Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate

Department: Department for Science, Innovation & Technology
Freddie van Mierlo

Q I have two questions: one to Jill and one to Dr Mehta. First, what is your view, Jill, on the relative strength of this legislation, compared to what is coming forward in the EU? Do you think that the fact that we are not following the EU will make it harder for your members to interact and trade with individuals and companies in Europe?

Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?

Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.

Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.

There are a number of key reasons for that. First, public administration needs to be a role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.

Lincoln Jopp (Spelthorne) (Con)

Q On the question of closer alignment, can you give us a sense from the international picture of whether certain regulatory regimes raise the barrier to terrorists or criminals so high that they are left alone? Is that a national thing or a company-based thing? Where are the flow lines of attack and threat? Is it on a national or a corporate basis?

Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—

Alison Griffiths

I am so sorry. Could you possibly speak into the microphone? I cannot hear you.

Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.

Lincoln Jopp

Q I appreciate that. My question was about where that leads them to attack, on the basis that they will take the route of least resistance. Where is that? Is that an international thing, a national thing or a corporate thing?

Stuart McKean: It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber-attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.

Lincoln Jopp

Do either of the other witnesses have anything to say on that?

Jill Broom indicated dissent.

Dr Sanjana Mehta indicated dissent.

Andrew Cooper (Mid Cheshire) (Lab)

Q I have a question for Jill Broom. You were talking about the incident reporting requirements. Do you think the legislation strikes the right balance to encourage organisations to come forward when they have been attacked, so that the sector can learn from that and vulnerabilities can be patched out in other areas, or is it so stringent that organisations will be concerned about facing penalties if they are fully transparent?

Jill Broom: I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.