Finance (No. 2) Bill (Fifth sitting)
Tuesday 3rd February 2026
(1 day, 12 hours ago)
Public Bill CommitteesFinance (No. 2) Bill 2024-26 View all Finance (No. 2) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
The Chair
Good morning, ladies and gentlemen. Before we continue our line-by-line scrutiny, let me remind the Committee of the usual housekeeping arrangements. Please switch all electronic devices to silent mode. No food or drinks, except the water provided, are permitted during sittings of the Committee. Hansard will be grateful if Members can give their speaking notes to the Hansard colleague in the room or send them by email. Please do bob; the Chairs do not have second sight, so it helps to know who wants to speak.
The selection list for today’s sitting is available in the room and on the parliamentary website; it shows how the clauses, schedules and selected amendments have been grouped for debate. I hope that by now you are beginning to get used to the process by which that is done, but, as always, if you have any questions please do not hesitate to ask them.
Clause 112
Excise duty: charge
Question proposed, That the clause stand part of the Bill.
The Economic Secretary to the Treasury (Lucy Rigby)
It is good to be back, Sir Roger.
The vaping products duty is a new excise duty on vaping products manufactured or imported into the UK from 1 October 2026. The changes made by clause 112 will create a new charge to excise duty and set out the rate, which is £2.20 per 10 ml, rounded down to the nearest penny. The changes made by clauses 113 and 114 will define a vaping product and what constitutes production for the purposes of the vaping products duty. The changes made by clause 115 make clear the powers under which regulations on the vaping products duty will be made, in anticipation of its entry into force on 1 October 2026. Finally, the changes made by clause 116 will allow HM Revenue and Customs to manage and collect the vaping products duty and provide administrative powers around the storage of vaping products before duty has been paid, as well as penalties.
Together, clauses 112 to 116 will establish a coherent and enforceable framework for the vaping products duty and will ensure that vaping products are taxed appropriately. I commend them to the Committee.
James Wild (North West Norfolk) (Con)
Good morning, Sir Roger and members of the Committee. As the Minister says, clauses 112 to 116 will introduce the UK’s excise duty on vaping products and set out the legal and administrative framework for its operation.
Clause 112 will establish the new vaping products duty, setting a flat rate of £2.20 per 10 ml, rounded down to the nearest penny. Clause 113 sets out what counts as a vaping product; the definition is drawn deliberately widely to encompass any liquid that contains nicotine and the solvents used with it, and even liquids without nicotine if they are intended for vaporisation. That means that the apparently popular zero-nicotine shortfills used by smokers who are trying to quit or taper down will be taxed, too. I am advised that shortfills will be the hardest hit by the new duty; Vape 360 reports a 203% price increase. That raises an interesting public health question about the rationale for taxing zero-nicotine liquids in the same way as addictive nicotine-containing liquids. I am interested to hear the Minister’s response to the concern that by adopting this taxation approach we might be discouraging people from switching to less harmful or nicotine-free alternatives.
Clause 114 defines when a product is regarded as produced for duty purposes, not just when liquids are mixed but when they are packaged, labelled or marketed as suitable for vapes. Clause 115 leaves it to future regulations to set out when duty becomes payable and who is liable. Clause 116, the final clause in this group, gives HMRC new powers to control vaping products before duty has been paid. The Opposition will not oppose the clauses, but we do want to probe the Government’s thinking.
Vaping has become increasingly common across the UK. According to the Government’s own tax information and impact note, approximately 5 million people in the UK vape. For the first time, according to the Office for National Statistics, more over-16s in Great Britain are using vapes or e-cigarettes than are smoking cigarettes: 5.4 million adults vape, compared with 4.9 million who still smoke.
The duty was first announced by the then Conservative Government in the spring Budget of March 2024. Alongside the announcement, a consultation was launched on how the duty should work in practice. The Government have since opted for a flat-rate duty rather than the three-tiered structure originally proposed, which would have varied the rate according to nicotine strength. Having read the responses to the consultation, I know that that decision clearly reflects the bulk of the evidence provided and will create a system that is simpler to administer. As the Exchequer Secretary might say, that is evidence of consultation working and the Government listening, which we are becoming very used to.
The tax will raise significant amounts: £400 million in 2027-28 and £465 million in 2028-29, with revenue then increasing further. When introducing a new tax, implementation matters. The Government’s own impact note shows that HMRC expects to spend £140 million just to deliver this measure, of which £20 million will be spent on IT systems, while the other £120 million will be for staffing and compliance costs. I will be grateful if the Minister can clarify whether the headline figure includes the £32 million contract that HMRC is currently advertising to deliver the vaping duty supply contract for five years.
As Border Force will also receive up to £10 million to prepare, delivering the new duty will cost about £150 million, all in. That is a pretty significant sum, so we need to be sure that it will provide proper value for money. Can the Minister give a little more clarity and break down the costs, particularly the £120 million on staffing and compliance? How many people will that involve bringing into HMRC? What exactly will they be doing? Why is the figure seemingly so high in comparison with the take?
Some consultation respondents have questioned whether the new duty will actually shift behaviour. If producers simply absorb the cost, as tobacco firms once did, prices may barely change, which will undermine the public health rationale behind the policy. What consideration has the Minister given to that point? Will the duty rate remain under review if outcomes fall short of the expected impact?
We can also look at the experiences of other countries such as Italy, where vape sales reportedly fell by 70% when a similar duty was introduced—not because consumers quit, but because purchases moved to the black market or unregulated online sellers. That takes us back to one of this Committee’s themes, which is about how raising taxes to a certain level drives people into the black market, and about where the sweet spot is for raising revenue without driving illegal behaviour. We will come on to the enforcement powers in some detail shortly, so I will not get into them now.
This measure will play a useful role in regulating a growing sector, but the Government need to strike a balance between discouraging youth vaping, supporting smokers to quit and maintaining a workable, enforceable tax regime that does not cost the taxpayer a lot of money. I hope that the Minister will respond to the points that I have raised, and particularly the point about zero-nicotine vapes being treated in the same way as nicotine vapes.
Lucy Rigby
It is good to hear that the shadow Exchequer Secretary will not oppose the clauses. He is right about the policy impetus behind what we are doing. For the first time in the UK, more people vape than smoke. The chief medical officer has been clear that vaping is not risk-free, and those who do not smoke should not vape.
Martin Wrigley (Newton Abbot) (LD)
Vaping is a difficult issue, particularly when it comes to recycling. I understand that vape shops are expected to take them back, but local authorities have real problems with the disposal of used vape canister things—I do not know what they are called—with batteries in them. Will the Minister consider helping local authorities with vape recycling, and providing funds to give them more facilities and a way to dispose of them?
Lucy Rigby
I am grateful for the hon. Member’s intervention, which I will come to in a second.
On the shadow Exchequer Secretary’s central point about the definition of vaping and the inclusion of nicotine-free liquids, the definition is deliberately broad to reflect how the market operates and to support what we hope will be effective enforcement. Most liquids used in vapes contain nicotine and either glycerine or glycol. The clause therefore focuses on those ingredients and on whether the liquid is intended to be vaped. Bringing into scope liquids that need to be mixed before use closes a potential loophole in a manner that I am sure we all want, because products could otherwise be sold in separate components to avoid their duty. Nicotine-free liquids are included because it would be easy to misdescribe or mislabel liquids and, in doing so, evade the duty.
The approach that we are taking will give Border Force and HMRC clear rules to work with, enabling quick decisions at the border. That is in line with how other excise regimes define products to minimise avoidance.
As to the cost of implementation, the cost of the duty stamps contract was considered in the shadow Exchequer Secretary’s beloved TIINs, but the industry will pay for it through the stamps.
Finally, the hon. Member for Newton Abbot raised a fair point about recycling. We are considering the impact of recycling and existing Government contracts, so this will be considered in the round.
Question put and agreed to.
Clause 112 accordingly ordered to stand part of the Bill.
Clauses 113 to 116 ordered to stand part of the Bill.
Clause 117
Stamping of vaping products
Question put, That the clause stand part of the Bill.
Lucy Rigby
As I stated in our debate on the previous group, the vaping products duty is a new excise duty on vaping products manufactured or imported into the UK from 1 October 2026. Clause 117 is important in setting out what a duty stamp is for the purposes of the vaping products duty and the conditions under which a vaping product is considered sufficiently stamped and compliant with the vaping duty stamps scheme.
The changes made by clause 118 will allow HMRC commissioners to appoint an approved supplier to produce and distribute vaping duty stamps. In addition, the clause allows a fee to be charged for the duty stamp, separately from the liability of vaping products duty, and explains that that charge may not be offset against duty liability.
The changes introduced by clause 119 will establish a formal approval requirement for UK businesses to purchase duty stamps under the vaping duty stamps scheme, which will allow HMRC commissioners to maintain control over the scheme and ensure compliance.
Clause 120 will ensure that overseas vaping manufacturers have a representative in the UK who is legally and financially responsible for their compliance with the vaping duty stamps scheme, to ensure robust oversight. We are safeguarding compliance by requiring overseas manufacturers to operate within the framework of UK law, strengthening control and accountability across the supply chain. There will be impacts on all overseas importers and manufacturers of vaping products, who will be required to appoint a UK representative in the manner that I have described.
Together, the clauses will ensure that the vaping products duty is robustly enforced through a secure duty stamps regime and that all manufacturers, whether they are based in the UK or overseas, are subject to clear accountability. I commend clauses 117 to 120 to the Committee.
James Wild
Clauses 117 to 120 will introduce the new vaping duty stamp scheme. The Opposition welcome the Government’s decision to move forward with a duty stamps regime for vaping products: it is, after all, a measure that can help our enforcement agencies and responsible businesses alike to distinguish legitimate duty-paid products from those that are illegitimate and being traded illicitly and illegally. We know that there is a substantial illicit market for vapes across the country; without a credible system of verification and traceability, it will continue to undercut legitimate producers, harm public health and cost the Exchequer millions of pounds in lost revenue, so we need to address it.
Clause 117 will establish the legal framework for the duty stamps system. It defines when a vaping product is considered to be stamped, and it sets out that the duty stamp, whether affixed to the product or to its retail packaging, must comply with regulations made under the Bill. Importantly, the clause will enable each stamp to be digitally linked to the product that it marks, and will allow HMRC to collect specified information about those goods, marrying the physical and digital trails of compliance. That is a positive step, and I am pleased that the Government have adopted at least some of the approach for which the Opposition argued during the passage of last year’s Finance Bill when we considered the introduction of the duty stamp regime.
In essence, these measures will bring to the vaping market a track and trace model that is similar to what already exists in the alcohol and tobacco sectors. Clearly, when used properly, such tools can be an effective enforcement system. They allow officers, retailers and consumers alike to verify legitimacy at a glance, building confidence in compliant businesses and exposing those who seek to cheat the system and the taxpayer.
We should be clear, however, about the scale of the challenge that could be created for smaller manufacturers and importers. In implementing this approach, we should ensure that the practical burden of stamping, activating, tracking and reporting, alongside new IT infrastructure, is proportionate for the many businesses that may not previously have had to operate at such a level of compliance. We cannot allow a regime that is intended to fight the black market to end up driving responsible producers to consider joining it.
Clause 118 will give HMRC the authority to issue and manage the duty stamps and to charge administrative fees. It also allows a third-party issuer to be appointed, as I referred to in my comments on the previous group of clauses. I hope that the Minister can confirm how those fees will be set. Will HMRC consult on the level of those fees? What safeguards will exist to ensure that the fees are proportionate and transparent so that businesses do not find themselves paying unpredictable charges that bear little relation to the cost of the compliance regime?
Clause 119 will establish who can hold and use duty stamps: only approved stamp holders may do so, and they must operate from a fixed location within the United Kingdom. That makes sense in principle—it limits the opportunity for diversion or counterfeiting—but the practical implementation will matter greatly. Subsection (5) grants HMRC wide powers to restrict transfers, to define what counts as a fixed place and to cap the number of stamps issued to a business. If the system becomes too bureaucratic or opaque, small UK producers could find themselves struggling in the market while larger incumbents consolidate their position.
The Minister referred to the logic behind clause 120 and the concept of a UK representative for overseas businesses that lack a domestic base. Clearly, there needs to be someone within UK jurisdiction who can be held responsible for compliance and any penalties that may be applied.
Mr Joshua Reynolds (Maidenhead) (LD)
It is a pleasure to serve under your chairship, Sir Roger. I welcome the Economic Secretary to the Treasury back from her visit to China, which I am sure was slightly more exciting than the Thursday we had in Committee in her absence—although obviously we will never be short on excitement.
