Dr Spencer

- Hansard -

Copy Link

- - Excerpts

That information is concerning. I entirely agree with my hon. Friend that information sharing is important when dealing with evolving threats.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for his intervention, which is more for the Minister and the Government Whip’s benefit than mine.

Properly established ISACs will not only increase real-time awareness of cyber-risks and mitigations, but could also alleviate some of the burden on regulators in terms of sector-specific intelligence analysis. Industry feedback and experience from the adoption of the Network and Information Systems Regulations 2018 indicate that sectoral regulators are unlikely to have the capacity to assist with intelligence sharing in relation to real-time cyber-risks.

We know from the sectoral regulators’ oral evidence that building sufficient capacity for effective regulatory oversight is a challenge. Where we have models for sector-led and market-led good practice in hardening cyber-resilience, we should look at how it can be rolled out further. Seeing more of these organisations emerge could even lead to broader adoption beyond NIS-regulated areas to other industries. ISACs have the potential to become integral nodes in improving whole-of-society cyber-resilience, and it is an approach called for by many cyber industry stakeholders. I therefore commend new clause 4.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I beg to move, That the clause be read a Second time.

The National Audit Office’s 2025 report on cyber-resilience highlighted that Government Departments and agencies are among the weakest links in the UK’s cyber-security ecosystem and lack a credible plan to become cyber-resilient in the short to medium term. The Government play a key role in the management of certain critical national industries, but the continuing cyber-security vulnerabilities in the IT systems used to operate CNI expose the UK to the threat of serious attacks that could undermine national security and the economy.

That is not to mention the risk to enormous amounts of highly sensitive data held on Government systems. Dr Sanjana Mehta of ISC2 said in her oral evidence that the Department for Work and Pensions administered £288 billion of benefits over the past year, with more than 23 million people claiming benefits of some kind. That activity involves processing vast amounts of personal, medical and financial data, which presents rich pickings for malicious actors.

The feedback from industry stakeholders, many of whom are being asked by the Government to take on onerous security and reporting obligations under this Bill, echoes those concerns regarding Government cyber-immaturity. There is a strong sentiment that the Government should be leading by example, as Chris Anley of the NCC Group commented in the Committee’s oral evidence sessions.

In view of the growing risk posed to UK cyber-security by hostile state actors, by their affiliates and by criminal gangs, improving Government cyber-security is urgent. It is clear from the NAO’s findings and other recent reports that Government Departments have lacked the clear goals and necessary accountability to incentivise tackling this significant challenge.

In his letter of 19 February to members of the Committee, the Minister said:

“Government will be held to equivalent cyber security requirements that we expect of the essential and digital services in scope of the Cyber Security and Resilience (Network and Information Systems) Bill.”

But as matters stand, there are no effective legal mechanisms for accountability to Parliament on increasing Government cyber-resilience to the standards necessary to meet the intensifying threats facing our Government Departments and agencies.

New clause 5 would compel the Secretary of State to make yearly reports to Parliament setting out the Government’s progress towards meeting the recommendations of the National Audit Office’s 2025 report on Government cyber-resilience and towards meeting the standards they set themselves in their recent cyber action plan. Where necessary, the Secretary of State would have to account for failures to meet deadlines for implementation and issue a new plan to achieve compliance.

In moving this new clause, I am aware of the challenges that successive Governments have faced in driving up cyber-resilience standards. There are serious practical and budgetary obstacles that can impede progress, such as the vast amount of legacy IT equipment that remains in use, which is inherently more vulnerable to attack. Moreover, there is the ongoing problem of recruiting highly skilled cyber-security professionals to work in these roles, given the competition in the recruitment market and constraints on public sector salaries. Illustrative of that challenge is the worrying statistic, cited by Chris Anley of the NCC Group, that

“almost a third of cyber-security posts in Government are presently unfilled”.––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 24, Q29.]

None the less, the Government have now put in place a plan that they consider achievable, and they should be held to account for it. The new clause creates a mechanism for that much-needed accountability.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

My hon. Friend is absolutely right.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clause, which seeks to require a consultation on the resourcing and capabilities of regulators and regulated entities, assessment on whether additional Government support is needed, and a report on the findings. I reassure the hon. Gentleman that the Bill was developed in close collaboration with regulators and industry to ensure that regulators have the right information and tools to implement it.

The Bill already requires the Government to produce two regular reports to monitor the effectiveness of the legislation, and those would naturally include reviews of whether resourcing and capability were impacting on the effectiveness of the regime. The first of those is the annual report on regulator activities in relation to the statement of strategic priorities. The second is the report on the operation of the legislation, which must take place at least every five years.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The hon. Member has made that point a couple of times before. I am happy to write to him about the calculations, so that he is able to understand the survey and the significant uplift on which the figures are based.

In response to the hon. Member for Brecon, Radnor and Cwm Tawe, given that the two reports can already include the topics addressed by his new clause, adding another report would risk confusing their purposes and increasing administrative burdens on those involved unnecessarily. The Government will not hesitate to adapt our support offering based on the findings of those reports. That will include using our flexible mechanisms—for example, updating our guidance to regulators, the statement of strategic priorities and the code of practice. Beyond that, we will continue to engage with regulators as the Bill is implemented, and consider whether any other means of improving regulators’ and regulated entities’ resourcing and capabilities are necessary and proportionate. For those reasons, I ask the hon. Member to withdraw his new clause.

Question put, That the clause be read a Second time.

David Chadwick

- Hansard -

Copy Link

- - Excerpts

I will.

David Chadwick

- Hansard -

Copy Link

- - Excerpts

I think this once more comes down to state capacity and how we see the state’s role. Clearly there needs to be an expansion of the state’s powers—that is why the Bill was introduced—to mandate in writing various requirements of the companies that provide the critical infrastructure upon which our country relies. The hon. Member will remember the numerous witnesses who told us that board accountability was crucial. Some told us that in public and some in private. They are the people who are doing this job, and whom the Government are asking to do this job. That is why we should listen to them and why we will press the new clauses to a vote.

