Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)
Lincoln Jopp ExcerptsThursday 5th February 2026
(3 days, 8 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.
That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.
Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.
The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.
Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.
Lincoln Jopp (Spelthorne) (Con)
Members on both sides of the Committee have referred frequently to the fact that the incident that took Jaguar Land Rover down would not have been covered by the Bill. JLR employs a digital service provider, in the form of Tata Consultancy Services. Would that provider not be covered, meaning that JLR is in scope?
Kanishka Narayan
Although I will not rule a particular provider in or out of scope, if the provider in question met the threshold for RDSP coverage, it would be covered, but the locus of that coverage would be limited to the provider rather than to the end-customer entity. I hope that clarifies that sufficiently.
Let me explain how clause 8 was designed to tackle the risks that Committee members have set out. The clause updates the existing duties for RDSPs in the NIS regulations to ensure that they remain resilient against evolving cyber-threats. It clarifies the requirement for those services, making it clearer that they must secure themselves not just to keep the services they provide running and available but to contribute to wider systems security as a whole.
Lincoln Jopp
Given the scenario we just discussed, it is possible that a digital service provider would have an obligation to report under the Bill, but the parent company employing its services would not. Given the requirements for confidentiality that a client company may put upon a digital managed service provider, how can that conflict be managed?
Kanishka Narayan
I appreciate the hon. Gentleman’s question, and I have two comments to make on that front. First, the relevant digital service provider will have a range of different customers, and my expectation would be that the regulators and the NCSC would seek a deep understanding of the risk exposure across the full breadth of that portfolio, rather than for each particular customer. Of course, that would form part of some analysis.
Secondly—the shadow Minister asked a related question —I am happy to write about the interaction between prompt notification responsibilities and commercial confidentiality duties, on the basis of the engagement we have conducted so far. Especially when questions of major risk exposure are concerned, I would hope there are provisions that allow the relevant digital service provider to notify the NCSC, but I am happy to write to the hon. Member for Spelthorne and the shadow Minister to clarify that point.
Clause 8 also removes a reference to the RDSP’s own network and information system to clarify that the duty is intended to cover all network and information systems that the relevant digital service relies on.
The cyber-risk landscape is diffuse and multifaceted. Hostile actors can use a range of routes and techniques to attempt to take services offline, as well as to extort, steal and surveil. These changes to the NIS regulations support a holistic approach to tackling cyber-risk. They ensure that important dependencies are covered and that facets of security such as the confidentiality of data and integrity of systems are not set aside.
The clause also requires RDSPs to have regard to any relevant guidance issued by the Information Commission when carrying out its duties. Finally, it removes a requirement for relevant digital service providers to consider specific duties referenced in EU regulations. I urge the Committee to support the clause unamended.
Question put, That the amendment be made.
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Lincoln Jopp ExcerptsThursday 5th February 2026
(3 days, 8 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 5 February 2026 - (5 Feb 2026)
Kanishka Narayan
I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.
Clause 11 defines what it means for a digital or managed service provider to be
“subject to public authority oversight”
under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.
In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.
Lincoln Jopp (Spelthorne) (Con)
It is a pleasure to serve with you in the Chair, Ms McVey. Small and medium-sized enterprises are defined by the headcount of full-time employees, yet in the world of IT, particularly for managed service providers, data centres and digital service providers, that is not a helpful metric to understand size and scale. Did the Department consider reevaluating the size of digital and managed service providers based on the through-flow of transactions or data rather than headcount? When I worked in the world of tech, there was a ratio for headcount that was totally different from other sorts of businesses.
Kanishka Narayan
The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.
Dr Spencer
The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.
The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and instant reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.
However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?
I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.
It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?
The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.
One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.
Lincoln Jopp
Having read the Bill, does my hon. Friend understand that if a managed service provider provides services to, say, a hospital—so it would be covered by the regulations—and a reportable event happens to the managed service provider, there is any obligation for the hospital trust to report it as well, or is it just the managed service provider that has the responsibility? If he is not clear on that, would he ask the Minister?
Dr Spencer
I thank my hon. Friend for the “get out of jail free” card that he gave me at the end of his question; indeed, I pass that question on to the Minister. The point is well made in terms of trying to dissect the interacting and relevant duties in the Bill. The Bill tries to chop up different actors in the digital ecosystem, as well as public an non-public organisations, although a commercial threshold is being used. The Bill also introduces confusion: it rightly tries to make a carve-out for Crown data centres, but what exactly is a Crown data centre? One could argue that a Crown service is something provided by the state. Is a data centre serving a hospital therefore a Crown data centre?
