(4 days, 8 hours ago)
Public Bill Committees
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.
That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.
Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.
The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.
Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.
Lincoln Jopp (Spelthorne) (Con)
Members on both sides of the Committee have referred frequently to the fact that the incident that took Jaguar Land Rover down would not have been covered by the Bill. JLR employs a digital service provider, in the form of Tata Consultancy Services. Would that provider not be covered, meaning that JLR is in scope?
Kanishka Narayan
Although I will not rule a particular provider in or out of scope, if the provider in question met the threshold for RDSP coverage, it would be covered, but the locus of that coverage would be limited to the provider rather than to the end-customer entity. I hope that clarifies that sufficiently.
Let me explain how clause 8 was designed to tackle the risks that Committee members have set out. The clause updates the existing duties for RDSPs in the NIS regulations to ensure that they remain resilient against evolving cyber-threats. It clarifies the requirement for those services, making it clearer that they must secure themselves not just to keep the services they provide running and available but to contribute to wider systems security as a whole.
Lincoln Jopp
Given the scenario we just discussed, it is possible that a digital service provider would have an obligation to report under the Bill, but the parent company employing its services would not. Given the requirements for confidentiality that a client company may put upon a digital managed service provider, how can that conflict be managed?
Kanishka Narayan
I appreciate the hon. Gentleman’s question, and I have two comments to make on that front. First, the relevant digital service provider will have a range of different customers, and my expectation would be that the regulators and the NCSC would seek a deep understanding of the risk exposure across the full breadth of that portfolio, rather than for each particular customer. Of course, that would form part of some analysis.
Secondly—the shadow Minister asked a related question—I am happy to write about the interaction between prompt notification responsibilities and commercial confidentiality duties, on the basis of the engagement we have conducted so far. Especially when questions of major risk exposure are concerned, I would hope there are provisions that allow the relevant digital service provider to notify the NCSC, but I am happy to write to the hon. Member for Spelthorne and the shadow Minister to clarify that point.
Clause 8 also removes a reference to the RDSP’s own network and information system to clarify that the duty is intended to cover all network and information systems that the relevant digital service relies on.
The cyber-risk landscape is diffuse and multifaceted. Hostile actors can use a range of routes and techniques to attempt to take services offline, as well as to extort, steal and surveil. These changes to the NIS regulations support a holistic approach to tackling cyber-risk. They ensure that important dependencies are covered and that facets of security such as the confidentiality of data and integrity of systems are not set aside.
The clause also requires RDSPs to have regard to any relevant guidance issued by the Information Commission when carrying out its duties. Finally, it removes a requirement for relevant digital service providers to consider specific duties referenced in EU regulations. I urge the Committee to support the clause unamended.
Question put, That the amendment be made.
(4 days, 8 hours ago)
Public Bill Committees
Kanishka Narayan
I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.
Clause 11 defines what it means for a digital or managed service provider to be
“subject to public authority oversight”
under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.
In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.
Lincoln Jopp (Spelthorne) (Con)
It is a pleasure to serve with you in the Chair, Ms McVey. Small and medium-sized enterprises are defined by the headcount of full-time employees, yet in the world of IT, particularly for managed service providers, data centres and digital service providers, that is not a helpful metric to understand size and scale. Did the Department consider reevaluating the size of digital and managed service providers based on the through-flow of transactions or data rather than headcount? When I worked in the world of tech, there was a ratio for headcount that was totally different from other sorts of businesses.
Kanishka Narayan
The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.
Kanishka Narayan
I am happy to proceed and to focus on Crown ownership of data centre provision to others. For those reasons, I continue to commend clauses 9 to 11 to the Committee.
Lincoln Jopp
Will the Minister please clarify whether he thinks that, as page 102 of the impact assessment states, the hourly rate for a lawyer changing a contract is £34?
Kanishka Narayan
I simply point out to the hon. Member that the pricing for law varies materially. I hope that, with the benefit of technology, it continues to be very accessible to all relevant providers.
Lincoln Jopp
I am sorry, but that is nonsense. The footnote on the page that cites £34 an hour for a contract lawyer directs us back to the Office for National Statistics. I hope that the Minister lives in the real world—he has clearly worked in the business world—so he knows that that is nonsense. Does he agree that that pretty well undermines that section of the impact assessment?
Kanishka Narayan
Having closed the debate, I am happy to conclude.
Question put and agreed to.
Clause 9 accordingly ordered to stand part of the Bill.
Kanishka Narayan
First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.
The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.
The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.
Kanishka Narayan
I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.
In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.
I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.
Kanishka Narayan
I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.
On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.
The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.