Duty stamps are proven anti-illicit trading measures. Digital tracking can enable supply chain monitoring, support enforcement and ensure that black market products are easier to identify, which makes it easier for trading standards officers and consumers to catch illegal products. However, as we have seen with duty stamps on spirits, there is significant counterfeiting within the market, so it would be interesting to hear what the Minister and the Government have learned from duty stamps on spirits that they have been able to apply to duty stamps on vaping products.
It is interesting to see, in clause 118, the potential cost that will be associated with these duty stamps. We have already debated the additional duty that would be applied to vapes and the closing of the gap between the price of vape liquid and the price of cigarettes in our discussion on previous clauses. How much further does the Minister think that gap will close?
Additionally, on duty stamps and being able to track sales from a specific product or potentially even from specific stores, many people in this House and among the wider public believe that quite a lot of vaping shops have links with money laundering scams. Does the Treasury have an understanding of how tracking could be used to compare the money going through on the duty stamps with the store data to see if any money laundering is going on? That may be able to help trading standards in future.
Lucy Rigby
I am grateful to the shadow Exchequer Secretary, the hon. Member for North West Norfolk, and the Liberal Democrat spokesperson, the hon. Member for Maidenhead, for their comments. I think we are all aiming for the same thing: a robust and tight enforcement of all the measures. On the shadow Exchequer Secretary’s point about moving towards a purely digital system, the reality is that that would be harder for consumers and for trading standards officers to use on shop floors, and consultation responses highlighted that it could impose greater burdens on small retailers than a visible stamp.
The scheme is designed to have a physical label with embedded digital features, and that two-factor design is central to the compliance strategy. A visible, secure stamp gives retailers, consumers and enforcement officers an immediate way to spot non-compliant products at a glance, without the need for specialist equipment. As I said, however, the digital element is very important; it is similar to a secure QR code, allowing stamps and products to be scanned and verified in real time. That two-factor design is central to the compliance strategy.
On the question of fees, they have been set to cover the cost of operating the scheme. The Government conducted a competitive tender process for the broader scheme. The shadow Exchequer Secretary is absolutely right that HMRC has promised clear guidance in this area, and that will be published in due course.
The Liberal Democrat spokesperson fairly raised a comparison with alcohol duty stamps. HMRC consulted the alcohol industry and enforcement authorities and determined that alcohol duty stamps now play a minimal role in tackling alcohol duty evasion and that more effective controls now exist. HMRC is introducing duty stamps alongside the vaping products duty because of the distinct and significant non-compliance risk associated with the vaping market; it is about the utilisation of modern technology and digitalisation to support the delivery of the vaping products duty. I hope I have explained to him that we have examined the alcohol duty comparison and do not see a direct read across.
The Liberal Democrat spokesperson also raised an important point about money laundering and anti-money laundering, which the Government take extremely seriously—in fact, we are reforming the supervisory function and compliance on AML.
Question put and agreed to.
Clause 117 accordingly ordered to stand part of the Bill.
Clauses 118 to 120 ordered to stand part of the Bill.
Clause 121
Forfeiture
Question proposed, That the clause stand part of the Bill.
Lucy Rigby
Anyone selling illicit vapes puts the public at risk and undermines legitimate businesses. One million illegal vapes were seized by trading standards in the last full year for which statistics are available, so we know that this is a significant enforcement challenge.
Clause 121 introduces enforcement powers to protect the integrity of the vaping duty stamps scheme. The changes made by clause 122 support robust compliance efforts under the vaping products duty and the stamps scheme, ensuring that only legitimate vaping products are supplied in the UK and penalising those who do not comply with the law. The changes made by clause 123 penalise those who lose stamps or attempt to use invalid stamps on illegitimate products to circumvent the rules. Clause 124 ensures that those who do not comply with the relevant regulations for the duty and stamps scheme are liable to penalties. Finally, clause 125 provides for the forfeiture of legitimate vaping products to complement the penalties imposed under the previous clauses. I commend the clauses to the Committee.
James Wild
I rise to speak to clauses 121 to 125, which set out the framework on forfeiture and civil penalties for the new vaping duty regime. As the Minister said, this is a very important part of the new regime, given the impact that illicit vapes could have.
Clause 121 establishes a general liability to forfeiture for three categories of non-compliant goods, namely: an unstamped vaping product that should bear a duty stamp, any invalid duty stamp along with the product that it is attached to, or any unused duty stamp not affixed or returned within 12 months of issue. In plain terms, it gives HMRC the power to seize non-compliant vaping products. An invalid stamp is defined broadly, and includes any stamp that has been altered, forged or voided by HMRC. Other forfeiture triggers are linked to the wider civil and criminal offences contained elsewhere in this part of the Bill, which I am sure we will come on to. These powers are designed to allow both HMRC and local enforcement bodies to remove illicit or suspect products and counterfeit stamps from circulation. That is clearly an important deterrent against the black market in vaping products.
Can the Minister assess the risk of the 12-month rule on unused stamps, and the broad definition of invalid stamps, inadvertently capturing legitimate business activity? For example, operators may over-order stamps as a contingency or make administrative errors. How will the Government ensure that, in those circumstances, genuine stock is not caught up and lost alongside contraband products? Once forfeited, what will happen to those goods? Will they simply be destroyed? It would be helpful to get clarification on that point. Crucially, what safeguards will ensure that forfeiture powers are used proportionately, and that any minor administrative mistakes by otherwise compliant firms do not result in legitimate products being seized and destroyed at the first opportunity?
Clause 122 introduces a civil penalty regime for those who sell, offer for sale or deal in unstamped vaping products packaged for retail sale. The penalties set out are banded according to scale and repeat behaviour, rising to a maximum of £10,000 for 500 or more units, with escalating amounts for repeated contraventions within a rolling two-year period. It provides a strong financial penalty and a disincentive for retailers and wholesalers to stock unstamped products, and it complements the criminal provisions that follow later in this part of the Bill.
Clause 123 creates penalties for approved stamp holders who lose stamps or fail to use, return or destroy them within 12 months of issue, unless they can demonstrate that they took all reasonable steps to prevent loss. In those circumstances, the penalty is set at five times the monetary value of duty per lost stamp, equating to £11 per stamp when the scheme goes live. That comes alongside the existing Finance Act 1994 penalties for altering or misusing stamps. The intention is clear: to encourage tight control of duty stamps, treating them almost as cash equivalents, and to discourage casual or insecure handling that might enable diversion or counterfeiting, which is welcome.
Clause 124 introduces a broad, catch-all civil penalty for failure to comply with the vaping products duty regime using section 9 of the Finance Act 1994 as its legal framework. That is intended to ensure that HMRC can act where non-compliance occurs, but no specific penalty is written into the legislation, reinforcing the need for accurate record keeping and full compliance with operational rules. I can see why a general power may be convenient for HMRC, but for smaller businesses it could increase the risk of innocent mistakes attracting financial penalties. How will HMRC ensure that this general power is used proportionately? Will education and guidance be issued to firms?
Mr Reynolds
I have few points to make about clause 122, which refers to a
“person who sells…unstamped vaping products”.
I would be grateful if the Minister could confirm whether that person is the shop owner, the shop manager or the shop worker who is physically behind the till on that day. Could an 18-year-old shop assistant be charged the £10,000 fine? The phrase “a person” needs a definition. If that person leaves the business in which they serve, will the fine stay with the individual, or will it be on the business? Could somebody get around this clause by closing down their limited company and opening a new one tomorrow, so the offence would then be their first?
Lucy Rigby
The comments of the shadow Exchequer Secretary, the hon. Member for North West Norfolk, refer to the deliberately tough nature of the enforcement regime; there is a real emphasis on deterrence, and there are penalties that apply. It includes the forfeiture powers, which are targeted at serious non-compliance. Where retailers are found selling unstamped products outside duty suspense or breaching key obligations under the scheme, HMRC and Border Force will have the power to seize associated vaping products, including legitimate duty-paid stock. As I said, that is part of a deliberately tough enforcement regime and is a strong deterrent aimed at those who choose to mix illegal products with legitimate ones on the same premises. I am sure we all understand that without such powers, rogue traders can treat penalties as simply a cost of doing business while continuing to profit from illicit trade, and I am sure we all want to avoid that.
The shadow Exchequer Secretary made a number of points about ensuring that the use of powers is proportionate. Given the judicial or criminal processes associated with the use of these powers, it is entirely fair to say that all the usual processes around charging, in a criminal sense or otherwise, will apply. Inherent within those processes are balance and fairness, including taking into account the rights of the accused.
It is good to mention the draft guidance, which will be shared with HMRC-run industry groups well ahead of the go-live date on 1 April, which I hope is sufficiently specific for the shadow Exchequer Secretary. He will be pleased to know—he may already know—that the interim guidance is already on gov.uk, if he is stuck for things to do this evening. I think I am right in saying that the points raised by the Liberal Democrat spokesperson, the hon. Member for Maidenhead, as to liability under these offences will be made explicitly clear in the guidance, such that there is no doubt in those circumstances.
Question put and agreed to.
Clause 121 accordingly ordered to stand part of the Bill.
Clauses 122 to 125 ordered to stand part of the Bill.
Clause 126
Dealing in duty stamps
Question proposed, That the clause stand part of the Bill.
Lucy Rigby
Clause 126 introduces two new criminal offences, to which we have already alluded, for possessing or transferring duty stamps in contravention of the scheme rules. Clause 127 introduces the two new criminal offences that I have just described, and sets out a defence for the purposes of those offences. Clause 128 introduces the power for a court to ban the sales of vaping products, along with an associated criminal offence for non-compliance with the order. Clause 129 sets the level of the penalty associated with the offences, according to the respective legal systems of the devolved nations. Clause 130 introduces additional powers to allow HMRC to enforce the new rules around vaping products by taking illicit products off shelves.
In summary, the clauses represent a comprehensive suite of enforcement tools that support the Government to address the illegal trade and support the legitimate industry. I therefore urge that clauses 126 to 130 stand part of the Bill.
James Wild
Clause 126 creates new criminal offences relating to the possession and transfer of unstuck duty stamps. In plain terms, it becomes an offence for anyone who is not an approved stamp holder to possess a duty stamp that has not been affixed to a vaping product, or to transfer such a stamp to someone else. As the Minister says, the Bill allows a defence where the person did not know or have reason to suspect that they were handling an unstuck stamp, and carves out sensible exemptions, such as transfers between UK representatives and overseas principals, or during commercial delivery and returns.
I would be interested to know what assessment the Treasury has made of the level of abuse that it expects under this regime. HMRC and trading standards are being given a budget for enforcement. Underlying that, there is presumably some assumption about the level of abuse of this system, so it would be interesting to have a flavour of that, given that all of us will be familiar with vape shops and associated issues from our constituencies.
Clause 127 creates criminal offences for possessing, transporting, displaying, selling or otherwise dealing in unstamped vaping products. It also criminalises managers of premises who “cause or permit” the sale of unstamped goods. Under the definition in subsection (4), a manager of premises
“is a person who…is entitled to control their use…is entrusted with their management, or…is in charge of them.”
To pick up the example raised by the hon. Member for Maidenhead, if an 18-year-old is in charge of the premises such that they are unlocking on the day and will be locking up, are they the person, the individual, who could get the fine for dealing in the product, even though they may have had no role whatever in securing the stock and are simply there, getting their minimum wage payment to look after the shop? I would be grateful if the Minister could unpack what subsection (4) means in that sense.
It is right that deliberate participation in the illicit vape trade is met with serious, fierce sanctions. We must also make sure that any junior staff who are wholly innocent—who do not know anything about the matter and could not reasonably have been expected to—are not prosecuted for the actions of others. We need some clarity from the Minister on how responsibility in those cases would be apportioned, and we must again ensure that enforcement authorities are operating with clear guidance.
Clause 128 will enable courts, when convicting under clause 127, to make an order prohibiting the use of premises for the sale of vaping products for up to 12 months, and will create a further offence for managers who breach such an order. The power is of course intended to shut down problem premises that are repeatedly used for illicit trading. That is a tool that local authorities and trading standards officers—and, I suspect, Members of this place and our constituents—will very much welcome. There are many examples in constituencies across the country of illegal vapes being sold, and the communities near them suffer the impact of those criminal enterprises.
