bill.
Clause 40
Report on network and information systems legislation
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
I beg to move amendment 26, in clause 40, page 63, line 7, leave out “5” and insert “3”.
This amendment would increase the frequency of the reports that must be published under Clause 40, from every five years to every three years.
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for moving amendment 26, in the name of the hon. Member for Henley and Thame. It seeks to reduce the period for publishing a report on the operation of the legislation from at least every five years to at least every three. I reassure him that the Government recognise the importance of regular assessments of the regime to ensure that it is as effective as possible. The legislation sets five years as the minimum period. That is an appropriate and proportionate timeframe in which to meaningfully assess the progress, at a regular frequency, of the entire regime set out in the Bill, following the approach set by existing legislation such as the Online Safety Act 2023.
Kanishka Narayan
Clause 41 gives further detail on the sorts of provisions that can be included in regulations made under clause 24 and chapter 3 as a whole. It confirms that regulations can make different provisions for different purposes, different categories of person or different areas; can make provisions for how those regulations apply to the Crown or UK territorial waters; and can include consequential, supplementary, incidental, transitional or saving provisions. The clause also defines how certain terms used in regulations should be interpreted, such as “relevant UK waters” or “primary legislation”. In summary, the clause provides important points of clarification about how the regulation-making powers in the Bill can operate. I propose that clause 41 stand part of the Bill.
Clause 42 sets out the consultation requirements and parliamentary procedure that apply where regulations are used to designate new essential services or regulators, to impose regulatory requirements or change regulator functions, or to amend requirements for the five-yearly legislative review.
Alison Griffiths
These procedures are standard, but the powers they apply to are significant. Where regulations under part 3 would materially expand duties or bring new actors into scope, have the Government considered whether those should receive deeper scrutiny in practice, even if the formal procedure remains the usual one?
Kanishka Narayan
I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.
In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.
In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.
I have two questions for the Minister. Given the impact on devolved legislation, can he confirm that the consultation will extend to devolved authorities should it impact on them? My second question is more generally on the theme of devolved authorities. Can he confirm that, as part of the publicised “reset” negotiations with the European Union, bringing Northern Ireland into scope of NIS2 regulations is totally off the table?
Kanishka Narayan
On the broader point about application to the devolved Administrations, changes in UK legislation may indeed need to be reflected in devolved legislation, such as where it refers to and references the name of UK legislation. In those contexts, it is important that consequential provision can be made to ensure coherence. We will continue to engage with our devolved colleagues on the implementation. I am very happy to write to the hon. Gentleman and the Committee, particularly on the Northern Ireland point.
Question put and agreed to.
Clause 41 accordingly ordered to stand part of the Bill.
Clause 42 ordered to stand part of the Bill.
Clause 43
Directions to regulated persons
David Chadwick
I beg to move amendment 27, in clause 43, page 66, line 11, at end insert—
“(fa) a requirement to remove, disable or modify hardware, software or other facilities;”
This amendment would enable the Secretary of State to issue directions to remove, disable or modify hardware, software or other facilities for national security purposes.
Emily Darlington (Milton Keynes Central) (Lab)
As the Minister will be aware, I have spoken consistently of my concern about our reliance on hardware and tech that comes from potentially non-favourable state actors abroad. That also relates to Government procurement, which I have raised before, as the Minister will know.
The Committee has already discussed how local government and Government Departments are not covered by this legislation, and how there is a separate strategy and document. Can the Minister expand on how protections against a reliance on foreign tech within critical infrastructure, in either the private or the public sector, are being dealt with in the Bill or in the strategy that has been published for the public sector? How will that be continually reviewed as our global geopolitical situation remains unstable?
Kanishka Narayan
I will start by addressing amendment 27, moved by the hon. Member for Brecon, Radnor and Cwm Tawe, which would add to the non-exhaustive list of requirements that could be included in a national security direction. It specifies that a direction could include requirements to
“remove, disable or modify hardware, software or other facilities”.
I reassure him that the Bill, as currently drafted, allows the Secretary of State to impose those types of requirements. Clause 43(3)(f) specifies that a direction may include
“a requirement relating to removing, disabling or modifying goods or facilities or modifying services”.
That already encompasses the types of requirements specified in amendment 27.
Furthermore, clause 43(3) lists the requirements that may “in particular” be included in a direction. The list is therefore not exhaustive, and for good reason. It is not possible or desirable to specify every action that might be needed to address a national security risk. That would restrict the Government’s potential avenues to address urgent national security threats, and would risk the legislation being too narrow to address novel threats to the UK’s national security.
I really do not understand the Minister’s answer. If it has not been published on national security grounds, how will we know that it has been laid? The whole thing could be entirely secret. Surely it has to go to the ISC as an accountability mechanism.