There are so many different components within the Bill. Not only are there 14 regulators, or however many are operating—earlier this week, Amazon told us in evidence that it is regulated by four regulators—there is also confidential information going through, as my hon. Friend the Member for Spelthorne pointed out. It gets even worse in the clause on critical supply networks. It is just incredibly confusing. The Committee—and, dare I say, the Government—should not ignore the evidence we have received from managed service providers time and again saying that although MSPs should be in scope and these regulations help, we need clarity on what exactly that means.
Dr Spencer
Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.
Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.
Lincoln Jopp
I thank the shadow Minister for his reply to my hon. Friend the Member for Bognor Regis and Littlehampton. Is he as surprised as I am to read in the impact assessment that the hourly rate for a contract lawyer is to be £34 an hour rather than £300 to £500 an hour, which in my experience is the market rate?
Dr Spencer
I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.
Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.
We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.
Kanishka Narayan
I am happy to proceed and to focus on Crown ownership of data centre provision to others. For those reasons, I continue to commend clauses 9 to 11 to the Committee.
Lincoln Jopp
Will the Minister please clarify whether he thinks that, as page 102 of the impact assessment states, the hourly rate for a lawyer changing a contract is £34?
Kanishka Narayan
I simply point out to the hon. Member that the pricing for law varies materially. I hope that, with the benefit of technology, it continues to be very accessible to all relevant providers.
Lincoln Jopp
I am sorry, but that is nonsense. The footnote on the page that cites £34 an hour for a contract lawyer directs us back to the Office for National Statistics. I hope that the Minister lives in the real world—he has clearly worked in the business world—so he knows that that is nonsense. Does he agree that that pretty well undermines that section of the impact assessment?
Kanishka Narayan
Having closed the debate, I am happy to conclude.
Question put and agreed to.
Clause 9 accordingly ordered to stand part of the Bill.
Alison Griffiths
The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.
Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.
The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.
As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.
There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.
UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.
My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small— I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.
Lincoln Jopp
To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.
To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:
“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;
so we cannot tell how many there are. The same page also states:
“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”
We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.
Dr Spencer
This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.
The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.
The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.
To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.
Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?
Lincoln Jopp
I do not want to add spurious hypotheticals, so I will talk about the real world. I visited the Maypole special school in my constituency the other day. It has 20 members of staff and 18 pupils. It has people coming from as far away as Wandsworth. It books the transport, and the transport is paid for by the local education authority in which the pupil lives. It is clearly critical that children get to the school—just as it would be for a hospital. Would it be up to members of staff at the Maypole school to find out whether Addison Lee used a managed service provider or a data centre? That seems quite a tricky thing to know about and then to fulfil.
Dr Spencer
I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.
I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.
Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.
If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.
Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.
It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.
Kanishka Narayan
First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.
The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.
The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.
Kanishka Narayan
I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.
In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.
I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.
Kanishka Narayan
I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.
On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.
The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.
Lincoln Jopp
The Minister came back with an answer on proportionality, saying that it is not for Government to decide what is essential. He missed out the next bit, which is, “We’re just going to regulate critical suppliers and pass laws about them, but we don’t know how many there are, and we don’t know how much the policy is going to cost.” Would he accept that characterisation as the logical conclusion of what he said?
The Minister also said that schools were not covered by the Bill. As far as I am aware, patient data and children’s data are two of the most precious things that we have, so I would like to know why schools are not covered by the Bill.
Kanishka Narayan
On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Lincoln Jopp ExcerptsTuesday 3rd February 2026
(5 days, 8 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Alison Griffiths
I am so sorry. Could you possibly speak into the microphone? I cannot hear you.
Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.
Lincoln Jopp
Q
Stuart McKean: It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber-attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.
Lincoln Jopp
Do either of the other witnesses have anything to say on that?
Jill Broom indicated dissent.
Dr Sanjana Mehta indicated dissent.
Andrew Cooper (Mid Cheshire) (Lab)
Q
Jill Broom: I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Lincoln Jopp ExcerptsTuesday 3rd February 2026
(5 days, 8 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Emily Darlington (Milton Keynes Central) (Lab)
Q
Ian Hulme: We need to think about this as essentially two different regimes. The requirements under data protection legislation to report a data breach are well established, and we have teams, systems and processes that manage all that. There are some notable cases that have been in the public domain in recent months where we have levied fines against organisations for data breaches.