We support action to deter such enterprises, but we are also familiar with examples in which trading standards, HMRC or others go in and seize the illegal vapes—the police may be involved as well—and in a matter of hours, that same premises will reopen, selling more illegal vapes. It is great to have a power to shut down such premises, but how will it be enforced? Will the resources be in place to do that? Will there be clear criteria on when the powers will be used, and how a change of ownership of a premises could affect a ban? We may effectively see fake transfers of ownership to try to get around it, so it is important that HMRC and trading standards have robust systems in place.
Clause 129 sets out the penalty framework. On summary conviction, in England and Wales the maximum is the general magistrates limit—imprisonment, a fine or both; in Scotland, the maximum is 12 months and a statutory fine; and in Northern Ireland, it is six months and a statutory fine. So there is a little discrepancy there. On conviction on indictment, the maximum is two years’ imprisonment, an unlimited fine or both. That clearly allows for flexibility to distinguish between serious organised criminal offending and smaller scale non-compliance with the law.
Of course, in the Sentencing Act 2026, the Government are effectively legislating to abolish sentences of up to 12 months, with a presumption that those will become suspended sentences. That is still a penalty, but it will mean that people are in the community rather than in jail serving their punishment, as they should be. The reality is that most people breaking this law are unlikely to actually go to prison; they may simply get a fine. Will the sentencing guidance make clear distinctions between organised criminality and smaller-scale offenders?
The final clause in the group, clause 130, deals with the issue of forfeiture. It goes beyond the general rules in clause 121 by allowing all unstuck stamps or unstamped products linked to offences under clauses 126 to 128 to be seized. In some cases, all the stock on the premises—the Minister made this point—may be forfeited if HMRC believes that it is used in a business connected with the offence. That could be a welcome measure, but we need to have some clarity about how unnecessarily broad powers could potentially be used. Will there be a clear route for traders to challenge such forfeiture of legitimate products where they consider that they have inadvertently breached the rules?
Taken together, the clauses introduce serious new powers, which is why it has been worth spending a few moments considering them and how they will actually be used. I think particularly of the power to shut down a premises for 12 months; we must ensure that that is effective, and that people are prevented from seeking to get around it by pretending to sell the business or list a new owner of the business. I look forward to the Minister’s responses to the points that I have raised.
Martin Wrigley
I am afraid that my training was as an engineer, rather than as a lawyer, so I apologise if I get points of standard law wrong. However, it is fascinating to read the Bill in such detail. In clause 126(3), it says,
“It is a defence for a person charged with an offence under this section to prove that they did not know”
I am interested to hear how the Minister thinks that somebody might prove that they did not know something. It strikes me that it is something that a person cannot actually prove.
Secondly, in relation to clause 128, when a premises has been banned for 12 months, is there anything that prevents someone opening up the next-door premises and continuing exactly as before?
Lucy Rigby
The shadow Exchequer Secretary raised a point about the strong penalties associated with the regime. I have already set out the Government’s aim: that the enforcement mechanisms in the Bill are deliberately tough and are aimed at being a strong deterrent. We believe that the strong penalties, including custodial sentences, are justified due to the size of the illicit vaping market in the UK. Indeed, that goes to the shadow Exchequer Secretary’s point about our assessment of the illicit market and the assessment of abuse. We understand that there is a large illicit market in this area. The powers are deliberately tough, with the aim of ensuring that there is no circumvention.
I will now address the fair points that were made previously by the hon. Member for Newton Abbot and raised again in the context of these clauses. All prosecutions, as hon. Members will know, must meet the public interest test. The test that the Crown Prosecution Service must meet has two limbs: the evidential and public interest elements. Both limbs must be met for prosecutions to be brought. The hon. Member for Newton Abbot referred, fairly, to clause 126(3) and 127(3), which outline the defence that is applicable to both offences. As he helpfully mentioned, it is a defence for a person charged with offences under sections 126 and 127 to
“prove that they did not know, suspect or have reason to suspect”
that they were possessing or transferring a duty stamp that had not been affixed to a vaping product. In that regard, on the question about proof of knowledge, I return to the CPS’s test and to the burden of proof that applies in proceedings in the UK.
Question put and agreed to.
Clause 126 accordingly ordered to stand part of the Bill.
Clauses 127 to 130 ordered to stand part of the Bill.
Clause 131
Publication of information
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Clauses 132 to 136 stand part.
Schedule 14.
Clause 137 stand part.
Government amendments 13 and 14.
Clause 138 stand part.
Lucy Rigby
Clauses 131 to 138 and Schedule 14 set out general provisions to ensure the effective implementation of the duty and the scheme.
Clause 131 allows for the publication of information to ensure effective enforcement of the duty and the scheme. Clause 132 details the instances in which information may be shared between the commissioners and any persons with functions relating to the duty. It will allow information to be transferred in both directions, ensuring successful implementation and the proper joining up of compliance efforts. For any unauthorised disclosure, the clause includes an offence under section 19 of the Commissioners for Revenue and Customs Act 2005.
The changes made by clause 133 provide a definition for local enforcement authorities and allow them to investigate whether businesses in their local areas are compliant with the duty. Clause 134 ensures that HMRC can make regulations and publish notices to make further provisions in relation to both the duty and the scheme. Clause 135 provides that regulations must be made by statutory instrument and sets out circumstances in which the made-affirmative procedure must be followed, including any provision that extends the cases in which vaping products are required to be stamped.
Clause 136 allows for schedule 14 to the Finance Act 2020 to make changes to the Finance Acts of 1994, 2007, 2008, 2017 and 2021. Clause 137 does not make changes to legislation but merely ensures that the Bill is interpreted correctly. Clause 138 provides that the duty and the scheme will commence on 1 October 2026, and that vaping products manufactured or imported before that date will be liable if a duty stamp is affixed to that
product.
Two technical amendments are proposed to clause 138. Amendment 13 clarifies the drafting to ensure elements of the regulations can come into force at the proper time. Amendment 14 puts beyond doubt that the criminal offences under these schemes can apply to vaping products, regardless of the date that they were produced or imported. The amendments ensure that the duty can be successfully administered, and neither one reflects any change in Government policy.
James Wild
We come to the final group of provisions on the important issue of the new vaping duty. I speak to clauses 131 to 138, which concern the general provisions underpinning the new vaping products duty regime. Clause 131 authorises HMRC to publish information about stamped vaping products, for the purposes of enabling retailers, consumers and other persons to assess whether a duty stamp has been activated in respect of a duty product. That is clearly a sane, sound aim, which gives retailers a way to distinguish between legal stamped products and illicit ones. However, that will only work if the data HMRC publishes is accurate and accessible. Mislabelling would harm legitimate firms, and if the system is cumbersome it will put people off using it.
Can the Minister tell us when HMRC will make available a practical, user-friendly checking mechanism—whether that is a public database, an app or some other technology—so that retailers and consumers can verify stamps quickly and easily? What safeguards will exist to correct errors swiftly where inaccurate data risks unfairly damaging a compliant business?
Clause 132 sets out a new information-sharing framework specific to the duty, letting HMRC exchange data with other bodies involved in enforcement. This is a legitimate and useful tool, but can the Minister give assurances about how the data will be logged, audited, and subject to clear internal controls?
Clause 133 delegates day-to-day enforcement to local authorities and trading standards teams, which makes sense. Last year trading standards seized over a million illegal vapes inland and detained 1.2 million at ports in England. Those powers need to be properly resourced if they are going to be effective in stamping out illegal trade, as we know that trading standards is already under considerable pressure to deliver on its various legislative requirements. It is fair to say that there is patchy implementation across the country.
What support will Government provide to local authorities to ensure consistent enforcement and genuine deterrence everywhere, not just in well-resourced areas? Counties, such as my county of Norfolk, have suffered as a result of the revised local government funding formula that the Government have put in place. I want to see them able to deal with the threat of illicit vapes in the same way as the metropolitan areas that benefit from the new formula that the Labour Government put in place.
Clause 134 gives the Treasury wide discretion to make supplementary transitional regulations under the regime. In practice, it is a broad power to fill in the blanks. Can the Minister give some confidence that it will not lead to a complex, rapidly changing rulebook? The Minister referred to the parliamentary procedure for such regulations under clause 135. To be clear, those regulations include the ability to amend an Act of Parliament, which is a considerable power. If such measures came forward, it would clearly be right to properly consult and debate them before they took effect. Will the Minister commit to formal consultation in such cases?
Clause 136 simply implements consequential amendments so that vaping products are recognised across the existing excise framework. Clause 137 deals with the definitions that determine which products fall within scope—clearly, they need to be kept up to date.
Finally, clause 138 sets the commencement and transitional arrangements. As we have discussed, businesses are expected to register from 1 April, with liability beginning from October. That is an ambitious timetable, but I am pleased to hear from the Minister that the interim guidance is available on gov.uk. I was not aware of that, so I will look it up later this evening, as she suggested.
We do not oppose any of these clauses, but I look forward to the Minister’s response on whether there will be formal consultation, particularly where Acts of Parliament will be changed by regulations. That is something every member of the Committee should expect.
Lucy Rigby
The shadow Exchequer Secretary asked about HMRC making compliance-checking methods available. There will be an app for access based on scans of products. It will be available before 1 October, and no scanning will be required before that date. He, fairly, asked a question about the flow of information. That is covered by subsections (3) and (4) of clause 132, which ensure that information can be used only for the purposes for which it was disclosed. Indeed, any other purpose would require further permission from the commissioners. Subsection (4) sets out the penalties that would apply for contravening the preceding provisions.
The shadow Exchequer Secretary also asked about the resources available to trading standards and local authorities. He mentioned Norfolk, is that right?
Lucy Rigby
Beautiful Norfolk—I know it very well. He compared Norfolk with more metropolitan areas. Local enforcement authorities, particularly trading standards, play a central role in tackling illicit vapes on the high street, and as has been mentioned, over 1 million illegal vapes have been seized in a single year under existing powers. Clause 133 gives local authorities the powers they need to conduct inspections and checks relating to both the duty and the scheme, to ensure that compliance work can be carried out effectively at retail level. That will complement the work of HMRC, which happens upstream.
We have already announced additional funding for trading standards in the context of wider tobacco and vaping measures, alongside £10 million for Border Force and the recruitment of over 300 HMRC compliance officers focused on this area. Giving these powers to local authorities, backed by additional resource, will help to ensure that the new regime is enforced on the ground and that compliant retailers are protected from what would otherwise be unfair competition.
Question put and agreed to.
Clause 131 accordingly ordered to stand part of the Bill.
Clauses 132 to 136 ordered to stand part of the Bill.
Schedule 14 agreed to.
Clause 137 ordered to stand part of the Bill.
Clause 138
Commencement and transitional provision
Amendments made: 13, in clause 138, page 146, line 24, at end insert—
“( ) Sections 114(4) (production only in accordance with regulations) and 117(1) (duty to stamp in accordance with regulations) come into force on such day as the Treasury may by regulations appoint.”
This amendment would allow the requirements to produce and stamp vaping products in accordance with regulations to be brought into force at the same time as the regulations.
Amendment 14: in clause 138, page 146, line 27, after “2027” insert
“, and have effect in relation to vaping products irrespective of when they were produced or imported”—(Lucy Rigby.)
This amendment would clarify (in light of the fact that stamping requirements are to be set out in regulations) that the criminal offences can apply to vaping products produced or imported before the Act is passed or the regulations are made.
Clause 138, as amended, ordered to stand part of the Bill.
Clause 139
Introduction to CBAM
The Chair
With this it will be convenient to discuss the following:
Clause 140 stand part.
Schedule 15.
Clauses 141 to 145 stand part.
Government amendment 15.
Clauses 146 and 147 stand part.
Dan Tomlinson
The shadow Exchequer Secretary invited the Economic Secretary to his constituency. Last week, he invited me to come on Valentine’s day to enjoy the bumper cars. I know the Economic Secretary is glad for the invite, but I am particularly glad for the one I received.
Turning to the matter at hand, clauses 139 to 147 and schedule 15 establish the core framework of the carbon border adjustment mechanism, otherwise known as the CBAM—[Interruption.]
Oliver Ryan
If the Minister is not otherwise engaged on Valentine’s day, he is always welcome in Burnley for the bumper cars.
Dan Tomlinson
Thank you. Burnley is a fantastic place to visit, and I hope to come before too long.
These clauses create the charge to CBAM, define the goods and emissions in scope, identify who is liable, and set out how the tax rate is calculated and how the relief operates. Together they form the substantive charging provisions that will underpin the operation of CBAM from 1 January 2027.