The Chair

- Hansard -

Copy Link

Good morning, everyone. I remind Members to send their speaking notes via email to Hansard and to switch electronic devices to silent. Beverages are not allowed. I ask people to speak clearly and precisely for the benefit of other colleagues and Hansard. Were they to give an early indication that they wish to speak, that would be much appreciated.

The Chair

- Hansard -

Copy Link

I am sure that the Minister will have heard what the hon. Member has said. He may wish to reflect on it, but it is not really a matter for the Chair. Nevertheless, it is on the record.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Having been promoted from a position of mere confidence to faith, I will tackle questions from the hon. Member for Runnymede and Weybridge first and foremost. On the question of thresholds of incident, the Bill sets out the severity of the sorts of incidents that we expect reporting obligations to apply to, and at the same time it ensures that it is proportionate in understanding that sector-specific thresholds ought to be precisely that—sector specific, set closely with relevant entities in that sector, and working with the expertise of the relevant regulators. For that reason, it has not been specified more fully on the face of the Bill.

On information sharing, not only is there provision for the specific sets of purposes for which information sharing ought to take place between regulators, but there is a further check on the proportionality of that, through a particular requirement, to ensure that information that is shared in incident contexts is done precisely for the purposes set out in the Bill, and in a way that is proportionate.

My hon. Friend the Member for Milton Keynes Central raised the question of hardware impacts. While the focus of the Bill is primarily on network and information systems, the test, as I think of it, would look at whether any compromise in network and information systems related to a piece of hardware triggers the severity of the impact, or potential impact, to be reportable. In the event that it is reportable, in its severity and potential impact, it will require notification—to the regulator and, when customers are directly impacted in the way that is set out in the Bill, also to the customers. The test is focused on whether network and information systems are engaged, and whether the impact of any incident is likely to be severe enough, in light of the thresholds set out in the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I hope this does offer the clarity that the hon. Member seeks. While I will not refer to specific businesses, broadly speaking the sector of food supply is not within the scope of the Bill; the obligations on operators of essential services or direct entities that are within the scope of the Bill will not apply.

However, if—in a hypothetical situation—a managed service provider within the scope of the Bill supplies to that business, the managed service provider would be within the scope of the Bill’s requirements. The customer—in this case, the food supply business—may, if the severity applies, be in receipt of reports from the relevant MSP, in this particular context. They will not be caught up in the full set of obligations in the Bill, but we would expect customers to be notified of incidents where the severity thresholds are met. I hope that gives the hon. Member some clarity.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Under the provisions of this Bill alone, only the entities specified as critical suppliers or operators of essential services—the relevant digital providers and so on—would be caught up in obligations if an event occurred. Assuming neither of those is true of a food supply business, the Bill’s provisions would not apply.

At the same time, in the sort of incident that the hon. Member describes, we would expect the NCSC to be deeply engaged, assuming severity thresholds and wider risks are applied. We would work closely on that operationally and I am sure we would look at how that business could be supported more widely. But the Bill’s provisions are really focused on the sectors, and entities within those sectors, that have an immediate threat to day-to-day operations such as a potential threat to life. There are reasons, which we can get into later, as we have done previously, why we set the sectoral scope in that way.

New clause 6 seeks to clarify that a ransomware attack falls under the definition of “incident” within the NIS regulations. I share the concerns of the shadow Minister and the hon. Member for Bognor Regis and Littlehampton about the significant disruption that ransomware attacks can cause. Indeed, last year we saw the impact of the ransomware attack on Synnovis, a supplier to the NHS, which resulted in the delay of 11,000 out-patient and elective procedure appointments. The hon. Member for Bognor Regis and Littlehampton and the shadow Minister are quite right that this kind of attack should be considered an incident under the NIS regime. Because of the changes to incident reporting introduced by the Bill, I can confirm to the Committee that ransomware attacks will be in scope.

The Bill updates the definition of “incident” so that it applies to any event that has, or is capable of having, an adverse effect on the operation or security of network and information systems. Ransomware attacks already fall well within that definition. Although I welcome the principle and intent behind the new clause, its content is already addressed by the Bill. I hope that assures hon. Members across the Committee.

New clause 7 would require the Government to publish a review of the new incident reporting regime within a year of the Bill’s receiving Royal Assent. It is important that the effectiveness of the NIS regulations, including the reforms to incident reporting introduced by the Bill, should be reviewed periodically. That is why the Bill requires the Government to conduct a review and lay it before Parliament once every five years. That timeframe will enable the new regime to bed in and allow a meaningful period of time to measure change before the Government report on its effectiveness. As my hon. Friend the Member for Stoke-on-Trent South said, notwithstanding her and the shadow Minister’s confidence in me and the Government, to publish a review after only one year would risk giving an incomplete picture, as regulators and regulated entities may still be transitioning to the new processes.

The new clause would also require the Government to publish proposals for a single reporting platform for cyber-incidents, again within a year of the Bill’s passing. We have heard the clear ask from businesses to minimise the time they spend filling in different reporting templates following an attack, to ensure they can prioritise the technical response. I share the concerns of the hon. Member for Bognor Regis and Littlehampton, and we are exploring all options to enable a proportionate and efficient reporting system. That said, setting a fixed time limit of one year to develop proposals does not reflect the inherent complexity of the task and the need to get it absolutely right for the businesses in scope of the Bill, not least because the proposals will need to be rigorously evidenced, consulted on and tested. For those reasons, I am unable to accept the new clause.

Question put and agreed to.

Clause 15 accordingly ordered to stand part of the Bill.

Clause 16 ordered to stand part of the Bill.

Clause 17

Powers to impose charges

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am reminded of the hon. Member’s point last week. I am happy to write to him on the basis of the precise figure in the impact assessment, which I understand to be based on not just an extensive survey but the application of subsequent uplifts. I am more than happy to continue that conversation in correspondence.