The first thing to realise is that we are still talking about only quite a small sub-sector—digital service providers, including cloud computing service providers, online marketplaces, search engines and, when they are eventually brought into scope, MSPs. A lot of MSPs will provide services for a lot of data controllers so, as I explained, if you have the resilience and security of information networks, that should help to make data more secure in the future.
Lincoln Jopp (Spelthorne) (Con)
Q
I have dealt with the ICO before. Maybe it was the company that I worked in and led, but there was a culture there that, if you had a data breach, you told the ICO. There was no question about it. How are you going to develop your reactions and the behaviours you reward in order to encourage a set of behaviours and cultures of openness within the corporate sector, bearing in mind that, as was said this morning, by opening that door, companies could be opening themselves up to a hefty fine?
Stuart Okin: In the energy sector, we have that culture. It is one of safety and security, and the chief executives and the heads of security really lean into it and understand that particular space. There are many different forums where they communicate and share that type of information with each other and with us. Incident response is really the purview of DESNZ rather than us, but they will speak to us about that from a regulatory perspective.
Ian Hulme: From the ICO’s perspective, we receive hundreds of data-breach reports. The vast majority of those are dealt with through information and guidance to the impacted organisation. It is only a very small number that go through to enforcement activity, and it is in only the most egregious cases—where failures are so egregious that, from a regulatory perspective, it would be a failure on our part not to take action.
I anticipate that is the approach we will take in the future when dealing with the instant reporting regime that the Bill sets out. Our first instinct would be to collaborate with organisations. Only in the most egregious cases would I imagine that we would look to exercise the full range of our powers.
Natalie Black: From Ofcom’s point of view, we have a long history, particularly in the telecoms sector, of dealing with a whole range of incidents, but I certainly hear your point about the victim. When I have personally dealt with some of these incidents, often you are dealing with a chief executive who has woken up that morning to the fact that they might lose their job and they have very stressed-out teams around them. It is always hard to trust the initial information that is coming out because no one really knows what is going on, certainly for the first few hours, so it is the maturity and experience that we would want to bring to this expanded role when it comes to data centres.
Ultimately the best regulatory relationships I have seen is where there is a lot of trust and openness that a regulator is not going to overreact. They are really going to understand what is going on and are very purposeful about what they are trying to achieve. From Ofcom’s point of view it is always about protecting consumers and citizens, particularly with one eye on security, resilience and economic growth. The experience we have had over the years means that we can come to those conversations with a lot of history, a lot of perspective, and, to be honest, a bit of sympathy because sometimes those moments are very difficult for everyone involved.
The Chair
We have only five minutes left for this session, so if we can have concise questions and answers we might get everyone in.
Dr Gardner
Q
Brian Miller: That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.
Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?
Stewart Whyte: We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.
From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.
Lincoln Jopp
Q
Brian Miller: We would work with the Scottish Health Competent Authority as our regulator; I cannot speak for other regulators and what that might look like. We are doing work on what assurance for critical suppliers outside the Bill looks like just now, and we are working across the boards in Scotland on identifying critical suppliers. Outside of that, for any suppliers or any new services, we will assess the risk individually, based on the services they are providing.
The Bill is really valuable for me, particularly when it comes to managed service provision. One of the questions I was looking at is: what has changed since 2018? The biggest change for me is that identity has went to the cloud, because of video conferencing and stuff like that. When identity went to the cloud, it then involved managed service providers and data centres. We have put additional controls around that, because the network perimeter extended out into the cloud. We might want to take advantage of those controls for new things that come online, integrating with national identity, but we need to be assured that the companies integrating with national identity are safe. For me, the Bill will be a terrific bit of legislation that will help me with that—if that makes sense.
Lincoln Jopp
Q
Brian Miller: I think we would work with the regulator, but we are looking for more detail in any secondary legislation that comes along. We have read what the designation of critical suppliers would be. I would look to work with the Scottish Health Competent Authority and colleagues in National Services Scotland on what that would look like.
Stewart Whyte: On how we would make that decision, from our perspective we are looking at what the supplier is providing and what sort of data they are processing on our behalf. From the NHS perspective, 90% of the data that we process will be special category, very sensitive information. It could be that, from our side, a lot of the people in the supply chain would fall into that designation, but for some other sectors it might not be so critical. We have a unique challenge in the NHS because of the service we provide, the effect that cyber-crime would have on our organisations, and the sensitivity of the data we process.