Kanishka Narayan
The Bill currently provides for clear parliamentary scrutiny. The Secretary of State is responsible for coming to Parliament, although some information may not be able to be presented in public. I am happy to write to the shadow Minister about the mechanisms that other similar regimes have used to ensure that Parliament’s scrutiny is informed in those cases, whether in Committee or otherwise. The primary mechanism is the one we use for constant parliamentary scrutiny, and it would be unfair for any of us to suggest that most of those channels would not be appropriate for the sort of scrutiny we are looking at.
I think the Minister is saying that there will be a parliamentary scrutiny mechanism under these powers. Is that what he is saying?
Kanishka Narayan
To repeat, exactly as I said: once a direction is issued, it will be laid before Parliament for scrutiny. If there is any misunderstanding, I am happy for the shadow Minister to write to me so that I can confirm it.
I really think we should be very critical about this. What we are doing now is parliamentary scrutiny. There will be directions in future, which we expect to be laid, and they will also be subject to parliamentary scrutiny. Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?
Kanishka Narayan
To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.
Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.
Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.
Lincoln Jopp
To take this a little bit beyond the theoretical, is the Minister suggesting that, where it is discovered that, for example, a major offshore wind power generation facility was fitted with remotely triggerable kill switches, triggerable by a foreign state or sub-state actor, the Secretary of State could require that energy company to remove whatever piece of hardware or software was producing that threat?
Kanishka Narayan
I could not judge a specific situation but, broadly speaking, that is the sort of situation, especially if it is an NIS-regulated entity, and in particular where the exercise of the power is focused on the entity’s network and information systems, that I would expect to come in scope of the powers specified here.
Under clause 44, a direction can be issued only when necessary for national security. It is possible that, in some circumstances, what is needed to protect UK national security could conflict with standard regulatory duties. For example, a direction might relate to a particularly sensitive national security risk, where only those involved in addressing the risk should be aware of it. That is to minimise the risk of hostile actors becoming aware of a vulnerability. A direction could therefore require an entity not to report that national security risk for the period in which the risk was being remedied. They may ordinarily have had to report that national security risk to comply with standard reporting requirements. The clause will resolve that conflict and provide certainty to recipients of directions about what they must do to ensure that the national security risks in a direction are addressed.
David Chadwick
Given the reassurances from the Minister, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 43 ordered to stand part of the Bill.
Clause 44 ordered to stand part of the Bill.
Clause 45
Monitoring by regulatory authorities
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
This group of clauses concerns how compliance with national security directions will be monitored. Clause 45 enables the Secretary of State to delegate the task of monitoring compliance with the direction issued under clause 43 to an NIS regulator. Regulators have valuable sectoral expertise and existing relationships with the entities they regulate. As such, it may be effective to delegate monitoring of compliance to the relevant regulator. The Secretary of State will retain the sole ability to make judgments about whether non-compliance has occurred, or if any penalty is appropriate. The regulator would be required to obtain information relating to compliance, to be shared with the Secretary of State. The Secretary of State would then determine how they would like to receive this information—for example, in reports or at regular intervals.
Clause 46 grants information-gathering powers to the Secretary of State and to regulators that are subject to a monitoring direction or request. In order to determine whether an incident or threat meets the bar for issuing a direction, or whether a regulated entity is complying with the direction, the Secretary of State will need information from that entity and potentially other parties. The clause establishes the power for the Secretary of State to request that information. As the monitoring of compliance with the direction may be delegated to NIS regulators, the clause also equips those regulators with the power to request information needed for their monitoring functions.
Clause 47 grants the Secretary of State the power to carry out or delegate inspections needed to assess compliance with a direction, or with a confirmation decision specifying actions to be taken in the event of non-compliance. The Secretary of State is responsible for judging whether a regulated entity is complying with a direction, and therefore needs access to relevant information that the regulated entity holds. In some cases, this may not be possible to verify without physical attendance. To ensure the effective use of time and resources, the Secretary of State will have the power to appoint a person to carry out an inspection on their behalf, or to direct the recipient of a direction to appoint an approved inspector. The clause also grants these powers to regulators, where the regulator has been directed or requested to monitor compliance on behalf of the Secretary of State. This will ensure that they can provide the Secretary of State with the most accurate information. I commend the clauses to the Committee.
Clause 45 gives the Secretary of State powers to require regulatory authorities to monitor and report on regulated entities’ compliance with directions given under clause 43 for reasons of national security. Clause 46 provides the Secretary of State with extensive information-gathering powers through the use of information notices to facilitate the giving of directions and monitoring of compliance with directions under clause 45(4). Clause 47 empowers the Secretary of State to conduct inspections to assess whether a regulated entity is complying with directions issued under clause 45(4). The Secretary of State may appoint a third party to conduct the inspection, and require the regulated entity to meet the costs associated with this.
