(1 month, 1 week ago)
Public Bill Committees
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will begin by discussing clauses 15 and 16. Clause 15 updates the incident reporting provisions in the Network and Information Systems Regulations 2018. Under the current regulations, organisations are required to report incidents only once they have had a significant impact on service continuity. It is widely recognised that this is too narrow, and results in a range of concerning incidents going unreported and a distorted picture of how secure and resilient the UK’s essential services actually are.
To take two examples: a ransomware attack where confidential data has been exfiltrated from an organisation without an immediate impact on service would not be reportable; nor would a pre-positioning attack, where a hostile actor has hacked into a network and is in a position to cause significant disruption down the line, such as to the provision of drinking water. That cannot be right, and does not reflect the cyber-threats that critical services face.
To ensure such incidents are caught, the clause sets a new, wider definition of incidents that must be reported. The focus is now on incidents that have successfully affected the security or operation of an organisation’s network and are likely to have a significant UK impact, which will ensure that regulators and the National Cyber Security Centre are fully aware of the range of cyber-threats affecting the UK’s essential services.
The Bill sets out the factors that should be considered when assessing whether an incident has had, or is likely to have, a significant impact in the UK—including, crucially, whether the confidentiality, authenticity, integrity and availability of data has been compromised. The Government will provide further clarity in secondary legislation, setting out thresholds for each sector for when an incident is considered to have had, or be likely to have, a significant impact. That will be consulted on before it is introduced. Taken together, it means that only meaningful incidents are reported. Over-reporting has been a concern raised by hon. Members throughout the Bill’s progress, so I stress this point: things such as unsuccessful phishing emails will clearly not be reportable, as they would not be likely to have a significant impact.
Given our economy’s systemic dependence on data centre facilities, for that sector alone we will also ensure that Ofcom and the NCSC receive reports on a wider range of potential incidents and near misses. That ensures that not only immediate disruptions but incidents posing future risks are reported.
Clause 15 also streamlines the reporting process for all NIS sectors. It ensures that incident notifications and reports go to the NCSC at the same time as the regulator. It also sets out what those organisations can do with the information they receive, including how the information can be shared to manage the wider impacts of an incident or prevent future incidents. Finally, the clause introduces faster reporting, so that the NCSC and regulators are informed within 24 hours of entities becoming aware that a reportable incident is taking place.
The 24-hour notification will be light touch, but will enable the NCSC and regulators to offer faster support to minimise the negative impacts of the incident. Fuller details will need to be reported within 72 hours of the entity becoming aware that a reportable incident is happening. The changes will protect the UK’s essential services, ensuring that the NCSC and regulators are able to provide the best support that they can.
Clause 16 sets out requirements for managed service providers, relevant digital service providers, and operators of data centres to inform customers who are likely to have been adversely affected by a reportable incident. Under the current regulations, there is no requirement for any regulated entity to inform its customers if it has been impacted by a reportable incident. That may have made sense when the NIS regulations were more heavily focused on operators of essential services and the primary concern was service disruption, but it would be an inexcusable omission now that the Bill is expanding to include managed service providers and operators of data centres, in addition to the digital service providers already in scope.
These are organisations that, if compromised, could leave their customers’ systems, data or services exposed or inaccessible. In such circumstances, it is vital that their customers are notified, so that they can take whatever steps they need to in order to mitigate those risks.
Bradley Thomas (Bromsgrove) (Con)
I have two points for the Minister to address. First, could he clarify whether an organisation would face repercussions if a regulator believed in retrospect that notification should have been provided sooner? Secondly, on customer notification, can the Minister address the concern around striking the right balance between informing the customer and ensuring that the update that they receive is meaningful and not so vague that it causes further distress or worry?
Kanishka Narayan
I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.
On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.
Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.
Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.
Kanishka Narayan
Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.
The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.
The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.
Bradley Thomas
I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?
Kanishka Narayan
I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.
On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.
The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.
I commend the clause to the Committee.
Kanishka Narayan
Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.
While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.
New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.