Dr Spencer
Q
Stewart Whyte: For me, it would be a slightly different assessment from Brian’s. We would be looking at anything where there is no processing of personal data. For me, that would not be a critical supplier from a data protection perspective. But there might be some other integration with NHS board systems that Brian might have concerns about. There is a crossover in terms of what we do, but my role is to look at how we manage data within the NHS. If there are suppliers where there is no involvement with identifiable data of either staff or patients, I would not see them as a critical supplier under this piece of legislation.
Lincoln Jopp
Q
Brian Miller: I do not want to step out of my lane. There will be clinical stuff that absolutely would be essential. I would not be able to speak in any depth on that part of it; I purely look at the cyber element of it. As an organisation, we would be identifying those kinds of aspects.
In terms of suppliers, you are absolutely right. We have suppliers that supply some sort of IT services to us. If we are procuring anything, we will do a risk assessment—that might be a basic risk assessment because it is relatively low risk, it might be a rapid risk assessment, or it may be a really in-depth assessment for someone that would be a critical supplier or we could deem essential—but there are absolutely suppliers that would not fall under any of that criteria for the board. The board is large in scale, with 40,000 users. It is the largest health board in the country.
Dr Spencer
Q
Stewart Whyte: Yes. There is a lot of information sharing between acute services and primary care via integrated systems. We send discharge letters and information directly to GP practices that then goes straight into the patient record with the GP. There is a lot of integration there, yes.
Dr Gardner
Q
Chris Parker: That is a harder question. There is precedent here—of course, we can think back to the precedents that this great building has set on allowing things such as, post-Clapham train disaster, the Corporate Manslaughter and Corporate Homicide Act 2007 putting it very firmly on boards, evolving from the Health and Safety at Work etc. Act 1974. We are not there yet, but do not forget that we are starting to legislate, as is everyone else in Europe and America who are on this journey.
I believe that we will see a requirement at some point in the future. We all hope that the requirement is not driven by something terrible, but is driven by sensible, wise methodology through which we can find out how we can ensure that people are liable and accept their liability. We have seen statements stood up on health and safety from CEOs at every office in this country, for good reason, and that sort of evolution may well be the next phase.
Carla and I talk about this a lot, but we have to be careful about how much we put into this Bill. We have to get the important bit about critical national infrastructure under way, and then we can address it all collaboratively at the next stage to deal with very important issues such as that.
Lincoln Jopp
Q
Chris Parker: I was referring to strategic and critical suppliers, which is a list of Government suppliers. We are advocating that the level of governance and regulatory requirement inside an organisation is difficult, and it really is. It requires quite a lot of work and resource, and if we are putting that on to too small a supplier, on the basis that we think it is on the critical path, I would advocate a different system for risk management of that organisation, rather than it being in the regulatory scope of a cyber-resilience Bill. The critical suppliers should be the larger companies. If we start that way in legislation and then work down—the Bill is designed to be flexible, which is excellent—we can try to get that way.
As a last point on flexibility—this is perhaps very obvious to us but less so to people who are less aware of the Bill—there is a huge dynamic going on here where you have a continuum, a line, at one end of which you have the need for clarity, which comes from business. At the other you have a need for flexibility, which quite rightly comes from the Government, who want to adjust and adapt quite quickly to secure the population, society and the economy against a changing threat. That continuum has an opposing dynamic, so the CRB has a big challenge. We must therefore not be too hard on ourselves in finding exactly where to be on that line. Some things will go well, and some will just need to be looked at after a few years of practice—I really believe that. We are not going to get it all right, because of the complexities and different dynamics along that line.
Carla Baker: This debate about whether SMEs should be involved or regulated in this space has been around since we were discussing GDPR back in 2018. It comes down to the systemic nature of the supplier. You can look at the designation of critical dependencies. I am sure you have talked about this, but for example, an SME software company selling to an energy company could be deemed a critical supplier by a regulator, and it is then brought into scope. However, I think it should be the SMEs that are relevant to the whole sector, not just to one organisation. If they are systemic and integral to a number of different sectors, or a number of different organisations within a sector, it is fair enough that they are potentially brought into scope.
It is that risk-based approach again. But if it is just one supplier, one SME, that is selling to one energy company up in the north of England, is it risk-based and proportionate that they are brought into scope? I think that is debatable.
Andrew Cooper (Mid Cheshire) (Lab)
Q
I can imagine that the legislation has been worded as it is to try to capture that situation where activity might occur, but not have an impact. Would you accept that that is important, and how would that fit in with the tiered approach that you described?