I reiterate the point that these powers are necessary; however, given the potential for significant cost and administrative burden for businesses, they should be subject to contemporaneous or near-contemporaneous oversight by parliamentary authorities, observing the necessary confidentiality protocols. I also make the point that these information-gathering powers apply extraterritorially and may lead to conflict with regulated entities’ data privacy obligations in other jurisdictions. What discussions has the Secretary of State conducted with industry and law enforcement counterparts in other countries about the approach to information sharing for this purpose, and the implications for companies operating services on a cross-border basis?
Kanishka Narayan
I am grateful to the hon. Gentleman for his points about proportionality and scrutiny. I want to give him assurances about that, as I did in our earlier conversation.
On cross-border compliance, the hon. Gentleman rightly points out that relevant information can be requested, regardless of whether it is held in the UK. I am very happy to write to him with further detail on our ongoing engagement with counterparts elsewhere. During this process, we have engaged more broadly to understand other regulatory regimes and ensure compliance with them.
Question put and agreed to.
Clause 45 accordingly ordered to stand part of the Bill.
Clauses 46 and 47 ordered to stand part of the Bill.
Clause 48
Notification of contravention
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
This group of clauses concerns the enforcement of directions issued by the Secretary of State. I shall speak to them in turn.
Clause 48 grants the Secretary of State the power to issue a notice of contravention where they believe an entity is failing or has failed to comply with requirements relating to a direction. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will also be able to issue a notification of contravention relating to an information notice or inspection issued by the regulator. It would not be appropriate for a regulator to judge compliance with a direction issued under clause 43 or any other requirement imposed by the Secretary of State.
Lincoln Jopp
What happens when the Secretary of State, via his various proxies—the regulator or whomsoever—gives a direction to a company to do something in the interests of national security, and the entity disagrees and says, “That simply won’t work, and it won’t solve the problem that you are seeking to address”?
Kanishka Narayan
I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.
The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.
Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.
Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.
These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which aligns with the provisions in clause 49.
Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.
A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.
Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.
I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.
Clauses 48 to 52 deal with notifications and financial penalties where a regulated entity is deemed not to be compliant with directions issued by the Secretary of State under part 4. In particular, clause 48 would grant enforcement authorities powers to issue a contravention notice if they believe a person has failed to comply with a requirement under part 4. The notice must set out details of remedial steps to address the failure, as well as the financial penalty that the enforcement authority intends to impose.
Clause 49 would require penalties to be set at a level that is appropriate and proportionate, with the maximum penalty being £17 million or 10% of turnover. A maximum daily penalty of £100,000 applies to ongoing breaches. The maximum fines for failing to comply with an information notice or an inspection would be set at £10 million.
Kanishka Narayan
I have two points to make to the shadow Minister on defining turnover. As he will be well aware, “turnover” is a technical term that is best defined in secondary legislation, to keep up to date with accounting principles that at times vary from sector to sector. He asked for factors that might contribute to definitions. The specific determination of turnover will be set out in secondary legislation, but we intend to establish a presumption that only the turnover of the regulated entity that breaches the direction will be considered for determining penalties on this point.
Question put and agreed to.
Clause 48 accordingly ordered to stand part of the Bill.
Clauses 49 to 52 ordered to stand part of the Bill.
Clause 53
Power to direct regulatory authorities
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to consider the following:
Clauses 54 to 56 stand part.
Government amendments 23 and 24.
Clauses 57 and 58 stand part.
Kanishka Narayan
This group concerns the power for the Secretary of State to issue directions to the NIS regulators, as well as general provisions relating to the power and the power to direct regulated entities. That includes the procedure for reviewing, varying or revoking directions, the procedure whereby Parliament can scrutinise these directions, how information concerning directions can be shared, the means by which directions can be issued and the clarifications of key terms concerning part 4 of the Bill. I shall speak to each clause in turn.
Clause 53 grants the Secretary of State the power to direct NIS regulators in the exercise of their NIS functions, where it is necessary and proportionate in the interests of national security. The current system requires regulated entities to undertake “appropriate and proportionate” measures to secure themselves against cyber-threats. Regulators issue guidance to their sectors to help them to interpret that duty. However, geopolitical or technological developments could lead to rapid, unexpected increases in the cyber-threat that quickly leave whole sectors vulnerable and create a national security risk.
In such circumstances, it is essential that the Secretary of State can leverage the expertise and powers of NIS regulators to drive the implementation of enhanced security procedures and practices. For example, they may need to direct a regulator to issue an urgent advisory to its sector regarding new cyber-threats or to update guidance on what measures are “appropriate and proportionate” for them to take. This power will not extend to other Government Departments or devolved Governments, for which any actions to mitigate significant national security threats will be agreed through engagement.