On factors that ought to be considered in setting up charging schemes, I mentioned some, such as size and turnover, but I will flag that those are suggestive and indicative rather than exhaustive factors that regulators may consider. Regulators ought to be able to set different levels of fee for different types of organisations. There is also provision to exclude organisations from a charging scheme altogether if it would be disproportionate or counterproductive to include them. It is appropriate that regulators and competent authorities can vary their charging schemes in the light of that.

On current regulatory performance and its correlation with charging schemes, I have not observed any direct correlation. What I have seen, simply, is that some regulators are clearly doing well. We heard in evidence from a range of participants that in some cases things are working particularly well and that, in others, there is more scope for improvement. That is precisely why the Bill sets no fundamental lowest common denominator for how regulators ought to approach either charging or their enforcement duties; instead, it ensures that we are conducting oversight of each regulator as robustly as possible. I assure hon. Members that the question of regulatory enforcement is central and that the motivation behind the charging scheme is precisely to ensure that regulators are well resourced to implement the Bill.

Question put and agreed to.

Clause 17 accordingly ordered to stand part of the Bill.

Clause 18

Sharing and use of information under the NIS regulations etc

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.

I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.

To the shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.

I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for asking and repeating the question. The purposes of the provisions on information requirements are focused on ensuring that regulators can conduct their duties as provided by the Bill. I would not expect information notices to require an exhaustive list in every instance, but instead to primarily focus on a more proportionate set of asks relating to risk vectors to the security of the regulated entities and to wider national security and cyber-security.

Question put and agreed to.

Clause 20 accordingly ordered to stand part of the Bill.

Clause 21

Financial penalties

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member on both fronts. On the penalty bands, clearly defined parameters are set out in the Bill, and my hope is that that increases the effectiveness, the clarity and—at the heart of it, to his question—the consistency of application we expect across regulatory regimes.

As I mentioned, the 4% figure for the maximum penalty in part referenced existing UK regulatory regimes and legislation that were felt to be the most comparable. In part, it was judged to be an appropriate, proportionate maximum, based on relevant concerns around the appropriate level of deterrent effect, the proportionate level of fine, the regulatory precedent and the broader impact on investment and the economy as a whole, notwithstanding the significant cyber-security costs businesses already experience.

The second change in the clause is intended to eliminate the confusion surrounding the definition of a “material contravention” in the current regulations. Finally, the clause ensures that regulators can consider a wider range of factors when determining what constitutes an appropriate penalty. Where mitigating steps have been taken to address a breach, that should be acknowledged, but so too should the impacts of the breach and any history of compliance or non-compliance.

To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Just so that I am clear, not least for future records, I think the case described is one where the client is not in the Bill’s scope but is provided to by an MSP that is in the Bill’s scope, and where the relevant responsible individual is in the client business as an employee or agent of that business. The hon. Gentleman raises an important point. Both the obligations and the defined focus of the Bill are on regulated entities. In this instance, if the individual is not in the regulated entity and the regulated entity has complied with the entirety of the wider cyber-security reporting obligations in the Bill, we would look to other venues of legal action against the individual in question. It would be challenging for a Bill that does not regulate the entire economy to ensure that every individual and firm unregulated by it are brought into its scope as well. But that is not to diminish the significance of requiring other pieces of law to act on individuals elsewhere.

The Chair

- Hansard -

Copy Link

I remind the Committee that with this it will be convenient to discuss the following:

New clause 1—Food supply chain to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Food supply

Food supply chain

The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The food supply chain subsector

11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.

(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.

(3) after paragraph 10 insert—

(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—

(i) anything grown or otherwise produced in carrying on agriculture, or

(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;

(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.

(4) In paragraph (3)(b)—

(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;

(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).

(5) In this paragraph—

“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;

“aquaculture” means the breeding, rearing, growing or cultivation of—

(a) any fish or other aquatic animal,

(b) seaweed or any other aquatic plant, or

(c) any other aquatic organism;

“plants” include fungi.

(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”

This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.

New clause 8—Local authorities to be regulated as essential services—

“(1) The NIS Regulations are amended as follows.

(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—

‘Local Government

Local Government

The Secretary of State for Housing, Communities and Local Government’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The Local Government Sector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.

(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.

(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.

(4) In this paragraph “local authority means”—

(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;

(b) in Wales, a county council or a county borough council;

(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;

(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”

This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.

New clause 9—Critical manufacturing and retail sectors—

“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—

(a) the manufacture of critical transport equipment;

(b) the industrial production and processing of food products; and

(c) the retail sale of food and essential goods via large-scale distribution chains.

(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”

This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.

New clause 11—Electoral infrastructure to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Elections

Electoral infrastructure

The Electoral Commission’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The electoral infrastructure subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.

(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—

(a) maintain a register of electors containing more than 50,000 entries;

(b) issue, receive, or process postal ballots for a parliamentary or local government election; or

(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.

(3) In this paragraph—

“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;

“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.

(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—

“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”

This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.

New clause 12—Political parties to be regulated as an essential service—

“(1) The NIS Regulations are amended as follows.

(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

‘Government

Political parties

The Secretary of State for Housing, Communities and Local Government’

(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—

‘The political parties subsector

11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.

(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons

(3) In this paragraph—

“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”

This new clause would designate political parties as providing essential services for the purposes of cyber security.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

- - Excerpts

I will start by addressing the questions raised by hon. Members, including the hon. Member for Spelthorne, who concluded by setting out a general philosophy of how we thought about what is in and out of scope, and then I will address some of the more specific concerns in the new clauses.