Clause 139 introduces CBAM as a new tax and signposts the structure of part 5 of the Bill. Clause 140 establishes the charge to CBAM, which applies to the emissions embodied in specified CBAM goods when they are imported into the UK. Schedule 15 defines the goods in scope, initially covering the aluminium, cement, fertiliser, hydrogen, iron and steel sectors. Clauses 141 to 143 set out when goods are treated as imported for CBAM purposes, and who is liable for the charge. In line with established customs principles, liability rests with the importer, with detailed provisions to ensure that the correct person is identified across different importation scenarios, including goods entering via Northern Ireland or subject to special customs procedures.
Clause 144 provides relevant exemptions from the charge. Clause 145 defines “emissions embodied in a CBAM good” and provides powers for the Treasury to specify, in regulations, how those emissions are determined and evidenced. Clause 146 sets out how the CBAM rate is calculated, and clause 147 provides for carbon price relief, allowing the CBAM charge to be reduced where a relevant carbon price has been incurred overseas in relation to the same emissions. That avoids double taxation while maintaining the integrity of the mechanism. Amendment 15 will ensure that the CBAM rate functions as intended, and that CBAM goods face a carbon price comparable to what would apply if the goods were produced in the UK.
The clauses are central to mitigating carbon leakage, and supporting the UK’s path to net zero.
James Wild
I am not clear from the Minister’s comments whether he has accepted the Valentine’s invitation, but I am sure I am not alone in not expecting a member of the Committee to corpse on CBAM, which some might say is a rather dry topic.
While CBAM can play a role in ensuring a level playing field for UK manufacturers and producers, it also highlights the levies and taxes applied by the Government on energy, which means that our energy prices are much higher than our competitors. I think we all want to see that burden reduced.
At the 2024 Budget, the Government confirmed the UK will introduce this new CBAM from January 2027, covering broadly the same types of highly traded carbon-intensive basic materials, and putting a carbon price on emissions embodied in certain imported goods, so that they face a comparable cost to that paid by domestic producers. Different countries clearly regulate industrial emissions to very different standards.
UK manufacturers already have to follow obligations to measure, reduce and pay for their emissions, which are costs that we think need to be ameliorated. Extending that principle to imports should, in theory, help to prevent carbon leakage and ensure it results in real global emissions cuts, rather than simply offshoring production and pollution.
As the Minister said, the new charge will initially apply to five sectors: aluminium, cement, fertilisers, hydrogen, and iron and steel. Fertilisers, which are one of the sectors brought within the scope of CBAM, are clearly a critical input for British agricultural producers, particularly for arable farms, where fertilisers already account for around 40% of crop-specific spending and around 12% of total farm costs.
The National Farmers Union has warned about what it calls a fertiliser tax, and has said that using domestic production as the baseline for CBAM levies, despite the UK no longer producing ammonium nitrate at scale, risks a wholesale increase in fertiliser prices at a time when farm confidence, as we all know, is at rock bottom.
The direction of travel is clear. Over time, both the EU and UK will raise the cost of high-carbon fertilisers, making lower-carbon alternatives more competitive as carbon prices tighten. Applying higher taxes where the UK is not a significant producer increases input costs for our British farmers. There is a risk of downstream leakage where UK farmers pay more for fertiliser due to CBAM, while competing with imported food from non-CBAM regimes that are still benefiting from cheaper, higher-carbon inputs, again undermining British producers and our food security.
This all lands on top of the other provisions within the Bill, namely the family farm and family business tax, as well as the cuts and delays we have seen in the sustainable farming incentive and the land management payment schemes and, of course, the additional pressures that are coming through in the cost of employment.
Will the Minister set out what specific assessment the Treasury has made of the impact of CBAM on fertiliser prices, on different farm sectors and on UK food security? How does he intend to prevent downstream carbon leakage, which simply shifts emissions from factories to fields?
Some industry groups, as recently reported in the Financial Times, warn that they think the Government’s current design has flaws and could accelerate de-industrialisation rather than prevent it. A major concern is that the Government plan to apply a single sector-wide rate, based on average emissions, instead of differentiating by product type and country of origin, as I understand the EU scheme does. UK Steel, the Mineral Products Association and the Chemical Industries Association have warned that, without changes, the mechanism will leave domestic producers worse off than their overseas competitors and undermine planned investment and decarbonisation. Has the Minister modelled the impact of using a single sector-wide rate rather than a more granular approach, as well as the impact on investment, jobs and emissions in each of the covered industries?
The Chartered Institute of Taxation, which has provided considerable help and input on all the provisions of the Bill, has flagged that further uncertainty will be caused by questions about the UK and EU emissions trading schemes being linked before the implementation date. The Government and the EU announced last May that they intend to link their ETSs, with mutual exemption from CBAM as part of the package, but I understand that formal negotiations have yet to begin. Perhaps the Minister can give us an update. There are also ongoing political discussions with the EU on the interaction of the two schemes, and the EU’s CBAM is undergoing some delays. That impacts on certainty for some transactions involving Northern Ireland, so I would be grateful if the Minister provided some clarity on where those discussions have got to.
Clause 139 establishes CBAM as the new UK tax on emissions, where a broadly equivalent price has not already been paid overseas. That is the foundation of the new charge. Clause 140 defines CBAM as
“charged on the emissions embodied in a CBAM good”
when it
“is imported into the United Kingdom.”
Those goods are defined by reference to the detailed tariff codes set out in schedule 15.
Schedule 15 focuses on the initial regime for aluminium, cement, fertiliser, iron and steel products, and hydrogen, and it gives HMRC powers to keep the schedule updated in line with tariff changes. Could the Minister elaborate on why those five sectors were chosen for inclusion from 2027, and on when the Government will set out a clear timetable and test for extending CBAM to other sectors, such as glass or ceramics?
Will there be a competitive disadvantage for high-carbon sectors left outside the first tranche, as they will still be exposed to cheaper, higher-emissions imports without any corresponding border adjustment? That point has been made to me privately by some of the Minister’s colleagues who would like to see a wider scope. Has the Treasury modelled how many businesses fall just above the £50,000 annual import threshold, and is it confident that it is capturing those that have substantial business and not imposing a burden on others?
Clause 141 sets out when a good is treated as imported into the UK for CBAM. It covers standard imports and goods under special customs procedures, such as warehousing and movements between Great Britain, Northern Ireland and the Isle of Man. The clause intends to dovetail CBAM with existing customs laws. In Committee, I have repeatedly highlighted the importance of practical guidance: the hands-on support that HMRC will give to smaller and medium-sized importers —I suggest that the £50,000 limit is fairly low.
Clause 142 ensures that where
“a CBAM good has been declared for a special customs procedure,”
processed into a non-CBAM good and then imported, CBAM is still charged on those emissions. This anti-avoidance provision aims to prevent companies from avoiding CBAM by doing limited processing to move a good out of the product list before releasing it into free circulation. The provision is welcome, as it would prevent people from dodging the rules.
Clause 143 places the liability for CBAM on the importer, broadly mirroring customs law by tying liability to the person in whose name the customs declaration is made, or on whose behalf it is made. That is intended to provide certainty, which is important, by aligning CBAM with established customs concepts and practices. Will HMRC give simple template wording or clear guidance so that businesses know how to declare who is responsible for CBAM and for sharing information throughout the supply chain?
The Chartered Institute of Taxation has also raised an important question. As the Minister will know, some businesses operate within VAT groups. If they import goods, they hold an EORI—economic operators registration and identification—number, which anyone who lived through the Brexit negotiations and debates will be familiar with. Under HMRC guidance, one VAT group member with an EORI number can make a customs declaration on behalf of another member. However, this group of clauses does not appear to allow for the formation of a CBAM group similar to a VAT or plastic packaging tax group.
It is unclear how the measures affect those liable under the clause where one VAT group member uses another’s EORI number. If the current easement does not apply to CBAM goods, each member may need its own EORI number, which would add some complexity and administrative burden. Will the Minister clarify the position and understanding on that? If an issue needs to be addressed, will the Government introduce legislation to allow for CBAM grouping to maintain the existing simplifications, as I am sure is their intention?
Dan Tomlinson
I thank the shadow Minister for his questions and engagement. This is one of the largest parts of the Bill, and sets out a significant change to taxation and the treatment of imports in order, as he says, to support domestic businesses that may face higher prices than companies seeking to export to the UK that have cheaper prices and higher emissions.
To go through some of the questions that were asked, the criteria that were looked at internally—over many years and starting under the previous Government; it has taken five years of work to determine which sectors will be in scope—were whether sectors were already in scope of the UK emissions trading scheme, because it is important that those are aligned; whether there was real risk of carbon leakage; and whether it was feasible to implement in 2027. That is why these five sectors were chosen, after significant engagement across Government and with stakeholders. The sectoral scope will be kept under review, and there are some sectors that the Government will continue to have conversations with in the coming weeks to understand their concerns and the benefits that there may be to widening the scope in future. We will keep it under review because, at the moment, the focus is on making sure that we can implement this significant change. It is a long piece of legislation and there are lots of good questions, but we want to get this in as drafted first.
The shadow Minister made several points regarding the sectors that are already in and the extent to which, in his words, they might be made “worse off”. It is important to note that they will be better off than without a CBAM in terms of competition and fairness in imports. At the moment, there is no CBAM, so the imports that come to the UK in these five sectors are, in a sense, undercutting domestic production if we have higher costs. With the introduction of CBAM, that undercutting will be significantly reduced. The prices faced by importers will be brought into line with those faced by those companies in the UK. There is a valid point to make about the detail and specificity with which the carbon prices that are used within CBAM are set, and that is something that I certainly want to keep under review, but it is good and it is right that we make progress with CBAM as set out in the legislation.
John Cooper (Dumfries and Galloway) (Con)
The Minister talks about people being better off, but my farmers are very concerned about the fertiliser impact. Four or five years ago, fertiliser was around £180 a tonne; today it is about £400 a tonne, and the introduction of CBAM might put another £100 on top of that. Farmers’ margins are so narrow that they simply have to pass that on, which will have a direct effect on food prices in this country. The Minister says that there will be talks about that. Farmers should be front and centre of those talks, because this is really worrying.
Dan Tomlinson
We will engage, and have engaged, with the industries that are directly affected by this change, including the fertiliser industry, and those for whom there will be knock-on effects from higher import prices. With fertiliser in particular, it is worth noting that UK-based fertiliser manufacturers have received more free allowances in recent years than they needed to surrender to be able to cover their emissions. As such, they are not, in practice, paying a carbon price at the moment. The CBAM rate will therefore be set at a low level to reflect that. It is something that I have been looking at as Minster because of these issues, and we expect the initial impact of CBAM on the fertiliser sector to be very modest. None the less I take the point that the hon. Member raises, and the Government will continue to look at it.
On the point around groupings and EORI numbers, that is not a phrase that I have come across before, but I am glad that I have heard it. I will make sure to remind myself of the torturous Brexit process and will, I am sure, understand the context there in more detail. We engaged with businesses in advance of making the proposal and feedback indicated that group treatment would confer relatively minimal benefits, so we chose not to implement it at this time. We will, of course, keep that under review though.
CBAM is a significant change that has been welcomed by many of the industries in the UK and should go a long way to levelling the playing field for those firms that are producing in these five sectors.
The Chair
The Minister courteously indicated to me that he has another assignation in Westminster Hall. Exceptionally, I will allow him to leave now, although that is unusual in the middle of a series of decisions. The Minister may make his way out quietly.
While I am on my feet, the cold is getting to my brain, but we all know that the heating system is lamentable at the moment. I shall be in the Chair for the first part of this afternoon as well, so if hon. Members feel the need to wear something warmer, I regard personal comfort as more important than sartorial elegance. [Hon. Members: “Hear, hear!”] That is not an invitation to be outrageous—but please ensure that your personal comfort is given attention.
Question put and agreed to.
Clause 139 accordingly ordered to stand part of the Bill.
Clause 140 ordered to stand part of the Bill.
Schedule 15 agreed to.
Clauses 141 to 145 ordered to stand part of the Bill.
Clause 146
Rate
Amendment made: 15, in clause 146, page 154, line 17, at end insert—
“(4A) In determining the ‘baseline free allocation percentage’ in relation to a CBAM sector, ignore any scheme year in which there were no sectoral emissions.”—(Lucy Rigby.)
This amendment clarifies that scheme years in which there were no sectoral emissions should be ignored when determining the baseline free allocation percentage in relation to a CBAM sector.
Clause 146, as amended, ordered to stand part of the Bill.
Clause 147 ordered to stand part of the Bill.