Given the changing nature of national security threats, there may be times at which a national security direction needs to be varied or revoked. Clause 54 introduces powers for the Secretary of State to change the content of a direction, or revoke it altogether, where it is necessary and proportionate to do so in the interests of national security. The Secretary of State will be able to vary a direction to add new requirements, or to simplify directions by removing requirements that are no longer needed. To ensure that regulated entities are able to make representations, the Secretary of State is required to consult them before a direction is varied, where practicable. This requirement does not apply if consultation would be detrimental to the interests of national security.
Clause 53 would grant the Secretary of State powers to issue directions to regulators where this is necessary for national security reasons, and to allow a reasonable period for the regulator to comply with that direction. Clause 54 provides that directions may be amended or revoked by the Secretary of State. Under clause 55, directions to regulated entities or regulators must be laid before Parliament unless that
“would be contrary to the interests of national security.”
I repeat my earlier question about the ISC’s role regarding scrutiny. Clause 56 would permit the Secretary of State and regulatory authorities to share any information obtained under part 4 with each other and the NCSC. The provision also allows for the sharing of information with other UK or overseas public authorities with equivalent cyber-security or national security functions. Government amendments 23 and 24 seek to amend that clause to provide for directions and notices issued under this part to be sent by email to relevant persons who provided those contact details to regulatory authorities.
Some reassurance on the extent of information sharing for businesses is delivered through provisions specifying that disclosures of information should be limited to that which is relevant and proportionate. However, those are high-level and subjective terms, open to interpretation by the authority sharing the information. Can the Minister provide any update on the development of protocols between authorities to ensure that information shared is limited to that which is necessary for effective oversight and enforcement in relation to national security risks?
Kanishka Narayan
On the shadow Minister’s first point, I repeat what I said earlier and, of course, acknowledge his concern. I assure him that, while a direction can only be issued out of necessity for national security, it does not follow that public knowledge of that direction or its contents would compromise national security. I would expect a pretty extensive scope of such directions and, therefore, an appropriate channel of scrutiny in Parliament.
On his question of protocols to ensure information shared is not just proportionate in general, but specific to the purpose of national security specified, I am happy to give him the assurance that the Bill contains it and that, in the process of working out implementation, we will make sure that regulators are focused on developing those protocols.
Question put and agreed to.
Clause 53 accordingly ordered to stand part of the Bill.
Clauses 54 to 56 ordered to stand part of the Bill.
Clause 57
Means of giving directions and notices
Amendments made: 23, in clause 57, page 83, line 8, at end insert—
“(za) an email address provided to a regulatory authority as an address for contacting that person,”
This amendment would ensure that a direction or notice can be given to a person using an email address which has been provided to a regulatory authority as a contact email address.
Amendment 24, in clause 57, page 83, line 11, leave out
“there is no such published address”
and insert—
“no email address has been so provided or published”.—(Kanishka Narayan.)
This amendment is consequential on Amendment 23.
Clause 57, as amended, ordered to stand part of the Bill.
Clause 58 ordered to stand part of the Bill.
Clause 59
Extent
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
I will speak to clauses 59, 60 and 61 in turn. Clause 59 clarifies that the Bill’s provisions apply to England and Wales, Scotland and Northern Ireland. That is consistent with the Network and Information Systems Regulations 2018.
Effective implementation is key to a successful regime. Clause 60 outlines the phased commencement timings of the provisions, ensuring that they commence at an appropriate time. Some of the provisions will commence upon Royal Assent, or two months after Royal Assent, allowing the Government to begin implementing the regime without delay. That includes powers for the Secretary of State to lay important secondary legislation required to operationalise some measures in the Bill upon Royal Assent, and the power to publish a statement of strategic priorities at month two. All remaining measures will be brought into force via regulations, allowing the Secretary of State to sequence implementation in a way that is practical and proportionate, allowing for transitional arrangements and business adjustments. That also allows sufficient time for the implementing regulations to be made and scrutinised, and is required to make operational and implement the new, stronger framework.
Clause 61 clarifies that the Bill can be referred to as the Cyber Security and Resilience (Network and Information Systems) Act 2026 once passed.
Question put and agreed to.
Clause 59 accordingly ordered to stand part of the Bill.
Clauses 60 and 61 ordered to stand part of the Bill.
New Clause 2
Register of foreign powers for the purposes of Part 4
“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.
(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –
(a) which have been confirmed by GCHQ as having—
(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,
(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or
(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,
(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In this section, “foreign power” means–
(a) the sovereign or other head of a foreign state in their public capacity;
(b) a foreign government, or part of a foreign government;
(c) an agency or authority of a foreign government, or of part of a foreign government;
(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or
(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—
(i) hold those posts as a result of, or in the course of, their membership of the party, or
(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”
This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.—(Dr Spencer.)
Brought up, and read the First time.