Bradley Thomas
Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?
Kanishka Narayan
Clause 21 reforms the enforcement regime for the NIS regulations. It seeks to ensure that providers of the UK’s most essential services are complying with their obligations under those regulations. Where they are not, it will allow for more meaningful penalties that reflect the risks they introduce to our society and economy as a whole. To do that, the clause makes a number of critical changes.
First, the clause introduces a new penalty maximum based on turnover. The current maximum penalty is £17 million, which can appear disproportionately large for smaller organisations, but could also easily be absorbed by larger ones as the “cost of doing business.” The clause therefore increases the penalty limits from £17 million to a maximum of £17 million or 4% of annual turnover, whichever is higher. I am confident that that strikes the right balance within the UK regulatory context. It brings the regime in line with other UK legislation that regulates cyber-security, such as part 1 of the Product Security and Telecommunications Infrastructure Act 2022, without rushing uncritically to the more severe penalties we see in other CNI regulation.
The second change is to create a simple two-band penalty structure that will provide much-needed clarity to regulators and industry about the penalty tiers for specific acts of non-compliance.
Bradley Thomas
On the point about banding, can the Minister assure us that there will be consistency applied across regulators so that different events are not differentially penalised depending on the regulatory body? On the question of turnover and the financial penalty, can the Minister elaborate on how the figure was derived?
(1 month, 2 weeks ago)
Public Bill Committees
Kanishka Narayan
I thank the hon. Member for that thoughtful point. One assurance I will offer her is that the direct definition of data centres in scope here relies on capacity as a proxy for their essential independent nature, but when data centres below the capacity threshold but high on the criticality threshold are suppliers to essential services, they would be covered in part by the critical suppliers framework in the Bill. I take her point into account.
Bradley Thomas (Bromsgrove) (Con)
What consideration has been given to the potential conflict between data centres’ contractual obligation regarding customer confidentiality and mandatory rapid reporting? What assurance can the Minister give us that data centres will ensure that the conflict does not impact their future business?
Kanishka Narayan
In the course of engaging with firms we have considered what the timeline for reporting ought to be. It is critical that the initial notification requirement, which is a much lower requirement than the full notification requirement, at least gives the NCSC and other enforcement authorities the ability to counter national security and wider-impact risks. I believe that specification to be proportionate in the Bill, but it is of course a matter for implementation that we will keep a close eye on.
An attack on a data centre can have significant impacts beyond the facility itself. As data centres underpin digital services across multiple sectors, disruption or compromise can cascade through essential services, businesses and public services. Incidents may also pose national security and economic risks, given the concentration of sensitive and critical data. Bringing qualifying data centre services into scope of the NIS framework helps ensure these risks are managed proportionately and incidents are reported promptly.
As per Government amendments 11 and 12, we propose that Ofcom is the regulator. Medium and large third party data centres and very large enterprise centres will be required to manage risks and report to Ofcom. Their thresholds have been carefully calibrated to capture data centres whose disruption could have the greatest impact, while avoiding unnecessary burdens on smaller operators. This will strengthen the cyber-security and resilience of data centres, align with international regulations, and introduce structured oversight, notification, and incident reporting to strengthen national security and economic stability.
Kanishka Narayan
With your permission, Mr Stringer, I will restrict my comments to clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.
The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.
Kanishka Narayan
I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.
The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.
Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.
On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.
(1 month, 2 weeks ago)
Public Bill Committees
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.
For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.
For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.
We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”
To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.
The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.
Bradley Thomas
Q
DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.
(1 year ago)
Commons Chamber
Kanishka Narayan
The hon. Member talks of cutting one’s cloth. Perhaps he can tell the 14 million people employed by family businesses how he would cut the public services they rely on to fund the unfunded tax cuts he is talking about making.
Bradley Thomas
The hon. Gentleman’s intervention is a good one, in that he demonstrates that his party believes philosophically that it has to either tax or cut. The Government have no appreciation of the fact that money could be spent more effectively in the first instance. It is a fundamental ideological weakness of the Government.