The overarching philosophy has not at all been to deny, as the hon. Members for Spelthorne and for Brecon, Radnor and Cwm Tawe argued, that there are a series of services that are absolutely essential. There is a category of critical national infrastructure, and there is a category of essential sectors and services that we identified in the pandemic. Although there is some overlap, a distinct segment for the Bill is operators of essential services such as digital services and managed service providers. The assessment there has been more about the immediacy and severity of the impact, and the availability of alternative provision in a very short time, which has meant that those sectors have been ruled in. I will lay out the logic of our position on the new clauses, which might help clarify this question, although I would be happy to engage further with hon. Members on it.

I am conscious that the hon. Member for Bognor Regis and Littlehampton and the shadow Minister raised very appropriate points about robustness and proportionality in relation to the Secretary of State exercising the powers in the Bill, so I will lay out the process and the role of Parliament.

In terms of the process for bringing new sectors or activities in scope, something must meet a specific, rigorous test to be defined as a new essential activity for the purposes of the Bill. The Secretary of State must be satisfied that the activity is essential to our economy or society. As I have mentioned, that is reserved for the most vital activities to our nation and acts as a high bar for inclusion, on the terms I mentioned to the hon. Member for Spelthorne.

In reaching a decision, the relevant Departments will need to carry out risk assessments and impact assessments and consider whether inclusion of those sectors and activities is proportionate. That is part of the normal policy development process. After that, the proposals will be subject to consultations and the affirmative procedure, ensuring the necessary scrutiny. Parliament will have the final say on the use of any expansive powers, as the vast majority of the changes I mentioned will be made through delegated powers and subject to the affirmative procedure. If a new sector is then brought into scope, we will undertake a phased implementation wherever possible, and organisations will be given adequate time to comply. Alongside that, regulations will be made in a controlled way and include consultations with relevant stakeholders before secondary legislation is laid before Parliament.

I make one final observation on the points that have been made, not least about Jaguar Land Rover. The UK Export Finance export development guarantee is not a bailout. UKEF receives payments for providing its guarantees, ensuring that the Government are appropriately compensated for the risk taken. In that context, a different assessment was made, as I hope to come to shortly.

More broadly, the Committee heard from expert witnesses that although the purpose of the Bill is clear, and its impact is a significant help for our national cyber-security and essential services, it or any other singular move is no silver bullet when it comes to our cyber-security. Different levers are effective in different parts of the economy and must be applied appropriately.

The most stringent lever the Government have at their disposal is legislation. As we have discussed in this and prior sittings, proportionality is key to the exercise of that lever. Regulation creates obligations and requires resources, so the pros of regulating must outweigh the costs. In the context of the Bill, that means protecting our society and economy from unacceptable risks with an immediacy of threat to our day-to-day life, not least our national security. That means things like keeping the lights on, the taps running and the NHS going, where there is little or no alterative provision of such services. We must also avoid creating unnecessary burdens where other measures are available.

In that context, I turn first to new clauses 1 and 9. The Government and the National Cyber Security Centre are clear that all organisations, whether a food supplier, an automotive giant, a supermarket or any other business operating in the UK, should take steps to protect their cyber-security and increase their resilience. That is why in October the Government wrote to FTSE 350 companies urging them to take three actions to strengthen their defences. First, they should make cyber-risk a board-level priority, and I know that that sentiment is shared across the Committee. Secondly, they should require suppliers to have baseline cyber-security through Cyber Essentials. Thirdly, they should sign up to the NCSC’s early-warning service.

The response has been encouraging already. A significant proportion of organisations have responded, with many of those responses coming directly from chief executive officers and chairs, showing the seriousness accorded to this by boards. Following the letter, we have seen increased interest in the Cyber Essentials website, uptake in early-warning registrations, and uptake in registrations for the IASME supplier check tool, which organisations can use to identify suppliers with Cyber Essentials certificates.

Beyond that, Departments and the NCSC deliver sector-specific support for key parts of the economy. On food specifically, the Department for Environment, Food and Rural Affairs and the wider Government have worked with the food and retail sector on cyber-resilience for many years, and we always stand ready to protect the UK food supply chain. During last year’s incidents involving Marks & Spencer and the Co-op, the NCSC and DEFRA worked closely with the affected retailers to support their response, to communicate advice and guidance and to assess the risk to food security. Following the attack, DEFRA Ministers wrote to major retailers to invite further collaboration on cyber-matters. Officials from both the NCSC and DEFRA are working with retailers to understand how we can best support them and the resilience of our food supply chain in the future.

Crucially, the food sector is unique among critical sectors for its high levels of industrial and geographic diversity. There are approximately 20,000 small and medium-sized food manufacturers alone spread across the UK, and many more farms, distribution centres, retailers and other types of businesses that form the UK’s food supply chain. As a result, it is a sector with few single points of failure. Its resilience is further strengthened by the steps that individual operators and suppliers are taking.

Finally, it is worth mentioning that the cyber-attack on Marks & Spencer last year, which hon. Members have raised, specifically involved the social engineering of a third party managed service provider. As the Committee is aware, the Bill brings large and medium-sized managed service providers into scope. That important change delivers downstream benefits across the wider economy, including for food retailers.

I will move on to new clause 8. The Government recognise that a step change in cyber and digital resilience is required across the public sector, including in local authorities. The Government’s cyber action plan is the overarching strategy to improve the cyber-resilience of Government. It will hold the public sector, including local government, to equivalent requirements to organisations regulated by the Bill. At the outset, the hon. Member for Spelthorne raised a question about schools and pupil data; where local authorities are the lead affected departments in that context, they would be expected to maintain very close oversight and compliance with the requirements and asks of the cyber plan, including in schools and the maintenance of pupil data.

Local authorities in England are accountable for their own cyber-security and resilience. The Ministry of Housing, Communities and Local Government, as the lead Government Department, is accountable for the sector-wide resilience of English local government, and is already taking a range of steps to support the sector, strengthen its cyber-resilience and manage its risks more effectively. For example, MHCLG has already provided £23 million of cyber grant funding and technical support to local government. That includes the delivery of clear cyber-security standards through the adoption of the cyber assessment framework—CAF—for local government. It is also aligned with the wider approach taken by organisations already in scope of the network and information systems regulations.