Carla Baker: I completely get your point. We have looked at that; my legal colleagues have looked at things such as spyware, where you have malware in the system that is not doing anything but is living there, for example, or pre-emptive, where they are waiting to launch an attack, and we think this amendment would still cover those scenarios. It is not necessarily cause and impact: the lights have not gone out, but if there is, for example, a nation state actor in your network, we think the amendment would still cover that.
Tim Roca
Q
Kanishka Narayan: That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.
The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.
Lincoln Jopp
Q
Kanishka Narayan: Do you mean operators of essential services, or critical suppliers, as in the third party element?
Lincoln Jopp
I meant operators of essential services.
Kanishka Narayan: The Bill effectively specifies operators of essential services as large participants in the essential services sectors. I think that that definition is very straightforward. The hospital in this question would be an operator of an essential service. If the question extends to critical third party suppliers—
Lincoln Jopp
Q
Kanishka Narayan: There are two things to say on this. There is at least a four-step test on the face of the Bill for what would qualify as a critical supplier. First, a critical supplier has to supply to an operator of an essential service, in this case the hospital. Secondly, the supplier itself must engage with important network and information systems. Thirdly, the disruption to that third party supplier would have to cause a material disruption to the operator in question—in this case, if the third party supplier falls over from a cyber-security point of view, there would be material and business continuity disruption to the hospital. Fourthly, not only that, but that disruption would have to be sufficiently severe in its impact to be in scope. That is one set of things. Underlying that is a further test in the Bill, whereby alternative provision of that third party supply could not be secured in a practicable way. The combination of those tests means that the scope set out for the critical third party suppliers is extremely tight and robust.
Then there is still the question, having gone through that five-step test, of the particular burden placed on relevant suppliers in scope. My expectation and hope would be that regulators take a much more proportionate approach there than to set the precise same conditions on those suppliers as they do on the operator in question; in particular, that the burden on them is placed specifically in sight of the directional risk that they pose to the operator, rather than the risk in sum for that third party supplier.
The first thing is therefore that the Bill clearly specifies a very tight scope. The second is that it does not seem to me, as a relative novice to both the medical world and cyber-security, unusual to have a specification of this nature in a Bill. Given my professional context, I am particularly conscious of the very clear and critical third party comparable requirement in the Financial Services and Markets Act 2000, which focuses on both cyber-security and supply chain risks. That has worked relatively proficiently in that context, so I hope that there are some good lessons to learn from that.
Lincoln Jopp
Q
Kanishka Narayan: The way in which I would envisage it is that each individual regulator assesses the critical nature of the risk posed to its regulated operators. If a hospital has a third party supplier, and the presence and nature of its supply means that there is a critical risk exposure for the hospital, that would be in scope for some degree of regulation in the Bill. To your question, if there is a comparable but separate hospital in a part of England that is separately regulated, but has the same third party supplier, there is obviously a question of whether that third party supplier would end up being regulated twice if the criticality threshold is met. In that instance, and in other similar instances of multiple regulators covering the same third party supplier, I would expect a high degree of co-ordination. In fact, the provisions in the Bill, as well as my hopes for subsequent guidance, are focused on our efficiency and proportionality when there are multiple regulators. However, I think the assessment has to be undertaken by each regulator on a separate basis, because the question being assessed is not the nature, the sum risk, of the third party supplier in itself, but the risk posed by its relationship to the operator it is providing to—if that makes sense.
Lincoln Jopp
Q
Kanishka Narayan: Yes, I guess, added together in the sense that they would be separately regulated, but they would all come within the scope of the regulations. Where there is an overlap in the party being regulated, my hope is that the Bill provides for individual regulation, but is very much open to the prospect of a lead regulator engaging in a softer way with the other regulators, as long as each regulator feels that that has assured them of the risk.
Andrew Cooper
Q
We have heard quite a bit about how important it will be, if taking a sectoral approach, to make sure that sharing information between regulators works smoothly, and that there are no information silos. The witness from Ofcom talked about an annual report to the National Cyber Security Centre. That sent chills down my spine, though I am sure she did not mean it quite in that way. How will you ensure that there is an adequate flow of information between regulators in a timely manner? They might not realise that there is cross-sectoral relevance, but when that information is provided to another regulator, it might turn out that there is. How do you address the importance of a single point of reporting that we heard about time and again from witnesses today?
Kanishka Narayan: Those are really important points. In terms of supporting the quality, frequency and depth of information sharing, first, the Bill provides the legal possibility of doing that in a deeper way. It gives the permission and the ability to do that across regulators.
Secondly, in the light of the implicit expectation of that information sharing, the National Cyber Security Centre already brings together all the relevant regulators for deeper conversation and engagement on areas of overlap, best practice sharing, and particularly the sharing of information related to incidents and wider risk as a result. I hope that will continue to be systematic.
