Network and Information Systems (EU Exit) (Amendment) Regulations 2021 Debate

Department: Department for Digital, Culture, Media & Sport

Lord Bassam of Brighton Excerpts
Tuesday 30th November 2021

Grand Committee
The amendments are small, but nonetheless important to the functioning of our legislative framework. They ensure that the intended objective is achieved, that the policy is better implemented and that regulators have the tools to protect key digital services across our economy. As a result of these changes, the effectiveness of the network and information systems legislation to protect digital service providers will be retained. I commend these regulations to the Grand Committee.
Lord Bassam of Brighton (Lab)

My Lords—well, my Lord—the Minister will be pleased to know that I do not have a lot that I want to say. As I understand it, this SI makes a couple of small changes, as the Minister has said, to retained EU law regulating the security of network and information systems of core UK service providers to reflect the fact that we are no longer part of the pan-EU regulatory regime.

I have just one or two questions. Why, given that the transition period ended almost a year ago, are we debating these changes only at the end of November 2021? While this may not have been day-one critical, one would have hoped that these kinds of cybersecurity issues would have been a priority for the DCMS.

The Government are lowering the reporting thresholds when relevant cyber incidents occur in an attempt to ensure that the Information Commissioner is sighted on them. Can the Minister confirm whether DCMS knows of any incidents occurring earlier in the year that did not meet the current threshold that would have met the revised one had it been in place?

When we discussed amendments to EU-derived regulations for video-on-demand providers in the past, the department conceded that our departure from the EU meant that we had no formal jurisdiction over most of the main players, which were generally registered on the continent. Is there a similar situation with some of the digital service providers or is this not a concern currently?

The Explanatory Memorandum, which I found very clear and helpful, shows that most of the costs associated with the change will fall on the Information Commissioner’s Office. Our understanding is that the Information Commissioner is working well as a regulator, but of course with expanded responsibilities comes the need for greater resourcing. Is DCMS comfortable that the commissioner has enough staff and wider resource to complete these duties?

I turn to my final point. Is alignment with EU practices an issue at all, and do we have a continuing relationship with the EU regulator and regulation? Do we have to work within a commonly accepted framework, even though we are now outside the EU and obviously have to have our own system for regulation, appropriate to the size of our market?

Lord Parkinson of Whitley Bay (Con)

My Lords, I am grateful to the noble Lord for his questions and helpful comments on the impact assessment. He asked why we are doing this now and not sooner. The issue that I outlined at the beginning was not identified as a deficiency until last year, when the Information Commissioner raised concerns over incident thresholds with DCMS—that is why we have brought forward the statutory instrument at her recommendation and in consultation with the ICO.

The noble Lord asked about the ICO’s resources. We are confident that it has the resources, but we will maintain close dialogue with her to keep that under review. We have a continuing relationship with the EU. The matters here obviously cross international boundaries and, despite leaving the European Union, we continue to work with our European neighbours and other international partners on issues such as this. But obviously we have no obligation to implement the new directive that the EU is bringing forward. We are monitoring developments in the EU to assess any impacts that those changes might have.

I am afraid I missed the noble Lord’s second question, but the note I have been handed reminds me that it was on digital service providers. There is now a requirement for non-UK digital service providers to register with the Information Commissioner. As I say, there will be a divergence from EU regulations, but we will continue to follow a similar approach. I hope that answers the questions that he outlined and, on that basis, I commend the regulations to the Committee.