On social care specifically, as the lead Government Department for adult social care, the Department of Health and Social Care is working to ensure that the standards applied by adult social care providers are consistent with those used across Government and the wider public sector. The DHSC is investing a further £21 million over this Parliament to give care providers the support and guidance they need to improve their cyber-resilience and to enhance cyber-security standards to align with the cyber assessment framework. The MHCLG has also launched a local government cyber-incident response service to support English local authorities to respond to severe cyber-incidents, helping to limit the impact these have on data and services.

I now move on to new clauses 11 and 12, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe. The joint election security and preparedness unit—JESP—sits jointly between the MHCLG and the Cabinet Office. It was created by the defending democracy taskforce, a cross-Government unit, and works to protect UK elections and referendums by co-ordinating work across Government to respond to threats, including on cyber-security.

I know that the shadow Minister takes a keen interest in these questions on the run-up to elections, and he raised some important points. JESP works closely with the NCSC, which produces guidance for organisations involved in delivering elections, including local authorities. That includes advice to help IT practitioners implement security measures that will help prevent common cyber-attacks, as well as offers for direct NCSC support, including the NCSC’s active cyber-defence services.

The MHCLG as a whole is responsible for centrally managed digital electoral services covering voter registration, a postal or proxy vote, or a voter authority certificate. All systems and suppliers involved in developing and maintaining digital electoral services must meet strict cyber-security requirements, not least the MHCLG cyber-security assurance framework.

I will move on to political parties. JESP and the NCSC regularly engage with political party representatives to understand their requirements, monitor any cyber-infrastructure vulnerabilities and raise awareness about Government cyber-defence services. The NCSC’s active cyber-defence programme provides free security tools to help UK organisations, including political parties and local authorities, reduce exposure to common cyber- threats. The NCSC encourages all political parties to sign up to these, and offers individual candidate briefings to parties that wish to take them up.

Everything I have said reflects the Government’s current assessment of where regulation is needed to protect the core of our society and economy. Of course, we have seen that what is considered an essential service can change, and we also know that cyber-threats are constantly evolving. That is why the Bill will enable the Government to bring more essential activities and services into scope in future, and to take swift action if UK national security is at risk, in scenarios where the evidence suggests the pros outweigh the costs. However, at this stage we do not think that that is the case for new sectors. I therefore ask hon. Members not to press their new clauses.

Question put and agreed to.

Clause 24 accordingly ordered to stand part of the Bill.

Clause 25

Statement of strategic priorities etc

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.

Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.

Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

This group of clauses concerns the enforcement of directions issued by the Secretary of State. I shall speak to them in turn.

Clause 48 grants the Secretary of State the power to issue a notice of contravention where they believe an entity is failing or has failed to comply with requirements relating to a direction. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will also be able to issue a notification of contravention relating to an information notice or inspection issued by the regulator. It would not be appropriate for a regulator to judge compliance with a direction issued under clause 43 or any other requirement imposed by the Secretary of State.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.

The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.

Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.

Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.

These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which align with the provisions in clause 49.

Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.

A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.

Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.

I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.

That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.

Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.

The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.

Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Although I will not rule a particular provider in or out of scope, if the provider in question met the threshold for RDSP coverage, it would be covered, but the locus of that coverage would be limited to the provider rather than to the end-customer entity. I hope that clarifies that sufficiently.

Let me explain how clause 8 was designed to tackle the risks that Committee members have set out. The clause updates the existing duties for RDSPs in the NIS regulations to ensure that they remain resilient against evolving cyber-threats. It clarifies the requirement for those services, making it clearer that they must secure themselves not just to keep the services they provide running and available but to contribute to wider systems security as a whole.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I appreciate the hon. Gentleman’s question, and I have two comments to make on that front. First, the relevant digital service provider will have a range of different customers, and my expectation would be that the regulators and the NCSC would seek a deep understanding of the risk exposure across the full breadth of that portfolio, rather than for each particular customer. Of course, that would form part of some analysis.

Secondly—the shadow Minister asked a related question —I am happy to write about the interaction between prompt notification responsibilities and commercial confidentiality duties, on the basis of the engagement we have conducted so far. Especially when questions of major risk exposure are concerned, I would hope there are provisions that allow the relevant digital service provider to notify the NCSC, but I am happy to write to the hon. Member for Spelthorne and the shadow Minister to clarify that point.

Clause 8 also removes a reference to the RDSP’s own network and information system to clarify that the duty is intended to cover all network and information systems that the relevant digital service relies on.

The cyber-risk landscape is diffuse and multifaceted. Hostile actors can use a range of routes and techniques to attempt to take services offline, as well as to extort, steal and surveil. These changes to the NIS regulations support a holistic approach to tackling cyber-risk. They ensure that important dependencies are covered and that facets of security such as the confidentiality of data and integrity of systems are not set aside.

The clause also requires RDSPs to have regard to any relevant guidance issued by the Information Commission when carrying out its duties. Finally, it removes a requirement for relevant digital service providers to consider specific duties referenced in EU regulations. I urge the Committee to support the clause unamended.

Question put, That the amendment be made.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.

Clause 11 defines what it means for a digital or managed service provider to be

“subject to public authority oversight”

under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.

In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.

The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and instant reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.

However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?

I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.

It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?

The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.

One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for the “get out of jail free” card that he gave me at the end of his question; indeed, I pass that question on to the Minister. The point is well made in terms of trying to dissect the interacting and relevant duties in the Bill. The Bill tries to chop up different actors in the digital ecosystem, as well as public an non-public organisations, although a commercial threshold is being used. The Bill also introduces confusion: it rightly tries to make a carve-out for Crown data centres, but what exactly is a Crown data centre? One could argue that a Crown service is something provided by the state. Is a data centre serving a hospital therefore a Crown data centre?