On the question of a single reporting avenue, the National Cyber Security Centre, from an incident and operational point of view, is clearly the primary and appropriate location during the implementation of the Bill. From my conversations with the centre and its conversations with the regulators, I know there has been engagement to ensure that it remains a prompt venue for regulators to feed in their information.
Life Sciences Innovative Manufacturing Fund
Lincoln Jopp Excerpts(3 months, 2 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Dame Chi Onwurah
Let me thank the hon. Member for that intervention, which pre-empts something I will say in a few minutes. She is absolutely right: Northern Ireland already plays an important role in the life sciences sector and life sciences manufacturing, and it will have an important role to play in the future.
It is an incredibly exciting time to be involved in life sciences. I often think that if I were a young engineer now—I studied electrical engineering—I would be fascinated by the life sciences and, in particular, synthetic biology, which offers so many potential opportunities for growth and wellbeing. It is an enabling technology across so many different sectors.
In Newcastle, including in my constituency of Newcastle upon Tyne Central and West, the life sciences contribute £1.7 billion and employ over 8,000 people across more than 200 companies. We are home to the National Innovation Centre for Ageing, Newcastle Helix and The Biosphere. Our city is one star in a constellation of excellent life sciences clusters across the north of England.
I really welcome the ambition of the innovation manufacturing fund. I ask the Minister in his response for more clarity in three particular areas. First, in regard to the size of the fund, in the face of increased competition, and as the shadow Secretary of State described—this will be in less sensationalist terms—we are seeing some reduction in investment in the UK. Is £520 million enough to ensure that the UK is an attractive prospect for internationally mobile businesses? By contrast, a manufacturing plant such as Moderna’s recently opened vaccine centre in Oxfordshire might cost in the region of £150 million to £200 million. Is the fund the right size?
Secondly, the Select Committee recently held a one-off session on life sciences investment, which was of such interest that we have decided to hold another one-off session next week on the same subject. We heard evidence from the pharma sector, including significant support for the life sciences sector plan and for the Government’s approach, but I think it is fair to say that we were told that, although NHS pricing is not the only factor in investment decisions, it is a significant one. We heard evidence that the UK spends less proportionately on medicines than other comparable countries and that that reduces the pull-through for innovative medicines. It would clearly be a difficult decision to spend more on medicines, as that would mean spending less elsewhere in our NHS.
Does the Minister see the manufacturing fund as support in some way for investment decisions in the absence of progress on the NHS pricing discussions? Could he tell us whether the Secretary of State is involved in discussions between the Health Secretary and the pharma sector with regard to NHS pricing? I understand that discussions are ongoing, and I see the Under-Secretary of State for Health and Social Care, my hon. Friend the Member for Glasgow South West (Dr Ahmed), conferring with him. Perhaps he can confirm that those discussions are ongoing.
Lincoln Jopp (Spelthorne) (Con)
When the Committee held its one-off session on investment in life sciences, did it unearth the reasons why Sanofi, Eli Lilly and Merck have recently chosen to disinvest in life sciences in the UK?
Dame Chi Onwurah
I thank the hon. Member for that intervention. The Committee’s work is fascinating, so I certainly recommend he read the transcript. To summarise, we were looking specifically at the reasons for investment being pulled and, as I said, we asked the question in a number of different ways. The message that came back was significant support for the life sciences sector plan and the Government approach, but lack of certainty and clarity over NHS pricing and dismay about some aspects of NHS pricing and National Institute for Health and Care Excellence decisions. The hon. Gentleman is therefore right to point out that there was concern over the current and likely future pricing of innovative medicines, but that was not the only factor in those investment decisions. I ask the Minister to give us an update on those negotiations to the extent that he is able to do so, and to say whether this manufacturing fund is seen as potential compensation for investment in medicines and pricing as part of the NHS future plan.
Kanishka Narayan
I want to be in your good books, Madam Deputy Speaker, so I will proceed at pace in answering some of the questions raised.
I first thank the Members on the shadow Front Benches and in particular the hon. Member for Hornchurch and Upminster (Julia Lopez). I was sad that her generous welcome to me was not extended to this particular announcement. In particular, I was sad that she did not welcome the fact that out of their Tory fiscal wreckage we have managed to get £520 million for the British life sciences sector, that out of the economic damage they did to this country we have still managed to secure over £1 billion in investment from Moderna in the British life sciences sector, and that out of what we inherited from the Tory context we have managed to secure over £1 billion from BioNTech. Right across the board, there is a picture of stability, good jobs in the life sciences and broader technology sectors, optimism and, above all, an energy shared across Government, the private sector and academia.
