Asked by: Iqbal Mohamed (Independent - Dewsbury and Batley)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what assessment he has made of the potential impact of the Government awarding contracts for software and related services to (a) Palantir and (b) any other overseas technology companies on national security.
Answered by Luke Pollard - Minister of State (Ministry of Defence)
The Ministry of Defence has policies and procedures to address the security risk from overseas suppliers, which consider both the nature of the procurement and the potential risks posed by the relevant state. These procedures are in addition to our usual cyber security and resilience controls on all suppliers.
We do not disclose details of security risk policy and procedures as they could be useful to a potential adversary.
Asked by: Neil Duncan-Jordan (Labour - Poole)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what safeguards have been considered in relation to Meta support for building AI systems for UK national security.
Answered by Luke Pollard - Minister of State (Ministry of Defence)
The Ministry of Defence (MOD) does not use services from Meta to build Artificial Intelligence (AI) systems for United Kingdom (UK) national security purposes.
Broader policy on the governance, assurance and oversight of the UK’s relationships with commercial AI developers, including any safeguarding expectations, sits with the Department for Science, Innovation and Technology (DSIT), which leads for Government on the regulation and safe development of AI technologies.
The MOD’s role is limited to ensuring that any AI technologies we adopt or develop follow our established Defence AI Strategy, our ethical principles for responsible AI in Defence as set out in our ‘Ambitious, Safe, Responsible’ policy document, and the security requirements set out in UK Government security classifications. These include robust technical; security and assurance measures appropriate to the sensitivity of MOD systems.
We continue to work closely with DSIT, the National Cyber Security Centre and other cross-Government partners to ensure any Defence use of AI is safe, secure and compliant with national policy.
Asked by: Max Wilkinson (Liberal Democrat - Cheltenham)
Question to the Home Office:
To ask the Secretary of State for the Home Department, if she will update the Computer Misuse Act 1990 to give greater protection to cyber security professionals.
Answered by Dan Jarvis - Minister of State (Cabinet Office)
The Government is conducting an ongoing review of the Computer Misuse Act.
As part of the review, we are reviewing how we can better support legitimate cybersecurity researchers so they can operate within a clear and supportive legal framework, while maintaining robust safeguards.
Asked by: Lord Taylor of Warwick (Non-affiliated - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what steps they are taking to ensure the safe, transparent and accountable use of AI in public services under the partnership with Google DeepMind, in particular with regard to (1) the proposed automated materials science laboratory, and (2) collaboration with the AI Security Institute.
Answered by Baroness Lloyd of Effra - Baroness in Waiting (HM Household) (Whip)
Google DeepMind will deepen its work with the UK AI Security Institute (AISI) through enhanced technical information exchange on frontier AI capabilities and their real-world impacts, including indicators of accelerating AI progress, and emerging security risks.
The partnership will advance joint research on AI safety, security and societal resilience, with Google DeepMind providing AISI with priority technical access to its frontier models. Google DeepMind will also collaborate with the UK government to explore AI-enhanced approaches to national cyber resilience, including initiatives to identify and remediate threats at scale.
The automated lab announced alongside the partnership is an independent Google DeepMind initiative and the UK Government is not involved in operation of the lab.
Asked by: Martin Wrigley (Liberal Democrat - Newton Abbot)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what criteria his Department uses to assess requirements to rebuild underlying data analytics architecture, undertake fresh security accreditation and retrain personnel.
Answered by Luke Pollard - Minister of State (Ministry of Defence)
The Ministry of Defence (MOD) keeps its data analytics infrastructure, security assurance processes and workforce skills under continual review. Decisions to rebuild underlying data analytics architecture are based on whether current systems remain aligned with Defence's enterprise data principles, architectural standards (Exploitable by Design), resilience requirements, and operational needs.
The MOD has replaced accreditation with Secure by Design in line with National Cyber Security Centre guidance on assuring systems and services. The MOD's Cyber Security Design Authority provides a reliable, curated source of standards and policies to enable secure design.
Personnel are retrained when new tools, platforms or security standards are introduced, or when capability reviews identify changing skills requirements across Defence's digital and data workforce.
These processes ensure Defence maintains secure, resilient, and modern data capabilities that can effectively support Defence outcomes.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment she has made of the potential impact of the Cyber Security and Resilience (Network and Information Systems) Bill on the cyber resilience of energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what estimate her Department has made of the number of cyber attacks on energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment her Department has made of the potential merits of creating a cyber incident database with compulsory fixes to be created for energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment her Department has made of the risk of cyber attacks on energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.
Asked by: Lee Anderson (Reform UK - Ashfield)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what recent assessment he has made about the readiness of the NHS to tackle co-ordinated cyber attacks.
Answered by Zubir Ahmed - Parliamentary Under-Secretary (Department of Health and Social Care)
In the past year, we have invested £37.6 million across health and social care, building on the £338 million invested since 2017. Through our ambitious Cyber Improvement Programme, we are tackling the changing cyber risk head-on, expanding protection and services to better protect the health and care system.
NHS England’s Cyber Operations team provides 24/7 monitoring and expert support to National Health Service organisations who have been impacted by cyber-attacks. This includes specialist, on the ground, certified incident response services free of charge to NHS organisations who have been severely impacted by cyber incidents as well as technical and operational support to contain, investigate, and remediate incidents. Furthermore, we have developed guidance for leaders involved in cyber incidents to ensure there is a clear policy and process for how to respond across all elements of incidents.
We have a process in place to identify lessons and implement improvements following cyber incidents. Following the Synnovis cyber-attack in 2024, the Department and NHS England have made improvements to critical communications processes, added additional measures to improve resilience in the supply chain, and have set out clearer roles and responsibilities in incident management.
In 2023, a Health and Care Cyber Security Strategy was launched. Pillar 5 of the strategy focuses on exemplary response and recovery, as set out in the strategy health and care organisations should run annual cyber exercises to ensure there is a well-practiced and rapid response when incidents do occur.