There are so many different components within the Bill. Not only are there 14 regulators, or however many are operating—earlier this week, Amazon told us in evidence that it is regulated by four regulators—there is also confidential information going through, as my hon. Friend the Member for Spelthorne pointed out. It gets even worse in the clause on critical supply networks. It is just incredibly confusing. The Committee—and, dare I say, the Government—should not ignore the evidence we have received from managed service providers time and again saying that although MSPs should be in scope and these regulations help, we need clarity on what exactly that means.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.

Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.

Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.

We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am happy to proceed and to focus on Crown ownership of data centre provision to others. For those reasons, I continue to commend clauses 9 to 11 to the Committee.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I simply point out to the hon. Member that the pricing for law varies materially. I hope that, with the benefit of technology, it continues to be very accessible to all relevant providers.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

Having closed the debate, I am happy to conclude.

Question put and agreed to.

Clause 9 accordingly ordered to stand part of the Bill.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.

Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.

The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.

As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.

There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.

UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.

My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small— I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.

The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.

The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.

To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.

Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.

I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.

Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.

If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.

Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.

It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.

The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.

The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.

In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.

I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.

On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.

The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.

Freddie van Mierlo

- Hansard -

Copy Link

- - Excerpts

Q I have two questions: one to Jill and one to Dr Mehta. First, what is your view, Jill, on the relative strength of this legislation, compared to what is coming forward in the EU? Do you think that the fact that we are not following the EU will make it harder for your members to interact and trade with individuals and companies in Europe?

Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?

Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.

Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.

There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.

Alison Griffiths

- Hansard -

Copy Link

- - Excerpts

I am so sorry. Could you possibly speak into the microphone? I cannot hear you.

Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.

Andrew Cooper (Mid Cheshire) (Lab)

- Hansard -

Copy Link

- - Excerpts

Q I have a question for Jill Broom. You were talking about the incident reporting requirements. Do you think the legislation strikes the right balance to encourage organisations to come forward when they have been attacked, so that the sector can learn from that and vulnerabilities can be patched out in other areas, or is it so stringent that organisations will be concerned about facing penalties if they are fully transparent?

Jill Broom: I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.

Emily Darlington (Milton Keynes Central) (Lab)

- Hansard -

Copy Link

- - Excerpts

Q I have a question for Ian Hulme. In your role at the ICO, you are clearly looking at data security. Data is obviously one of the main goals of cyber-attacks. Data issues cut across every sector, and you are looking at a really broad sector of data, from individual identifiers to names, addresses, bank accounts or whatever it might be. This could happen in any sector. How does the Bill give you additional powers to take action, particularly on those co-ordinated through AI or foreign actors, and do you think it is sufficient for what you feel we will be facing in the next five years?

Ian Hulme: We need to think about this as essentially two different regimes. The requirements under data protection legislation to report a data breach are well established, and we have teams, systems and processes that manage all that. There are some notable cases that have been in the public domain in recent months where we have levied fines against organisations for data breaches.

The first thing to realise is that we are still talking about only quite a small sub-sector—digital service providers, including cloud computing service providers, online marketplaces, search engines and, when they are eventually brought into scope, MSPs. A lot of MSPs will provide services for a lot of data controllers so, as I explained, if you have the resilience and security of information networks, that should help to make data more secure in the future.

The Chair

- Hansard -

Copy Link

We have only five minutes left for this session, so if we can have concise questions and answers we might get everyone in.

Dr Gardner

- Hansard -

Copy Link

- - Excerpts

Q I am interested in who you report to should you identify a cyber-incident. I am talking about not just data breaches but wider ones that can affect operational systems. Which regulators do you deal with? If it is multiple regulators, do you feel there is a case for having one distinct regulator to cover cyber-resilience and manage that quite difficult landscape?

Brian Miller: That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.

Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?

Stewart Whyte: We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.

From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Q Your evidence is really helpful. To help with my understanding, if you look across all the suppliers in your service, are there any that you would not consider to be critical, such that if you clicked your fingers now and one of them disappeared, it would not have a material impact on your ability to maintain patient safety and deliver healthcare? Irrespective of the debate about size, what suppliers do you not determine to be critical?

Stewart Whyte: For me, it would be a slightly different assessment from Brian’s. We would be looking at anything where there is no processing of personal data. For me, that would not be a critical supplier from a data protection perspective. But there might be some other integration with NHS board systems that Brian might have concerns about. There is a crossover in terms of what we do, but my role is to look at how we manage data within the NHS. If there are suppliers where there is no involvement with identifiable data of either staff or patients, I would not see them as a critical supplier under this piece of legislation.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Q Do you have integration with your local primary care IT systems? For example, GPs have the old EMIS system and so on; is that integrated into your network? From your perspective, would that be a critical supplier that would need to be regulated?

Stewart Whyte: Yes. There is a lot of information sharing between acute services and primary care via integrated systems. We send discharge letters and information directly to GP practices that then goes straight into the patient record with the GP. There is a lot of integration there, yes.

Dr Gardner

- Hansard -

Copy Link

- - Excerpts

Q Very quickly—I apologise if I am taking too much time—accountability is slightly different from liability. In the case of a cyber-breach that has caused harm, where would you see the liability lying?

Chris Parker: That is a harder question. There is precedent here—of course, we can think back to the precedents that this great building has set on allowing things such as, post-Clapham train disaster, the Corporate Manslaughter and Corporate Homicide Act 2007 putting it very firmly on boards, evolving from the Health and Safety at Work etc. Act 1974. We are not there yet, but do not forget that we are starting to legislate, as is everyone else in Europe and America who are on this journey.

I believe that we will see a requirement at some point in the future. We all hope that the requirement is not driven by something terrible, but is driven by sensible, wise methodology through which we can find out how we can ensure that people are liable and accept their liability. We have seen statements stood up on health and safety from CEOs at every office in this country, for good reason, and that sort of evolution may well be the next phase.