Kanishka Narayan
I must proceed because, as I said, I need to be in Madam Deputy Speaker’s good books.
A particular concern has been raised about VPAG, another part of a longer-standing legacy from a Tory Chancellor’s austerity rampage for the life sciences sector in this country. The Government’s position is very clear: we will always put patients and taxpayers first. This Government are open to working collaboratively with the pharmaceutical industry, which is exactly why we have put forward a generous and unprecedented offer worth approximately £1 billion over three years as part of a review of VPAG, which ultimately industry did not take a vote on.
We remain confident in the life sciences as a driver of both economic growth and better health outcomes and our door remains open to future engagement. I know that regular conversations go on and while I will not update Members on the shadow Front Benches on every single meeting the Secretary of State takes, I can assure them that she is involved in both the particular conversations around VPAG and more general engagement with the life sciences sector.
I particularly thank my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), whose depth of experience in engineering prior to this House and extensive experience in this House, in particular through leadership of the Science and Technology Committee, is one that I take considerable inspiration from.
Kanishka Narayan
I will make some progress for now. My hon. Friend raised a particular point around synthetic biology, which is very close to my heart because I think that Britain has a particular opportunity in the convergence of engineering, AI and life sciences, and we are keen on seizing that to its fullest extent.
On the three particular questions from my hon. Friend the Member for Newcastle upon Tyne Central and West, foremost of which was about the size of the funding available, I will say a couple of things: first, that this is the largest fund of this nature announced in the history of the UK Government, to my understanding, with capital grants worth £520 million altogether; and secondly, that it is but one part of the overall funding package across Government if one considers the investments across Innovate UK, UKRI, the British Business Bank and beyond. I hope that some of the assurances around VPAG have answered the particular question posed there, and on regional impact, I point out that the first two grants from the scheme were made out to firms in Birmingham and Keele. I hope that is a starting indicator of my long-term hope; we will certainly monitor it.
Kanishka Narayan
I am afraid I will not; I believe I have been relatively generous in welcoming contributions from across the House. On the point of regional impact, in addition to the midlands, may I join the shadow Front Benchers in welcoming—they do so with laughter and amusement—the collective efforts of our entire Northern Irish contingent? I will take away the strong point about Northern Ireland’s strengths in the life sciences sector; it will be embedded on my mind.
I thank the hon. Member for South Cambridgeshire (Pippa Heylings) for South Cambridgeshire for talking about investments. The only thing I will say on some of the announcements is that they have to be taken in the context of the wider global context for those firms, MSD in particular.
Kanishka Narayan
If the Member listens, he may feel that his point is addressed in my claims. In at least one of those cases, a pause, rather than a cancellation, was announced and in the other, there have been a series of announcements globally regarding thousands of jobs, not only in the UK but beyond. As I said, I hope that the two announcements I mentioned, by Moderna and BioNTech, will give us some assurance that the life sciences sector in the British context is firing on all cylinders with Government support.
Finally, I note with thanks the important point on national security and IP made by the hon. Member for Lagan Valley (Sorcha Eastwood). It is top of mind for me in ensuring that we are not just powering economic growth and not just jobs and good health for people across this country, but doing the first job of Government to protect our national security.
Question put and agreed to.
Resolved,
That this House authorises the Secretary of State to undertake payments, by way of financial assistance under section 8 of the Industrial Development Act 1982, in excess of £30 million to any successful applicant to the Life Sciences Innovative Manufacturing Fund, launched on 30 October 2024, up to a cumulative total of £520 million.
United States Film Tariff
Lincoln Jopp Excerpts(9 months ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.
Each Urgent Question requires a Government Minister to give a response on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Chris Bryant
The right hon. Gentleman makes a good point. I have already had discussions on other matters relating to the creative industries with Members of the Executive in Northern Ireland, and I think I have another call next week, so I will of course make sure they are consulted. He makes a very good point about tourism. An awful lot of tourists who come to the UK want to see the places where some of their favourite movies and television series were made. That is one of the things that VisitBritain is capitalising on at the moment with its “Starring GREAT Britain” campaign.