Clause 148
Administration and enforcement
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Schedule 16.
Clause 149 stand part.
Schedule 17.
Lucy Rigby
I appreciate your accommodation of the cold in the room, Sir Roger. I hope this afternoon proves that we can be both sartorially elegant and warm. Committee members may take their own view, but I look forward to this afternoon.
Clauses 148 and 149 and schedules 16 and 17 provide the administrative and enforcement framework necessary to ensure the effective operation of CBAM. They ensure that CBAM can be administered properly by HMRC, complied with by businesses, and enforced where necessary.
The clause introduces schedule 16, which makes detailed provision for the administration and enforcement of CBAM, including requirements for registration, accounting periods, CBAM returns, record keeping, payment deadlines, assessments, penalties and appeals. The schedule aligns CBAM administration with established HMRC processes where possible, helping to minimise additional burdens on businesses while ensuring robust compliance.
Clause 149 introduces schedule 17, which provides for criminal offences relating to CBAM. Those offences apply in serious cases, such as deliberate evasion or fraudulent behaviour, and mirror existing approaches taken elsewhere in the tax system. The inclusion of criminal offences ensures that appropriate deterrents are in place, protecting the integrity of the regime and ensuring a level playing field for compliant businesses.
Together, clauses 148 and 149 provide the necessary administrative and enforcement backbone for CBAM. They ensure that the regime is credible, enforceable and fair, while giving HMRC the tools it needs to administer CBAM effectively. I commend the clauses and schedules 16 and 17 to the Committee.
James Wild
We are sorry to see the Exchequer Secretary disappear. I hope that he comes back this afternoon for our further deliberations.
The clause introduces schedule 16, providing for the administration and enforcement of CBAM. They hand responsibility for managing this new carbon import charge to HMRC, and set out detailed compliance rules, including registration, accounting periods, returns, assessments and appeals. The schedule runs to 27 pages of text. Under these measures, any business importing CBAM goods worth more than £50,000 in a 12-month period, or expecting to reach that threshold within 30 days, must register, report each quarter and keep detailed records potentially for up to six years. HMRC will have wide discretion to make “best judgment” assessments and to counteract any artificial separation of business activities.
Mr Reynolds
The £50,000 threshold imposed as part of schedule 16 is incredibly low. It catches small construction firms importing tonnes of cement or steel, materials that could be consumed in one single medium-sized building project. The businesses importing such volumes will lack the resource of dedicated compliance teams and environmental consultants for quarterly emission verification. Meanwhile, large industrial importers, responsible for the vast majority of imported carbon emissions, face identical per unit compliance obligations, giving them a competitive advantage through their economies of scale.
CBAM introduces entirely new foreign concepts to normal commercial activities, such as calculating the emissions across international supply chains, determining whether carbon prices were paid in origin countries and applying complex fee allocation formulas. A family-run metalworking shop that has successfully filed VAT for 20 years must suddenly become an expert in lifetime emission methodologies and international carbon-pricing verifications. I do not believe that the Government have published any analysis comparing the £50,000 threshold to alternatives such £100,000 or £250,000 thresholds. I am interested to hear from the Minister what verification and changes have been made, and what assessment has been made of the compliance costs for various businesses.
Schedule 16 also introduces a £500 fixed penalty plus a £40 daily charge for failure to notify a change of circumstances, and a £500 penalty for record-keeping failures. While paragraph 40 of schedule 16 includes a reasonable excuse defence, HMRC interprets that quite narrowly as applying to circumstances such as illness, postal strikes or computer failures. The idea that the system or methodology was confusing or, “My supplier could not provide the data,” typically do not fall within the reasonable excuse defence.
The problem here is timings: the comprehensive penalties for CBAM take effect on 1 January 2027, so businesses navigating entirely unprecedented requirements are going to have a challenge. I note that the EU’s CBAM began with a transitional reporting period before enforcement ramped up, whereas the UK’s has no such mechanism.
These are not familiar tax concepts for lots of businesses. They involve new software, new tracking and international verification. These things have not been done in British business before, and I believe that small importers will face penalties while genuinely trying to comply with the regulations. The Liberal Democrats are not against the concept of a CBAM, but we take issue with the way that it has been put together.
Has the Minister considered a 12-month transitional period during which full penalties for deliberate avoidance are maintained but an allowance is given for honest compliance?
James Wild
I share the hon. Member’s concerns about the £50,000 threshold. Has he considered what might be a more appropriate level, in order to reduce the impact on smaller producers?
Mr Reynolds
The EU, for its CBAM, has not set a specific number in that way; it has set a number of tonnes of product. I would be interested to hear from the Government what work has been done to analyse the different impacts of £50,000, £100,000 and £250,000. The Treasury must have done some work on this, but I could not see any. We need the answer to that in order to find out where we stand.
Let me finish by saying that a transitional period may be quite beneficial. It would make sure that we are not setting our small and medium-sized enterprises up to fail and penalising them when they try to do the right thing but unfortunately, because of the complications in the system, they are unable to.
Lucy Rigby
The shadow Exchequer Secretary’s points about the criminal offences are similar to some of the points that were raised earlier in relation to other criminal offences set out in the Bill. I made the point in relation to those other offences, and I make it again here, about the standards that the CPS, or indeed any other prosecutorial authority, has to meet in satisfying both the evidential test and the public interest test. I am not sure that I need to take up the invitation to liaise with the Law Officers in that regard.
Questions were fairly raised about proportionality and the burden on businesses. The UK CBAM will operate like a conventional tax, in order to simplify the administrative and compliance burden for those who need to comply without, we think, undermining the environmental integrity of CBAM. However, the Government recognise that alignment with existing regimes—the Liberal Democrat spokesperson, the hon. Member for Maidenhead, referred to the EU CBAM and, indeed, to the ETS—can reduce administrative burdens, so where possible we will align with and build upon existing methodologies for calculating embodied emissions, as well as rules for monitoring reporting and verification under the ETS.
As hon. Members know, CBAM is not expected to have significant macroeconomic impacts or a significant impact on prices for individuals, households and families. CBAM imports make up only around 1% of average UK industry input costs. Therefore, as the Exchequer Secretary said, the Government do not expect CBAM to have a material impact on food prices, and the impact on farmers would be modest.
On the Liberal Democrat spokesperson’s point about thresholds, the threshold will retain over 99% of CBAM imports while removing 80% of otherwise registrable businesses, and over 70% of those removed from CBAM altogether by the threshold will be micro, small and medium-sized businesses.
Question put and agreed to.
Clause 148 accordingly ordered to stand part of the Bill.
Schedule 16 agreed to.
Clause 149 ordered to stand part of the Bill.
Schedule 17 agreed to.
Clause 150
Supplementary amendments
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Schedule 18.
Clauses 151 to 155 stand part.
Lucy Rigby
Clauses 150 to 155 and schedule 18 make the general, supplementary and commencement provisions for CBAM. They are designed to ensure that CBAM integrates properly with the wider statute book, operates coherently over time and comes into force as intended from 1 January 2027.
More specifically, clause 150 introduces schedule 18, which makes supplementary amendments to other legislation to ensure that CBAM operates consistently alongside existing customs and tax law.
Clauses 151 and 152 provide key definitions and interpretation provisions, including the meaning of “emissions”, “carbon dioxide equivalent”, “importer” and “CBAM good”. These clauses are designed to ensure clarity and legal certainty across the regime.
Clause 153 provides a power to make provision in relation to linked emissions trading schemes. This allows imported goods originating in countries with linked emissions trading scheme arrangements to be excluded from CBAM, reflecting international co-operation and avoiding unnecessary duplication.
Clause 154 sets out how regulations and notices under CBAM are to be made, including the applicable parliamentary procedures, to ensure appropriate scrutiny, with affirmative or made affirmative procedures applying where regulations have a significant impact.
Clause 155 provides for commencement and transitional arrangements. CBAM will apply to goods imported on or after 1 January 2027, with powers to smooth the transition during the initial years of operation.
In summary, clauses 150 to 155 and schedule 18 provide the essential supporting framework that allows for the effective functioning of CBAM, and I commend them to the Committee.
James Wild
We come to the final group on the carbon border adjustment mechanism. Clause 150, along with schedule 18, makes the technical but critical changes needed to fit CBAM into the UK’s existing tax and enforcement framework. These measures ensure that the new tax uses the same information gathering powers, collection mechanisms and penalties already in place. It is sensible to integrate CBAM in this way without creating a new process.
Clause 151 defines what we mean by “emissions” for CBAM purposes and firmly anchors the tax in the existing climate policy framework by adopting the definition in the Climate Change Act 2008. Greenhouse gas emissions will be measured in tonnes of carbon dioxide equivalent, which is sensible.
Clause 152 sets out the interpretive rules for part 5 of the Bill, working alongside clause 151 and schedule 16 to ensure that terminology throughout CBAM is coherent.
Clause 153 gives the Treasury the power to adjust CBAM if the UK’s emissions trading scheme is linked to another country’s carbon pricing system. The Minister touched on this briefly, but as I mentioned in the debate on an earlier group, in May the Government and the EU formally agreed to work towards linking their emissions trading systems to align carbon markets. I do not think the Exchequer Secretary responded to me on that point before he left the Committee. I am conscious that this is not the Minister’s portfolio, but can she give an update on where the EU-UK negotiations on the linkage have got to? This is a broad delegated power that could have real implications for competitiveness, trade and treatment of foreign carbon prices. We have expressed concerns previously about the linkage with the EU ETS and the higher charges that might hit UK businesses as a result. I would be grateful for an update on where the negotiations have got to—if they have actually started—and how the Treasury will ensure that there is proper consultation and debate before using the powers.
Lucy Rigby
The shadow Exchequer Secretary referred to some of the points agreed at the EU-UK summit last May. As he knows, the EU and the UK agreed to work towards linking our respective ETSs. He will not expect me to comment on ongoing negotiations, so I will not do that, but I will say that we are committed to working closely with all interested stakeholders, including international partners, through the CBAM policy design process and, of course, we consulted extensively on the design and implementation of this measure.
We have conducted information sessions at the World Trade Organisation and had extensive bilateral engagement with over 30 jurisdictions since announcing our intention to introduce a CBAM in December 2023. The UK will also engage through the UK CBAM international group, which serves as a forum through which the UK Government can understand the views of international partners and share updates.
The shadow Exchequer Secretary will forgive me for reiterating what I know he already knows, which is that all tax policy is kept under review. He rightly refers to our desire to smooth the transition—that is absolutely key. We will ensure that there is sufficient time built in to facilitate that smooth transition, and time to test systems as well.
Question put and agreed to.
Clause 150 accordingly ordered to stand part of the Bill.
Schedule 18 agreed to.
Clauses 151 to 155 ordered to stand part of the Bill.
Clause 156
Prohibition of promotion of certain tax avoidance arrangements
Question proposed, That the clause stand part of the Bill.
Lucy Rigby
Clauses 156 to 162 introduce a new statutory prohibition on the promotion of tax avoidance arrangements. If you will forgive me, Sir Roger, I will set out a little more background on these clauses than I have on others, which I think is important.
HMRC already can and regularly does stop people promoting marketed avoidance schemes, where it can identify the person or company doing the promotion. However, the controlling minds behind avoidance schemes often simply close down the company they use to promote the scheme before promoting a very similar scheme from a new company with different directors—everyone will be familiar with that concept of phoenixing. HMRC needs to identify and issue a new stop notice to each new entity and, during that time, promoters continue to sell the scheme and cause harm to taxpayers and the UK tax system. This measure will prohibit certain tax avoidance schemes from being promoted without HMRC first having to notify promoters, and will put a stop to promoters playing a game of cat and mouse with HMRC.
These clauses are about targeting those who continue to promote tax avoidance. They are not intended to be directed against legitimate tax advisers who are operating to a high professional standard but, while acting in good faith, make genuine mistakes. Furthermore, the Exchequer Secretary has asked HMRC officials to work with stakeholders in developing published guidance to address the fine detail of exactly how the prohibition will work in practice.
I turn to the individual clauses. Clause 156 will prohibit the promotion of avoidance arrangements that have no realistic prospect of success, as well as enabling HMRC commissioners to prohibit further arrangements in regulations. Any arrangements specified must have been, or be likely to be, marketed to seek a particular tax advantage, unlikely to result in that tax advantage, and likely to cause harm to taxpayers.
Clause 157 provides for the definition of “promotion” of arrangements. It includes important exemptions, such as where goods and services are provided on commercial terms without the knowledge that they are being used to promote tax avoidance, or where legally privileged advice or information is provided.