Carla and I talk about this a lot, but we have to be careful about how much we put into this Bill. We have to get the important bit about critical national infrastructure under way, and then we can address it all collaboratively at the next stage to deal with very important issues such as that.

Andrew Cooper (Mid Cheshire) (Lab)

- Hansard -

Copy Link

- - Excerpts

Q Carla, I want to come back on the potential for unnecessary over-reporting of incidents. I cannot speak for the Minister, but I am sure it is not his intention that every phishing email is reported. I was listening carefully to what you said about your proposed tiered approach, and I can imagine, say, a situation where you are United Utilities and you intercept somebody trying to put a pre-emptive virus on to one of your industrial control systems. There has been no impact on customers or your infrastructure, because you have caught it. However, I would argue that it is quite important that United Utilities share that information with the regulator and that that information is disseminated to Severn Trent, Thames Water and whoever else needs to know, so they can patch their systems, look out for the virus or find out whether they have been infected already.

I can imagine that the legislation has been worded as it is to try to capture that situation where activity might occur, but not have an impact. Would you accept that that is important, and how would that fit in with the tiered approach that you described?

Carla Baker: I completely get your point. We have looked at that; my legal colleagues have looked at things such as spyware, where you have malware in the system that is not doing anything but is living there, for example, or pre-emptive, where they are waiting to launch an attack, and we think this amendment would still cover those scenarios. It is not necessarily cause and impact: the lights have not gone out, but if there is, for example, a nation state actor in your network, we think the amendment would still cover that.

Tim Roca

- Hansard -

Copy Link

- - Excerpts

Q The Committee heard this morning about the public sector’s level of technical debt. This Bill is important in terms of safeguarding essential services, but we heard that an important factor—notwithstanding this Bill—is tackling the enormous number of legacy systems. How do you see us running the two in parallel?

Kanishka Narayan: That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.

The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.

Andrew Cooper

- Hansard -

Copy Link

- - Excerpts

Q We have heard evidence today about the appropriateness of individual sectoral regulators being responsible for this, versus a single regulator. Perhaps unsurprisingly, the sectoral regulators were in favour of a sectoral approach, and we heard differing views from other people. The hon. Member for Bromsgrove already covered the point about whether there are sufficient skills available to staff up all the sectoral regulators to the appropriate level to adequately cover this function.

We have heard quite a bit about how important it will be, if taking a sectoral approach, to make sure that sharing information between regulators works smoothly, and that there are no information silos. The witness from Ofcom talked about an annual report to the National Cyber Security Centre. That sent chills down my spine, though I am sure she did not mean it quite in that way. How will you ensure that there is an adequate flow of information between regulators in a timely manner? They might not realise that there is cross-sectoral relevance, but when that information is provided to another regulator, it might turn out that there is. How do you address the importance of a single point of reporting that we heard about time and again from witnesses today?

Kanishka Narayan: Those are really important points. In terms of supporting the quality, frequency and depth of information sharing, first, the Bill provides the legal possibility of doing that in a deeper way. It gives the permission and the ability to do that across regulators.

Secondly, in the light of the implicit expectation of that information sharing, the National Cyber Security Centre already brings together all the relevant regulators for deeper conversation and engagement on areas of overlap, best practice sharing, and particularly the sharing of information related to incidents and wider risk as a result. I hope that will continue to be systematic.

On the question of a single reporting avenue, the National Cyber Security Centre, from an incident and operational point of view, is clearly the primary and appropriate location during the implementation of the Bill. From my conversations with the centre and its conversations with the regulators, I know there has been engagement to ensure that it remains a prompt venue for regulators to feed in their information.

Dame Chi Onwurah

- Hansard -

Copy Link

- - Excerpts

Let me thank the hon. Member for that intervention, which pre-empts something I will say in a few minutes. She is absolutely right: Northern Ireland already plays an important role in the life sciences sector and life sciences manufacturing, and it will have an important role to play in the future.

It is an incredibly exciting time to be involved in life sciences. I often think that if I were a young engineer now—I studied electrical engineering—I would be fascinated by the life sciences and, in particular, synthetic biology, which offers so many potential opportunities for growth and wellbeing. It is an enabling technology across so many different sectors.

In Newcastle, including in my constituency of Newcastle upon Tyne Central and West, the life sciences contribute £1.7 billion and employ over 8,000 people across more than 200 companies. We are home to the National Innovation Centre for Ageing, Newcastle Helix and The Biosphere. Our city is one star in a constellation of excellent life sciences clusters across the north of England.

I really welcome the ambition of the innovation manufacturing fund. I ask the Minister in his response for more clarity in three particular areas. First, in regard to the size of the fund, in the face of increased competition, and as the shadow Secretary of State described—this will be in less sensationalist terms—we are seeing some reduction in investment in the UK. Is £520 million enough to ensure that the UK is an attractive prospect for internationally mobile businesses? By contrast, a manufacturing plant such as Moderna’s recently opened vaccine centre in Oxfordshire might cost in the region of £150 million to £200 million. Is the fund the right size?

Secondly, the Select Committee recently held a one-off session on life sciences investment, which was of such interest that we have decided to hold another one-off session next week on the same subject. We heard evidence from the pharma sector, including significant support for the life sciences sector plan and for the Government’s approach, but I think it is fair to say that we were told that, although NHS pricing is not the only factor in investment decisions, it is a significant one. We heard evidence that the UK spends less proportionately on medicines than other comparable countries and that that reduces the pull-through for innovative medicines. It would clearly be a difficult decision to spend more on medicines, as that would mean spending less elsewhere in our NHS.

Does the Minister see the manufacturing fund as support in some way for investment decisions in the absence of progress on the NHS pricing discussions? Could he tell us whether the Secretary of State is involved in discussions between the Health Secretary and the pharma sector with regard to NHS pricing? I understand that discussions are ongoing, and I see the Under-Secretary of State for Health and Social Care, my hon. Friend the Member for Glasgow South West (Dr Ahmed), conferring with him. Perhaps he can confirm that those discussions are ongoing.

