Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what assessment they have made of the adequacy of current statutory cyber and digital risk reporting requirements.

Reporting of cyber and digital risks and incidents is critical to the UK’s cyber resilience, supporting our ability to monitor, mitigate, and respond to threats to our economy and society. Reporting is also important in helping businesses and organisations adequately understand the broader threat and assess the risks to their own operations.

Statutory incident reporting requirements vary across sectors, depending on the applicable legislation. For example, organisations which process personal data for general purposes must comply with the breach reporting requirements in the UK GDPR. In the telecoms sector, the Telecommunications (Security) Act introduced a new telecoms security framework, and includes detailed requirements for public telecoms providers to identify and reduce the risks of security compromises, including cyber attacks.

Organisations which provide services that are critical for the provision of essential services (such as transport, energy, water, health, and digital infrastructure services) must comply with the Network and Information Systems (NIS) Regulations 2018. In November 2022 the government also announced its intention to strengthen the NIS Regulations, including requiring essential and digital services to report a wider range of cyber incidents to regulators.