Clause 158 requires regulations implementing this policy change to be subject to the made affirmative procedure. That will ensure that the regulations take effect immediately, protecting the Revenue and taxpayers, while also ensuring proper oversight by this House.
For anyone breaching the prohibition or the regulations, civil penalties may apply under clause 159, or a criminal offence under clause 160. Under clause 161, where a responsible person has led an entity or partnership to commit a criminal offence through their consent, connivance or neglect, that criminal offence will also apply to them. Clause 162 contains relevant definitions and commencement provisions.
In summary, this measure will allow HMRC to stop the promotion of tax avoidance and tackle the persistent group of promoters. It will ensure that taxpayers and the UK tax system are protected from the harm caused by these promoters.
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Tuesday 3rd February 2026
(1 day, 12 hours ago)
Public Bill CommitteesCyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
The Chair
Good morning, everyone. We are now sitting in public and the proceedings are being broadcast. I remind Members, please, to switch electronic devices to silent, and that tea and coffee are not allowed during sittings. Today, we will first consider the programme motion on the amendment paper. We will then consider a motion to enable the reporting of written evidence for publication and a motion to allow us to deliberate in private about our questions before the oral evidence sessions. In view of the time available, I hope we can take those matters formally without debate. I call the Minister to move the programme motion standing in his name, which was discussed yesterday by the Programming Sub-Committee for the Bill. Time Witness Until no later than 10.00 am Royal United Services Institute; DLA Piper Until no later than 10.40 am techUK; Nine23; ISC2 Until no later than 11.25 am Cisco; Darktrace; NCC Group; Amazon Until no later than 2.40 pm Information Commissioner's Office; Ofcom; Ofgem Until no later than 3.00 pm Inter-Parliamentary Alliance on China Until no later than 3.20 pm Professor John Child, Professor of Criminal Law, University of Birmingham Until no later than 3.40 pm National Police Chiefs’ Council Until no later than 4.00 pm The Worshipful Company of Information Technologists Until no later than 4.20 pm NHS Greater Glasgow and Clyde Until no later than 4.50 pm Fortinet; Palo Alto Networks Until no later than 5.10 pm Department for Science, Innovation and Technology
Ordered,
That—
1. the Committee shall (in addition to its first meeting at 9.25 am on Tuesday 3 February) meet—
(a) at 2.00 pm on Tuesday 3 February;
(b) at 11.30 am and 2.00 pm on Thursday 5 February;
(c) at 9.25 am and 2.00 pm on Tuesday 10 February;
(d) at 9.25 am and 2.00 pm on Tuesday 24 February;
(e) at 11.30 am and 2.00 pm on Thursday 26 February;
(f) at 9.25 am and 2.00 pm on Tuesday 3 March;
(g) at 11.30 am and 2.00 pm on Thursday 5 March;
2. the Committee shall hear oral evidence on Tuesday 3 February in accordance with the following Table:
3. proceedings on consideration of the Bill in Committee shall be taken in the following order: Clauses 1 to 22; Schedule 1; Clause 23; Schedule 2; Clauses 24 to 61; new Clauses; new Schedules; remaining proceedings on the Bill;
4. the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Thursday 5 March.—(Kanishka Narayan.)
Resolved,
That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Kanishka Narayan.)
The Chair
Copies of written evidence received by the Committee will be made available in the Committee Room.
Resolved,
That, at this and any subsequent meeting at which oral evidence is to be heard, the Committee shall sit in private until the witnesses are admitted.—(Kanishka Narayan.)
The Chair
We are now sitting in public again. We have heard declarations of interest. If there are any other others, please say. We will now hear oral evidence from Jen Ellis, associate fellow for cyber and tech at the Royal United Services Institute, who is joining us online, and David Cook, who is a partner at DLA Piper. Thank you for coming.
Before calling the first Member to ask a question, I remind Members that questions should be limited to matters within the scope of the Bill. We must stick to the timings in the programme order that the Committee has agreed to. For this session, we have until 10 am. I call the shadow Minister.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
Q
Jen Ellis: There is a thing that you always hear people say in the cyber-security industry which is, “There are no silver bullets”. There is no quick fix or one easy thing, and that definitely applies when looking at policy as well. I cannot give you a nice, easy, pat answer to how we solve the problem of attacks like the ones we saw last year. What I can say is that, looking at the Cyber Security and Resilience Bill specifically, I think it could include companies above a certain size or impact to the UK economy. The Bill currently goes sector by sector— which makes lots of sense, to focus on essential services—but I think we could say there is another bucket where organisations beyond a certain level of impact on the economy would also be covered. That could be something like the FTSE350. Including those might be one way to go about it, but it is worth noting that it would not simply solve the problem because the problem is complex and multi-faceted, and this is just one piece of legislation.
David Cook: With respect to NIS2, that is an example of a whole suite of laws that have come in across the European Union—the Digital Decade law; I think there is something like 10 or 15 of these new laws. They do all sorts of different things, and NIS2 sits within that. NIS2 is the reform of the NIS directive, which is the current state of play in UK law. NIS2 gives certainty and definition, by way of the legislation itself and then the implementing legislation, which means that organisations have had a run-up at the issue and a wholesale governance programme, which takes a number of years, but they know where they are headed, because it is a fixed point in the distance, on the horizon.
The Bill we are talking about today has the same framework as a base. The plan then is that secondary legislation can be used in a much more agile way to introduce changes quickly, in the light of the moving parts within the geopolitical ecosystem outside the walls. For global organisations with governance that spans jurisdictions, a lack of certainty is unhelpful. Understanding where they need to get to often requires a multi-year programme of reform. I can see the benefits of having an agile, flexible system, but organisations—especially global ones, which are the sort within the scope of this Bill—need time to prepare, recruit people, get the skillset in place, and understand where they need to get to. That fixed future point needs to be defined.
Chris Vince (Harlow) (Lab/Co-op)
Q
David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.
Bradley Thomas (Bromsgrove) (Con)
Q
Jen Ellis: For sure, it should not come down to whether you are public or private; it should be about impact. Figuring out how to measure that is challenging. I will leave that problem with policymakers—you’re welcome. I do not think it is about the number of employees. We have to think about impact in a much more pragmatic way. In the tech sector, relatively small companies can have a very profound impact because they happen to be the thing that is used by everybody. Part of the problem with security is that you have small teams running things that are used ubiquitously.
We have to think a little differently about this. We have seen outages in recent years that are not necessarily maliciously driven, but have demonstrated to us how reliant we are on technology and how widespread the impact can be, even of something like a local managed service provider. One that happened to provide managed services for a whole region’s local government went down in Germany and it knocked out all local services for some time. You are absolutely right: we should be looking at privately held companies as well. We should be thinking about impact, but measuring impact and figuring out who is in scope and who is not will be really challenging. We will have to start looking down the supply chain, where it gets a lot more complex.
Tim Roca (Macclesfield) (Lab)
Q
Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.
On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.
The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.
The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.
The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
Jen Ellis: Again, that is a hugely complex question to cover in a short amount of the time. One of the challenges that we face in UK is that we are a 99% small and mediums economy. It is hard to think about how to place more burdens on small and medium businesses, what they can reasonably get done and what resources are available. That said, that is the problem that we have to deal with; we have to figure out how to make progress.
There is also a challenge here, in that we tend to focus a lot on the behaviour of the victim. It is understandable why—that is the side that we can control—but we are missing the middle piece. There are the bad guys, who we cannot control but who we can try to prosecute and bring to task; and there are the victims, who we can control, and we focus a lot on that—CSRB focuses on that side. Then there is the middle ground of enablers. They are not intending to be enablers, but they are the people who are creating the platforms, mediums and technology. I am not sure that we are where we could be in thinking about how to set a baseline for them. We have a lot of voluntary codes, which is fantastic—that is a really good starting point—but it is about the value of the voluntary and how much it requires behavioural change. What you see is that the organisations that are already doing well and taking security seriously are following the voluntary codes because they were already investing, but there is a really long tail of organisations that are not.
Any policy approach, legislation or otherwise, comes down to the fact that you can build the best thing in the world, but you need a plan for adoption or the engagement piece—what it looks like to go into communities and see how people are wrestling with this stuff and the challenges that are blocking adoption. You also need to think about how to address and remove those challenges, and, where necessary, how to ensure appropriate enforcement, accountability and transparency. That is critical, and I am not sure that we see a huge amount of that at the moment. That is an area where there is potential for growth.
With CSRB, the piece around enforcement is going to be critical, and not just for the covered entities. We are also giving new authorities to the regulators, so what are we doing to say to them, “We expect you to use them, to be accountable for using them and to demonstrate that your sector is improving”? There needs to be stronger conversations about what it looks like to not meet the requirements. We should be looking more broadly, beyond just telling small companies to do more. If we are going to tell small companies to do more, how do we make it something that they can prioritise, care about and take seriously, in the same way that health and safety is taken seriously?
David Cook: To achieve the outcome in question, which is about the practicalities of a supply chain where smaller entities are relying on it, I can see the benefit of bringing those small entities in scope, but there could be something rather more forthright in the legislation on how the supply chain is dealt with on a contractual basis. In reality, we see that when a smaller entity tries to contract with a much larger entity—an IT outsourced provider, for example—it may find pushback if the contractual terms that it asks for would help it but are not required under legislation.
Where an organisation can rely on the GDPR, which has very specific requirements as to what contracts should contain, or the Digital Operational Resilience Act, which is a European financial services law and is very prescriptive as to what a contract must contain, any kind of entity doing deals and entering into a contract cannot really push back, because the requirements are set out in stone. The Bill does not have a similar requirement as to what a contract with providers might look like.
Pushing that requirement into the negotiation between, for example, a massive global IT outsourced provider and a much smaller entity means either that we will see piecemeal clauses that do not always achieve the outcomes you are after, or that we will not see those clauses in place at all because of the commercial reality. Having a similarly prescriptive set of requirements for what that contract would contain means that anybody negotiating could point to the law and say, “We have to have this in place, and there’s no wriggle room.” That would achieve the outcome you are after: those small entities would all have identical contracts, at least as a baseline.
Emily Darlington (Milton Keynes Central) (Lab)
Q
David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.
The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.
Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.
I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.
Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.
David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.
NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.
Freddie van Mierlo (Henley and Thame) (LD)
Q
Jen Ellis: You have covered a lot of territory there; I will try to break it down. If you look at the attacks last year, all the companies you mentioned were investing in cyber-security. There is a difficulty here, because there is no such thing as being bullet-proof or secure. You are always trying to raise the barriers as high as you can and make it harder for attackers to be successful. The three attacks you mentioned were highly targeted attacks. The example of Volt Typhoon in the US was also highly targeted. These are attackers who are highly motivated to go after specific entities and who will keep going until they get somewhere. It is really hard to defend against stuff like that. What you are trying to do is remove the chances of all the opportunistic stuff happening.
So, first, we are not going to become secure as such, but we are trying to minimise the risk as much as possible. Secondly, it is really complex to do it; we saw last year the examples of companies that, even though they had invested, still missed some things. Even in the discussions that they had had around cyber-insurance, they had massively underestimated the cost of the level of disruption that they experienced. Part of it is that we are still trying to figure out how things will happen, what the impacts will be and what that will look like in the long term.
There is also a long tail of companies that are not investing, or not investing enough. Hopefully, this legislation will help with that, but more importantly, you want to see regulators engaging on the issue, talking to the entities they cover and going on a journey with them to understand what the risks are and where they need to get to. If you are talking about critical providers and essential services, it is really hard for an organisation—in its own mind or in being answerable to its board or investors—to justify spend on cyber-security. If you are a hospital saying that you are putting money towards security programmes rather than beds or diagnostics, that is an incredibly difficult conversation to have. One of the good things about CSRB, hopefully, is that it will legitimise choices and conversations in which people say, “Investing time and resources into cyber-security is investing time and resources into providing a critical, essential service, and it is okay to make those pay-off choices—they have to be made.”
Part of it is that when you are running an organisation, it is so hard to think about all the different elements. The problem with cyber-security—we need to be clear about this—is that with a lot of things that we ask organisations to do, you say, “You have to make this investment to get to this point,” and then you move on. So they might take a loan, the Government might help them in some way, or they might deprioritise other spending for a set period so that they can go and invest in something, get up to date on something or build out something; then they are done, and they can move back to a normal operating state.
