Draft Network and Information Systems (EU Exit) (Amendment) Regulations 2021

(Limited Text - Ministerial Extracts only)

Monday 13th December 2021


General Committees
The Minister for Media, Data and Digital Infrastructure (Julia Lopez)

I beg to move,

That the Committee has considered the draft Network and Information Systems (EU Exit) (Amendment) Regulations 2021.

The regulations were laid in draft before the House on 26 October. This short but very important statutory instrument makes technical corrections to the UK’s network and information systems legislation, which arose as a result of the UK leaving the EU. These corrections will allow the Information Commissioner, in her role as the regulator for digital services providers, to be informed of important cyber incidents affecting online marketplaces, online search engines and cloud computing services in our country.

Before moving on to the amendment at hand, it is important that we first consider the context that we find ourselves in. The NIS regulations were introduced in the UK in 2018, implementing the EU’s 2016 directive on security of network and information systems. The regulations provide a legal framework to protect the network and information systems of essential and digital services. They do this by directing operators of essential services and digital service providers to take steps to protect—against cyber-attack and physical fault—the security of those systems that their services rely on.

Beyond ensuring the security of their network and information systems, these organisations have other duties as well. One of the most significant, and the most relevant for this statutory instrument, is the duty to report to their regulator incidents that have a substantial impact on their services. Such reports are critical to the regulator’s ability to react and to implement the NIS legislation. The regulator can then provide advice, report the incident to the national technical authority—in this case the National Cyber Security Centre—or take enforcement action if appropriate.

Michael Fabricant (Lichfield) (Con)

Does my hon. Friend think that these changes not only fill a gap from our leaving the EU but create an environment whereby we can perform better than if we had remained in the EU?

Julia Lopez

I would like to provide my hon. Friend with a very positive story about Brexit through these regulations, but this is quite a technical and narrow change. When it comes to his ambitions, we have a much more ambitious agenda in the coming year or so.

Without the information required, the regulator is not aware of the incident, and citizens and businesses relying on that service are affected for longer. The threshold for what qualifies as a reportable incident for the majority of the six sectors is set in statutory guidance by the relevant regulators. Only one sector—digital service providers, which are regulated by the Information Commissioner—has its set in legislation. All other regulators are able to react to the changing circumstances and amend the thresholds as necessary.

The Information Commissioner is limited by that retained EU law. That is due to how the NIS directive was established. In the EU, digital service providers are regulated at Union level, rather than at individual country level. For that reason, the thresholds that establish whether an incident has had a substantial impact on the security of a network and information system were not left to individual member states to establish, as is the case with all other sectors. These were set out in a Commission implementing regulation, which harmonised the rules across the whole EU. Following our withdrawal, it remained embedded in the UK statute book by virtue of the European Union (Withdrawal) Act 2018. Therefore, the thresholds remain at the level suitable for the EU, which has a population of 500 million, not for the just under 70 million of our own population. That means that they are unable to be changed to reflect our new position as an independent country outside the EU.

Parameters such as the amount of users impacted or user hours lost from an incident are set far too high currently for the UK, and considerations relating to impacts on EU citizens are not appropriate for our own NIS legislation. The Information Commissioner has received only one report since we left the EU. That is not surprising if an incident must have a noticeable impact on an economy the size of the EU in order to be reported in the UK. Without incident reporting, the commissioner will not have an understanding of the threats to and impacts on the sector, and will not be able to identify threats, provide guidance or take enforcement action if appropriate. For the NIS regulations to remain effective in protecting the essential services provided, we have to be able to set the reporting thresholds at a suitable level for our own country. This statutory instrument is designed to resolve that issue by removing those deficient provisions in retained EU law and allowing the Information Commissioner to set the thresholds to a level that effectively reflects our position and size.

The enabling provisions under section 8 of the 2018 Act allow changes to be made to rectify EU exit-related deficiencies only. I am content that the amendments made in this statutory instrument do not introduce new policy, although we have ambitions in that regard; rather, they are meant to ensure that the original policy objective is achieved. The Information Commissioner has already carried out a consultation on the level of thresholds to be set to represent the UK market, and the practice of setting appropriate thresholds for reporting is already in place for every other competent authority. This statutory instrument will bring digital service providers in line with all other operators of essential services in the UK.

Additional amendments in the statutory instrument cover textual changes as a consequence of the UK’s withdrawal from the EU. This includes a requirement for digital services providers to consider the geographic impact of an incident in relation to the UK rather than across the UK. The NIS regulations form part of the Government’s toolkit to protect digital services, which citizens rely on in their day-to-day lives, and help to support the functioning of the digital and physical economies. That is why it is essential that we maintain the framework for protecting our essential services and deter those who seek to act in a subversive manner towards them. For those who do unfortunately fall victim, it is necessary to provide support in guidance. To do this, competent authorities have to be informed of such incidents.

This statutory instrument incorporates much-needed amendments to the NIS legislative framework, which will lead to increased security of digital service providers and their network and information systems. Although the amendments are minor and technical in nature, they are none the less critical for maintaining the effectiveness of the NIS legislation and for providing the Information Commissioner with the right information to support digital services in the UK. I commend the regulations to the Committee.

--- Later in debate ---
Julia Lopez

I thank members of the Committee for attending and for their patience in debating the regulations. I also welcome the hon. Member for Ogmore to his position. I am very glad that he supports the regulations, and I very much appreciate the warm welcome he gave me. I look forward to working with him collaboratively where we can and to addressing his concerns when he raises them.

I assure the hon. Gentleman on our general approach to cyber-security. We entirely understand how important this area is. To that end, this week we are launching a new national cyber strategy, which is a whole-of-Government approach but also a whole-of-society approach. Huge efforts are going to be required by each of us as citizens; otherwise, any vulnerability in the system will have an impact on all of us. As we have seen during the pandemic, more aspects of our lives have gone online, and with that comes a consequent risk.

I completely agree with the hon. Gentleman on the importance of joint reporting and collaboration. We held the future tech forum at the Science Museum a couple of weeks ago, and we started some of those discussions with ministerial counterparts in EU countries. There was an EU representative present and I look forward to working collaboratively with them.

My hon. Friend the Member for Lichfield was absolutely right to refer to the importance of the relationship with Israel. I met the ambassador when I was at the Cabinet Office and we talked about where we can collaborate more closely when it comes to cyber-technology, because it is such an important area. It is the area of the future, where I fear we will be fighting many of tomorrow’s battles.

We have been assured that the ICO has the resources to deal with the extra reporting. I also say to the hon. Member for Ogmore that we will consult on NIS regulations early in the new year. We will also be looking at expanding the list of people that this applies to. I entirely agree with him about the importance of dealing with small businesses, which are going to be holding increasing amounts of risk. We are doing a huge number of things in that regard, including improving the skills base from which they can recruit cyber expertise and introducing a new royal charter so that people can be assured of the cyber expertise that individuals hold. At the moment, that is a very messy landscape. I hope that that assures the hon. Gentleman on some of the initiatives that we are working on. If he has any further questions, I shall be happy to engage with him. I commend the regulations to the Committee.

Question put and agreed to.