Dame Chi Onwurah

- Hansard -

Copy Link

- - Excerpts

I thank the hon. Member for that intervention. The Committee’s work is fascinating, so I certainly recommend he read the transcript. To summarise, we were looking specifically at the reasons for investment being pulled and, as I said, we asked the question in a number of different ways. The message that came back was significant support for the life sciences sector plan and the Government approach, but lack of certainty and clarity over NHS pricing and dismay about some aspects of NHS pricing and National Institute for Health and Care Excellence decisions. The hon. Gentleman is therefore right to point out that there was concern over the current and likely future pricing of innovative medicines, but that was not the only factor in those investment decisions. I ask the Minister to give us an update on those negotiations to the extent that he is able to do so, and to say whether this manufacturing fund is seen as potential compensation for investment in medicines and pricing as part of the NHS future plan.

Kanishka Narayan

- View Speech - Hansard -

Copy Link

- - Excerpts

I want to be in your good books, Madam Deputy Speaker, so I will proceed at pace in answering some of the questions raised.

I first thank the Members on the shadow Front Benches and in particular the hon. Member for Hornchurch and Upminster (Julia Lopez). I was sad that her generous welcome to me was not extended to this particular announcement. In particular, I was sad that she did not welcome the fact that out of their Tory fiscal wreckage we have managed to get £520 million for the British life sciences sector, that out of the economic damage they did to this country we have still managed to secure over £1 billion in investment from Moderna in the British life sciences sector, and that out of what we inherited from the Tory context we have managed to secure over £1 billion from BioNTech. Right across the board, there is a picture of stability, good jobs in the life sciences and broader technology sectors, optimism and, above all, an energy shared across Government, the private sector and academia.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I must proceed because, as I said, I need to be in Madam Deputy Speaker’s good books.

A particular concern has been raised about VPAG, another part of a longer-standing legacy from a Tory Chancellor’s austerity rampage for the life sciences sector in this country. The Government’s position is very clear: we will always put patients and taxpayers first. This Government are open to working collaboratively with the pharmaceutical industry, which is exactly why we have put forward a generous and unprecedented offer worth approximately £1 billion over three years as part of a review of VPAG, which ultimately industry did not take a vote on.

We remain confident in the life sciences as a driver of both economic growth and better health outcomes and our door remains open to future engagement. I know that regular conversations go on and while I will not update Members on the shadow Front Benches on every single meeting the Secretary of State takes, I can assure them that she is involved in both the particular conversations around VPAG and more general engagement with the life sciences sector.

I particularly thank my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), whose depth of experience in engineering prior to this House and extensive experience in this House, in particular through leadership of the Science and Technology Committee, is one that I take considerable inspiration from.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I will make some progress for now. My hon. Friend raised a particular point around synthetic biology, which is very close to my heart because I think that Britain has a particular opportunity in the convergence of engineering, AI and life sciences, and we are keen on seizing that to its fullest extent.

On the three particular questions from my hon. Friend the Member for Newcastle upon Tyne Central and West, foremost of which was about the size of the funding available, I will say a couple of things: first, that this is the largest fund of this nature announced in the history of the UK Government, to my understanding, with capital grants worth £520 million altogether; and secondly, that it is but one part of the overall funding package across Government if one considers the investments across Innovate UK, UKRI, the British Business Bank and beyond. I hope that some of the assurances around VPAG have answered the particular question posed there, and on regional impact, I point out that the first two grants from the scheme were made out to firms in Birmingham and Keele. I hope that is a starting indicator of my long-term hope; we will certainly monitor it.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I am afraid I will not; I believe I have been relatively generous in welcoming contributions from across the House. On the point of regional impact, in addition to the midlands, may I join the shadow Front Benchers in welcoming—they do so with laughter and amusement—the collective efforts of our entire Northern Irish contingent? I will take away the strong point about Northern Ireland’s strengths in the life sciences sector; it will be embedded on my mind.

I thank the hon. Member for South Cambridgeshire (Pippa Heylings) for South Cambridgeshire for talking about investments. The only thing I will say on some of the announcements is that they have to be taken in the context of the wider global context for those firms, MSD in particular.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

If the Member listens, he may feel that his point is addressed in my claims. In at least one of those cases, a pause, rather than a cancellation, was announced and in the other, there have been a series of announcements globally regarding thousands of jobs, not only in the UK but beyond. As I said, I hope that the two announcements I mentioned, by Moderna and BioNTech, will give us some assurance that the life sciences sector in the British context is firing on all cylinders with Government support.

Finally, I note with thanks the important point on national security and IP made by the hon. Member for Lagan Valley (Sorcha Eastwood). It is top of mind for me in ensuring that we are not just powering economic growth and not just jobs and good health for people across this country, but doing the first job of Government to protect our national security.

Question put and agreed to.

Resolved,

That this House authorises the Secretary of State to undertake payments, by way of financial assistance under section 8 of the Industrial Development Act 1982, in excess of £30 million to any successful applicant to the Life Sciences Innovative Manufacturing Fund, launched on 30 October 2024, up to a cumulative total of £520 million.

Chris Bryant

- View Speech - Hansard -

Copy Link

- - Excerpts

The right hon. Gentleman makes a good point. I have already had discussions on other matters relating to the creative industries with Members of the Executive in Northern Ireland, and I think I have another call next week, so I will of course make sure they are consulted. He makes a very good point about tourism. An awful lot of tourists who come to the UK want to see the places where some of their favourite movies and television series were made. That is one of the things that VisitBritain is capitalising on at the moment with its “Starring GREAT Britain” campaign.

Mr Speaker

- Hansard -

Copy Link

- - Excerpts

Another “Lawrence of Arabia” question.