Security is not that. It is expensive, complex and multifaceted. We are asking organisations of all sizes in the UK, many of which are not large, to invest in perpetuity. We are asking them to increase investment over time and build maturity. That is not a small ask, so we need to understand that there are very reasonable dynamics at play here that mean that we are not where we need to be. At the same time, we need a lot more urgency and focus. It is really important to get the regulators engaged; get them to prioritise this; have them work with their sectors, bring their sectors along and build that maturity; and legitimise the investment of time and resources for critical infrastructure.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Q
David Cook: The legislation talks about secondary legislation, so it allows for an agile, flexible programme whereby organisations can be brought within scope very quickly if concerns make that necessary. What that leaves us with, though, is that although legislation can be changed quickly, organisations often cannot. Where there is a definition, as we see with NIS2, as to which entities are in scope, organisations can embark on a multi-year programme to get into a compliant position. They can throw money at it, effectively.
What this legislation talks about, through the secondary legislation, is bringing organisations into scope and mandating specific security controls or specific requirements on those organisations in terms of security, but while the law might come in over a weekend, organisational change will not necessarily follow. There is a potential issue there. I can see the benefit and attractiveness of secondary legislation being used to achieve that aim, but having a clearer baseline as to what that sort of scope might look like—it could be ramped up or down, and the volume could be turned up or down, depending on need—would be more helpful. Reducing scope while diverging from NIS2 might be a benefit in terms of the commercial reality, but it might be a misstep in terms of security and the long tail that it takes to get more secure.
The Chair
Thank you. I am going to bring Allison Gardner in, because she has been waiting. You have two minutes, Allison.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
Jen Ellis: That is a great question, and a tricky one. We talk a lot about training and security awareness, and unfortunately I think it becomes yet another tick box: you start a job and watch your little sexual harassment training video, then you watch your cyber-security training video, and probably the former sticks with you better than the latter. I think we have to change that. We have to change that dynamic.
I go back to my last answer, which was that I think one of the strengths of the Bill is that, hopefully, it will enable the regulators to engage much more on this topic and therefore to engage their covered entities much more. That is what we need to see. We need to see the leadership in organisations engage with the topic of cyber-security, not as a chore, as a tick-box exercise or as that headline they read about JLR, but actually as something that matters to their organisation—as something they are going to engage with at a board and executive team level, all the way down through the organisation. Cultural change comes from the top, typically, and we need to see that level of change.
I do not think that there is anything specific in the legislation, as it is currently written, that says, “And this,” in flashing lights, “is going to change the human factors piece.” I think that the devil will be in the detail of the secondary legislation, and then in what the regulators specifically ask for. But there does need to be a general shift in the culture, whereby as sectors generally we start to talk more about this as a requirement. The financial services sector has talked about security for a long time—it has been a reality for it—but I am not sure how true that is, at breadth, in something like the water industry.
I hope that that will change. I hope that we will start to see having those conversations at the top levels, and then all the way down, becoming more of a cultural norm. Unfortunately, you cannot create culture change quickly. When it comes to talking about human factors, it is about people becoming much more aware of it and thinking more about it. That will take time—
The Chair
Order. Thank you very much, but I have to cut you off there.
Jen Ellis: Sorry for taking too long.
The Chair
No, you have been brilliant.
That brings us to the end of the time allotted for the Committee to ask questions. On behalf of the Committee, may I thank you both for sparing time from your busy schedules to give evidence this morning?
Examination of Witnesses
Jill Broom, Stuart McKean and Dr Sanjana Mehta gave evidence.
The Chair
Good morning, everyone, and welcome. We will now hear oral evidence from Jill Broom, head of cyber-resilience at techUK, from Stuart McKean, chairman of Nine23, and from Dr Sanjana Mehta, senior director for advocacy at ISC2. We must stick to the timings in the programme motion that the Committee has agreed for this session; we have until 10.40 am. Will the witnesses please briefly introduce themselves for the record?
Dr Sanjana Mehta: Good morning. My name is Sanjana; I work as senior director, advocacy, at ISC2.
Jill Broom: Good morning. My name is Jill Broom; I am head of cyber-resilience at techUK, the trade association for the technology industry in the UK.
Stuart McKean: Good morning. I am Stuart McKean; I am the founder and chairman of Nine23. We are a small MSP, based in the UK.
Dr Spencer
Q
My second question is a bit more technical. Do you consider that the definition in the Bill of a managed service provider is sufficiently clear and certain for businesses to understand whether they are in scope or out of scope of the Bill?
Dr Sanjana Mehta: I appear before the Committee today on behalf of ISC2, which is the world’s largest not-for-profit membership association for cyber-security professionals. We have 265,000 members around the world and 10,000-plus members in the UK.
On your question about sectoral scope, our central message is that we welcome the introduction of the Bill and we believe that it will go a long way towards improving the cyber-resilience of UK plc. Yes, there are certain sectors that are outside the scope of the Bill, and we believe that there are a number of non-legislative measures that could be used to enhance the cyber-security of other industries and parts of the sector. In particular, the forthcoming national cyber action plan should be used as a delivery vehicle for improving the resilience of UK plc as a whole.
On the previous panel, I think Jen mentioned that there are voluntary codes of practice. As an organisation, we have piloted the code of practice for cyber governance, and we have signed up to the ambassadors scheme for the code of practice for secure software development. We think that the upcoming national cyber action plan can further encourage the uptake of such schemes and frameworks. Most importantly, we call upon Government to focus on skills development as a non-legislative measure, because ultimately that will be the key enabler of success, whether it is for organisations that are within or outside the scope of the Bill.
The Chair
The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.
Stuart McKean: I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.
Jill Broom: Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.
We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.
Kanishka Narayan
Q
Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.
For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.
You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.
Dr Gardner
Q
Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.
I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.
Dr Gardner
Q
Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Alison Griffiths
I am so sorry. Could you possibly speak into the microphone? I cannot hear you.
Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.
Lincoln Jopp
Q
Stuart McKean: It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber-attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.
Lincoln Jopp
Do either of the other witnesses have anything to say on that?
Jill Broom indicated dissent.
Dr Sanjana Mehta indicated dissent.
Andrew Cooper (Mid Cheshire) (Lab)
Q
Jill Broom: I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.
Andrew Cooper
Q
Stuart McKean: It is an interesting cultural challenge. You want people to be open and to report incidents that are having an impact, but at the same time, if they report those incidents they might get fined, which could be economically challenging, particularly for a small business. Yes, we want to open and to report incidents, but—and this is where the detail comes in—what is the level of detail that needs to be reported and what is the impact of reporting it? When you report it to the regulators, what are they going to do with it? How will they share it and how will it benefit everybody else? The devil is definitely in the detail, and it is a cultural change that is required.
Sarah Russell (Congleton) (Lab)
Q
Jill Broom: We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.
Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.
Dr Sanjana Mehta: If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.
Alison Griffiths
Q
Stuart McKean: I am not an expert on the detail, but I would say that there is currently very little detail in the Bill regarding IT and OT.
Alison Griffiths
Q
Stuart McKean: The devil is always in the detail, so any more clarity that can be put in the Bill is always going to be a good thing.
Alison Griffiths
Does anyone have anything else?
Jill Broom: I think that I will need to come back to you in writing on the specifics of operational technology.
The Chair
Feel free to write in, secondary to this session, if you feel that you want to expand on any answers.
Dave Robertson (Lichfield) (Lab)
Q
It is very easy to write a piece of legislation, but if we do not have the professionals needed to deliver the level of compliance at the thresholds we are setting in this place, that raises other potential issues. Do you have a view about whether the 11% you mentioned is in the right ballpark for the number of professionals we have, or whether it needs to move either way?
Stuart McKean: I am referring to the Government’s report on MSPs that was done a couple of years ago. There are some 12,500 MSPs in the UK. Of those that are in scope of the Bill, 11% are medium-sized and large, but they account for something like 85% of the revenue that MSPs generate in the UK. Proportionally, the larger and medium-sized organisations will have the skillsets needed to deliver the requirements set out in the Bill. As it comes down the supply chain, most managed service providers are suitably qualified to deliver, but they will not be in scope of the Bill. Certainly the critical national infrastructure will not be in that sort of space. We have a good industry, and I think most of the MSPs are in that space, but I would highlight that MSPs are generally IT companies, and cyber-security is not an IT problem. It is much bigger than IT.
Although MSPs can be at one end, this goes back to a question that was asked before about why companies do not just do this anyway, and so be more secure. The reality is that they do not generally understand it; they do not understand the risk and they do not have the qualified people, and it goes on in a sort of vicious circle. A lot of those companies will just go, “Yeah, I’ve got an MSP. They deal with that.” It is an interesting challenge, but, to your question directly, I think medium-sized and large MSPs will not have an issue.
Dr Sanjana Mehta: If I may weigh in on this, I just want to take a step back and comment on the state of the profession in the UK. I appreciate that we are having this discussion specifically in relation to the regulated entities, but there is a broader picture. Parts of the industry are not in scope, but they need to have the right skills as well. We are starting off on a good foundation. The work done by industry, academia and professional associations over the past few years has helped to grow the profession steadily. The report by the Department for Science, Innovation and Technology mentions that the number of cyber-security professionals directly employed in the sector has increased by 11% over the past year.
That said, there is more to be done. I urge the Government to think about the skills piece, not only in relation to the Bill but as a wider challenge. We are very proud of our 10,000-plus members in the UK, who work very hard day and night to secure their organisations despite all the challenges and pressures, but the Bill does give Government a pivotal opportunity to elevate the status of the profession and to professionalise the sector.
Andrew Cooper
Q
Stuart McKean: It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.
Bradley Thomas
Q
Stuart McKean: Under the designation of a critical supplier, the Bill says:
“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.
That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.
Bradley Thomas
Q
Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.
Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.
Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.
Dr Spencer
Q
Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.
The Chair
I am looking around the table, and it seems to me that everybody is satisfied. Thank you very much indeed, Sanjana, Jill and Stuart, for giving your time so freely this morning—I know you are very busy people.
Examination of Witnesses
Matt Houlihan, Ben Lyons, Chris Anley and Dr Ian Levy gave evidence.
The Chair
Q
Dr Ian Levy: Good morning. I am Ian Levy, and I am a vice-president and distinguished engineer at Amazon. That job allows me to look across everything that Amazon does, including Amazon Web Services, the bookshop, our new satellite system and everything in between. Prior to that, I spent 23 years in GCHQ, and I was the founding technical director and designer of the National Cyber Security Centre.
Chris Anley: I am Chris Anley, chief scientist at NCC Group. We are a multinational cyber-security company, listed on the London Stock Exchange and headquartered in Manchester.
Matt Houlihan: Hi everyone. I am Matt Houlihan, and I am the vice-president for government affairs in Europe for Cisco, which is a technology company specialising in networking, security and collaboration technologies.
Ben Lyons: Good morning. I am Ben Lyons, and I am senior director for policy and public affairs at Darktrace. We are a company that uses AI for cyber-security, headquartered up in Cambridge.
Dr Spencer
Q
Starting with Ben from Darktrace, how are developing and emerging technologies such as AI and post-quantum crypto changing the nature of cyber-security threats? Do you think the Bill responds adequately to that changing threat landscape?
Moving on to Matt from Cisco, what further guidance and consultation from the Government and the Information Commissioner is needed for MSPs to comply effectively with their obligations under the Bill?
Chris from NCC Group, the National Audit Office report last year highlighted lots of serious deficiencies in Government cyber-resilience. Do you think the cyber action plan goes far enough? How can Government Departments be overseen and held to account in a way that will deliver meaningful improvements in cyber-resilience?
Finally, Ian from Amazon, a core feature of your business model is extensive exposure to supply chain partners. Do you think that the designation of critical suppliers by regulators under the Bill is the correct approach? What further consultation is needed to make sure that that is proportionate, prioritises the most critical suppliers and, crucially, gives a degree of certainty, whether legal or financial?
Ben Lyons: AI is significantly changing cyber-security. You can think about it at three levels: first, the way in which attackers are using AI to mount cyber-attacks; secondly, the need to secure AI systems and AI within companies and organisations; and thirdly, the question of how AI is changing cyber-security on the defensive side.
In brief, we see significant use of AI by attackers. Today, we are releasing the results of a survey in which 73% of surveyed security professionals say that AI-powered threats are having a significant impact on their organisation. These are things like phishing, reconnaissance, and lowering the barriers to being able to launch attacks and review more targets more effectively. Last month, the chief executive officer of Anthropic, which is one of the main frontier AI labs, warned that he sees AI-led cyber-attacks as potentially being the main way in which cyber-attacks are conducted in the future.