Lincoln Jopp
The Minister came back with an answer on proportionality, saying that it is not for Government to decide what is essential. He missed out the next bit, which is, “We’re just going to regulate critical suppliers and pass laws about them, but we don’t know how many there are, and we don’t know how much the policy is going to cost.” Would he accept that characterisation as the logical conclusion of what he said?
The Minister also said that schools were not covered by the Bill. As far as I am aware, patient data and children’s data are two of the most precious things that we have, so I would like to know why schools are not covered by the Bill.
Kanishka Narayan
On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.
(3 months, 2 weeks ago)
Commons Chamber
Kanishka Narayan
I want to be in your good books, Madam Deputy Speaker, so I will proceed at pace in answering some of the questions raised.
I first thank the Members on the shadow Front Benches and in particular the hon. Member for Hornchurch and Upminster (Julia Lopez). I was sad that her generous welcome to me was not extended to this particular announcement. In particular, I was sad that she did not welcome the fact that out of their Tory fiscal wreckage we have managed to get £520 million for the British life sciences sector, that out of the economic damage they did to this country we have still managed to secure over £1 billion in investment from Moderna in the British life sciences sector, and that out of what we inherited from the Tory context we have managed to secure over £1 billion from BioNTech. Right across the board, there is a picture of stability, good jobs in the life sciences and broader technology sectors, optimism and, above all, an energy shared across Government, the private sector and academia.
Kanishka Narayan
I must proceed because, as I said, I need to be in Madam Deputy Speaker’s good books.
A particular concern has been raised about VPAG, another part of a longer-standing legacy from a Tory Chancellor’s austerity rampage for the life sciences sector in this country. The Government’s position is very clear: we will always put patients and taxpayers first. This Government are open to working collaboratively with the pharmaceutical industry, which is exactly why we have put forward a generous and unprecedented offer worth approximately £1 billion over three years as part of a review of VPAG, which ultimately industry did not take a vote on.
We remain confident in the life sciences as a driver of both economic growth and better health outcomes and our door remains open to future engagement. I know that regular conversations go on and while I will not update Members on the shadow Front Benches on every single meeting the Secretary of State takes, I can assure them that she is involved in both the particular conversations around VPAG and more general engagement with the life sciences sector.
I particularly thank my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), whose depth of experience in engineering prior to this House and extensive experience in this House, in particular through leadership of the Science and Technology Committee, is one that I take considerable inspiration from.
Kanishka Narayan
I will make some progress for now. My hon. Friend raised a particular point around synthetic biology, which is very close to my heart because I think that Britain has a particular opportunity in the convergence of engineering, AI and life sciences, and we are keen on seizing that to its fullest extent.
On the three particular questions from my hon. Friend the Member for Newcastle upon Tyne Central and West, foremost of which was about the size of the funding available, I will say a couple of things: first, that this is the largest fund of this nature announced in the history of the UK Government, to my understanding, with capital grants worth £520 million altogether; and secondly, that it is but one part of the overall funding package across Government if one considers the investments across Innovate UK, UKRI, the British Business Bank and beyond. I hope that some of the assurances around VPAG have answered the particular question posed there, and on regional impact, I point out that the first two grants from the scheme were made out to firms in Birmingham and Keele. I hope that is a starting indicator of my long-term hope; we will certainly monitor it.
Kanishka Narayan
I am afraid I will not; I believe I have been relatively generous in welcoming contributions from across the House. On the point of regional impact, in addition to the midlands, may I join the shadow Front Benchers in welcoming—they do so with laughter and amusement—the collective efforts of our entire Northern Irish contingent? I will take away the strong point about Northern Ireland’s strengths in the life sciences sector; it will be embedded on my mind.
I thank the hon. Member for South Cambridgeshire (Pippa Heylings) for talking about investments. The only thing I will say on some of the announcements is that they have to be taken in the context of the wider global context for those firms, MSD in particular.
Kanishka Narayan
If the Member listens, he may feel that his point is addressed in my claims. In at least one of those cases, a pause, rather than a cancellation, was announced and in the other, there have been a series of announcements globally regarding thousands of jobs, not only in the UK but beyond. As I said, I hope that the two announcements I mentioned, by Moderna and BioNTech, will give us some assurance that the life sciences sector in the British context is firing on all cylinders with Government support.
Finally, I note with thanks the important point on national security and IP made by the hon. Member for Lagan Valley (Sorcha Eastwood). It is top of mind for me in ensuring that we are not just powering economic growth and not just jobs and good health for people across this country, but doing the first job of Government to protect our national security.
Question put and agreed to.
Resolved,
That this House authorises the Secretary of State to undertake payments, by way of financial assistance under section 8 of the Industrial Development Act 1982, in excess of £30 million to any successful applicant to the Life Sciences Innovative Manufacturing Fund, launched on 30 October 2024, up to a cumulative total of £520 million.