Lincoln Jopp (Spelthorne) (Con)
I very much enjoy discussing the British film industry, because Members across the House stand up and say that they have the Hollywood of Hertfordshire or Bedfordshire and everywhere else. I am blessed in Spelthorne to have Europe’s biggest film studios and the second biggest in the world in Shepperton—interestingly, it is second not to Hollywood but to China. There is a certain amount of nervousness in Spelthorne as a result of the posting on Truth Social that the Minister has come here to talk about. I agree with him that it is incredibly difficult logistically and technically to unpick the US-UK intellectual property in a film, and I think it will prove to be so. I therefore commend him for his considered run at this; I think it is the right thing to do.
A couple of weeks ago I visited Cineco, one of our many British film support companies, which makes sets and props. One point it made on skills is that the apprenticeship model does not work terribly well for industries that have so many freelancers and such lumpy work schedules. As a sidebar to the Minister’s meeting with industry leaders tomorrow, would he please raise and discuss that with industry leaders?
Listed Places of Worship Scheme
Lincoln Jopp Excerpts(1 year ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Lincoln Jopp (Spelthorne) (Con)
I congratulate my hon. Friend the Member for Bromsgrove (Bradley Thomas) on securing this debate. I am time constrained, but I want to mention St Mary’s in Stanwell, a grade I listed 12th-century Norman church. An overseas visitor remarked to me recently how odd it was that the Normans chose to build such a beautiful church right by Heathrow airport—I think they slightly missed the point. We also have St Peter’s in Staines, St Nicholas’s in Shepperton and All Saints in Laleham, all of which have benefited from the listed places of worship scheme.
When churches fall into disrepair, our generation lets our communities down, and when churches crumble, the fabric of society itself crumbles. The Minister is clearly not motivated by self-interest, so I point out that my own church, St Mary’s in Sunbury, a beautiful grade II listed church built in 1752 down by the River Thames, is due to be visited by Mr Speaker on 4 March, where he will conduct a conversation with the congregation. Should the Minister wish to make himself a hero and ensure that the Speaker gets a warm welcome from the people of St Mary’s in Sunbury, I am sure he will see sense, listen to the mood of this Chamber—indeed, the mood of the country—and extend this scheme.
Artificial Intelligence Opportunities Action Plan
Lincoln Jopp Excerpts(1 year ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Peter Kyle
My hon. Friend is absolutely right. The thing about AI is that it is not a singular technology; it is a general purpose technology. Just in health alone, AI is already being used in hospitals’ radiography departments, such as in Huddersfield, to make sure that scanning is more precise. We can detect early patterns quicker, so we get to disease quicker, and productivity is increasing—in Huddersfield’s case, from 700 to 1,000 scans a week. Simultaneously, AI is ensuring that doctors’ time is used more wisely in the test pilots that we are running. We are using digital technology to create a more human experience, because doctors can spend more time with patients. That is what happens when we use AI and digital technology wisely. It is why we, unlike the previous Government, will not sit on the sidelines and let the market do business as it sees fit. We will use the power of Government, and the agency that comes with it, to ensure that this technology is used for the benefit of all.
Lincoln Jopp (Spelthorne) (Con)
I do not know whether the Secretary of State has had a moment to read The Times this morning, but it reports that the Chancellor is using a new AI tool to answer her emails. It is 70% accurate and is
“performing as good or better than existing processes”,
which does not say a great deal for the ability of the Chancellor to answer her own emails. Be that as it may, could the Secretary of State please reassure us that any AI tool being used across Government will ensure that any statement brought to the Dispatch Box by the Chancellor is 100% accurate?
Peter Kyle
I can assure the hon. Gentleman that we are piloting, developing and hoping to deploy AI across Government to drive efficiencies and effectiveness, and to serve the people of this country better than ever before—and certainly better, more efficiently and more effectively than they experienced during the previous 14 years.
Oral Answers to Questions
Lincoln Jopp Excerpts(1 year, 2 months ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Deputy Prime Minister
I thank my hon. Friend for raising this case. My thoughts are with Harshita’s family in this horrifying set of circumstances, where Harshita should have been protected and felt protected. The Government are committed to halving violence against women and girls. We continue to do our work, hopefully across the House, to make sure that we can end the circumstances Harshita faced and we can stop this kind of barbaric action.
Lincoln Jopp (Spelthorne) (Con)
The Deputy Prime Minister
Mr Speaker, what can I say? I absolutely agree with the hon. Gentleman—may I say my hon. Friend?—about the Spelthorne Litter Pickers. Those who come together to volunteer and help, in particular young people who do a lot of this, play an important role in all our constituencies. I think across the whole House we congratulate the Spelthorne Litter Pickers on their award, and all those who do voluntary work to support our communities.