At the level of the enterprise, you have a challenge of how you secure the enterprise, in terms of not only developing and deploying AI, but visibility of AI used in an organisation. We are certainly seeing AI transform how cyber-security vendors and organisations manage the threat: they have greater visibility, can detect threats more quickly and the like. On how the Bill responds to that, one positive in its approach is that it is setting out an agile, outcomes-based approach that means that the regulatory regime can be capable of evolving as the threat evolves. It is sensible not to talk about AI in depth on the face of the Bill, but through mechanisms such as the code of practice, it will be possible for expectations to evolve over time as the threat and the technology mature.
The Chair
I should say to the witnesses: do not feel obliged to answer each question if you do not feel that you have anything material to add.
Matt Houlihan: It is very tempting to answer the question on AI, but thank you for the question on managed service providers. It is right that managed service providers are looked at in this Bill. An increasing amount of the work of managing IT services is clearly now outsourced to managed service providers. There needs to be some scrutiny and some baseline of cyber-security with those. I would say a couple of things on what guidance is needed. We broadly support the definition in the Bill. I appreciate the comments in the previous session that suggested that the definition was a little too broad and could be refined, which I think is fair, but when you compare the definition in the CSRB with the definition of managed service providers used in the NIS2 legislation, a couple of bits of clarity are provided in the CSRB. First, the managed service provider needs to provide an
“ongoing management of information technology systems”.
We feel that word “ongoing” is quite important. Secondly, it has to involve
“connecting to or…obtaining access to network and information systems relied on by the customer”.
We feel that
“connecting to or…obtaining access to”
the network is an important part of the definition that should be put forward. One area where more tightness can be provided is where, in the Bill, there is a non-exhaustive list of activities that an MSP could be involved in, such as
“support and maintenance, monitoring, active administration”.
The Bill then says, “or other activities”, which adds quite a bit of uncertainty on what is and is not an MSP.
The other area I would like to highlight and link to Ben’s answer on AI is that the “active administration” activity raises a question about the extent to which AI-enabled managed services would come under that definition. I am sure that lots of managed service providers will use AI more and more in the services that they provide to their end customers; to what extent does “active administration” involve an AI-related service?
To end on that specific question, the Information Commissioner’s Office will, I believe, issue guidance for managed service providers once the Bill is passed. That guidance will be the critical thing to get right, so there should be consultation on it, as my colleague from techUK suggested earlier. I would also suggest that that guidance cannot be a simple check-box list of things that have to be done. We should shift our thinking to have more of an ongoing appreciation of what cyber-security involves in practice for MSP or other regulated entities under the Bill. Making sure there is an ongoing process and that there is effective enforcement will be important.
Chris Anley: On the NAO report , the cyber action plan and public sector cyber-security, you are absolutely right to point out that the NAO report identifies serious issues. The Government recently acknowledged that they are likely to miss their 2030 cyber-resilience targets. It is also important to point out that the cyber action plan lays out an approach with many very positive elements such as an additional £210 million in central funding. There are many benefits to that, including a centralised provision of services at scale, a concentration of expertise and a reduction of costs.
Then there are other broader initiatives in the cyber action plan. The UK software security code of practice, which has been mentioned several times in these sessions, is a voluntary code that organisations can use as a tool to secure their supply chain. Cisco and NCC Group are ambassadors for that scheme and voluntarily comply with it, and it improves our own resilience.
Whether the cyber action plan goes far enough is a very difficult question. The NAO report also points out the extreme complexity of the situation. Within the budgetary constraints, I think it is fair to say that the steps in the plan seem reasonable, but there is a broader budgetary conversation to be had in this area. Two of the most significant issues identified in the report are the skills shortage, which has come up in these sessions—almost a third of cyber-security posts in Government are presently unfilled, which is dangerous—and the fact that Departments rely on vulnerable, outdated legacy IT systems, which may be the cause of an incident in their own right and would certainly make an incident much more severe were one to occur. The problem is that those are both largely budgetary issues. Successive Governments have obviously focused on delivering taxpayer value, as they should—we are all taxpayers—but over a period of a decade or more, that has led to a position where Departments find it difficult to replace legacy IT systems and fill these high-skill, high-cost cyber-security positions. There is very much a broader discussion to be had, as has been raised in these sessions, about where we should be in terms of the budget. You are absolutely right to raise the public sector issues. Although the Bill focuses on the private sector, the public sector obviously must lead by example.
Dr Ian Levy: We think the current definitions of critical suppliers are probably overly broad and risk bringing in SMEs, when you really do not want to do that. That said, we need to think about the transitive nature of supply chains. With previous regulations that talk about cyber-security, we have seen a flow-down of requirements through contracting chains. There is a question about how far it is reasonable to go down those contracting chains. In my experience, the value of the contract and the potential impact are not necessarily correlated. We certainly saw that when we were giving evidence for the Telecommunications (Security) Act 2021.
There is a real question about how you define what supply chain you mean. You mentioned that AWS has a complex supply chain. We certainly do—it is astoundingly complex—but the important thing is that we control the really important parts of that. For example, we build our own central processing units, graphics processing units, servers, data centres and so on. The question then becomes: how does that translate out to customers? If a customer is using a partner’s service running on AWS, where does the liability accrue? I do not think that is adequately covered in the Bill.
In terms of certainty and foreseeability, the Bill as it stands admits a single entity being regulated multiple times in multiple different ways. We are subject today to at least four different sets of regulations and regulators. Some of them conflict, and some of them are ambiguous. As this expands out, a single reporting regime—a lead regulator model—would take some of that ambiguity away so that you have more foreseeability and certainty about what you are trying to do.
There are things in the current drafting of the Bill that we think need some consultation. There are things in primary legislation, such as the Secretary of State’s powers, that seem to be unbounded—that is probably the best way to describe it—and that seems dangerous. We understand the necessity for powers around national security, but we think there need to be some sort of safeguards and consultation about how they are used in practice. For any multinational company, something that is effected in the UK is likely to affect all our customers, so some real constraint is needed around that.
Kanishka Narayan
Q
Chris Anley: By our calculation, as you say, the number of organisations that fall under the scope of the Bill in terms of the Government’s impact assessment is 0.1% of the private sector, which is one one-hundredth of the tip of the iceberg. We are going to have to adopt a whole-of-economy approach if we are going to secure the UK—we have already talked about the public sector issues.
On the Bill itself, we have three main comments. First, the secondary legislation forms the bulk of the technical measures, so we are calling for early consultation on that. Secondly, the Bill imposes additional reporting obligations, adding to an already complicated situation for reporting cyber-incidents in the UK. The reporting obligations trigger at a time of great complexity for an organisation, so we are calling for a single point of contact for reporting all cyber-security incidents in the UK and a single timeline. That may sound like a big ask—an impossible dream. Australia has already done it, and the EU is in the process of doing it in its digital omnibus streamlining package.
Finally, in terms of cyber professionals, the passage of a cyber-security Bill through Parliament is a golden opportunity to address the serious problems with the Computer Misuse Act 1990. Cyber professionals who are defending the UK cannot currently do so without risking criminal prosecution. We cannot carry out basic identification and verification actions without potentially committing the offence of unauthorised access to computer material, because a ransomware gang, for example, is unlikely to give us authorisation to identify the command and control system they are using to attack the UK.
We support the CyberUp campaign, which is proposing an amendment to the Computer Misuse Act to provide a statutory defence, resting on four strong safeguarding principles. We believe that that would help to protect our defenders while maintaining the integrity of the law. Based on the campaign’s research into the size of the cyber-security industry in the UK, the amendment would not only help to prevent incidents and mitigate incidents in progress, but add 9,500 highly skilled jobs and over £2.5 billion in revenue to the UK economy. Other nations are already benefiting from this type of safeguard, including our oldest ally, Portugal, which has implemented them in its recent amendments to NIS2, which is the exact legislative equivalent of the process we are in today. In summary, please help us to defend the UK by protecting our defenders.
Dr Ian Levy: To follow up on what Chris says, we strongly agree on early consultation on the technical detail of the secondary legislation. Somebody said in the previous session that, in security, the devil is always in the detail. Well-meaning text can be massively misinterpreted. We need to be very careful about that, so wide, early consultation is key.
On incident reporting, I will make two points. Chris made the point that when you are being asked to report, you are at your most desperate, because you have just found out that you have been attacked and you do not know what is going to happen. A lot of legislation accidentally ignores the victim. When we set up the NCSC, one of the primary things was that we were there to support the victims. I urge you not to lose sight of that. Absolutely, go after and find the culprits later, but in the moment, the victims are absolutely key to this.
The second part of that, about a single reporting timeline and a single reporting route, is that it is not just good for the victims but the only way that we generate strategic intelligence. That is one of the things that is missing in the UK—and has been for decades. We have five, six or seven different reporting portals that all characterise things differently and take different types of information, and bringing them together to have a single picture about the actual threat to the UK is incredibly difficult. A single reporting forum could fix that.
Ben Lyons: I might distinguish between what organisations need to do and whether organisations are in scope. In terms of what they need to do, the outcomes-based approach is sensible. If you think about when the Johnson Government were consulting on the measures that would go on to form this Bill, that was a time when ChatGPT had not been invented and the geopolitical environment was very different. The world is moving fast, and I think that the cyber assessment framework is a good starting place for what a code of practice could look like, because it is already understood by industry and is outcomes-driven.
I agree with the previous comments about incident reporting. I think that there is a lot of merit in the suggestion around a shared portal so that it is easier to report incidents in that moment of dealing with a cyber-attack. Within the regime as envisaged, probably the most important bit with reference to reporting is about improving that early clarity and visibility for the NCSC so that they can help. That is probably where I would place the emphasis, more than on regulators having that information within 24 hours. In that context, an approach that recognises best efforts in that first 24 hours but is focused on tackling the problem will be important for dealing with the issue.
On the supply chain, I would say—and we have heard about this before—that there could be more clarity there in terms of who would be in scope for designated suppliers. Thinking a bit around both systemic dependency and the potential for wider disruption would be important factors to give it more clarity.
Matt Houlihan: To round off the responses, on the question about finding the balance between specificity and agility, the Bill does a reasonable job at that. We can totally see the need to keep some of the doors open, because not only is the nature of the threat changing rapidly but the nature of technology—and of our capabilities to defend—is changing as well. We have already talked about AI, and we have lots of quantum research taking place as well that will have a big bearing on cyber-security.
It is right that the Bill has some agility in it, but it is clear from the responses today that there is a need to tighten it up in certain places. We talked about incident reporting, and having a simpler, more co-ordinated system for regulated entities to work with so that that reporting process is easier. The definition of “incident” itself needs to be looked at, we believe. The idea of an instance not only having, but being capable of having, an adverse effect on information systems opens the door very widely to lots of potential incidents that may need to be reported on. Having a tighter definition there would be very useful.
To touch on the point about Secretary of State powers, we feel that the door is a little bit too wide. If you look at legislation such as Australia’s cyber-security legislation from 2018, the Security of Critical Infrastructure Act, that also has some good Secretary of State powers, but there are lots of guardrails contained in it that make it clear that it is a power of last resort, where the entity is unwilling or unable to carry out the remedial action itself. There are also other guardrails contained in that legislation. We urge the Committee and the Government to look at that Act and take inspiration from it to think about where those guardrails could be worked into the UK law.
The Chair
Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.
Bradley Thomas
Q
Dr Ian Levy: I will start with that one.
The Chair
Please, Gentlemen, do not feel obliged to answer each question.
Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.
The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.
We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.
In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.
Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.
Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.
Dr Gardner
Q
My second question is for Ben. In combining AI and cyber, you are combining technologies that come with their own unique risks with cyber-security. I am interested in how you mitigate against that. I am intrigued because, when you talk about AI, I assume you are not talking about straightforward machine learning.
Chris Anley: In terms of what other things we could do, we have talked about voluntary codes. The value of voluntary codes was questioned in an earlier session; but the World Health Organisation best practice guide on handwashing, which is entirely voluntary, saved millions of lives in the recent pandemic. It is important to bear in mind that codes that help you to protect yourself are definitely valuable.
Other actions that are already taking place that we may want to extend on the basis of solid evidence and data are the cyber essentials scheme, for example, and the various codes of practice. The cyber governance code of practice for boards was mentioned earlier, along with the Government outreach and attempting to get boards to recognise that cyber risk is a business risk and an existential threat. We talked about the cyber assessment framework and how that is likely to be the scope within which this Bill is implemented. So, we do not necessarily need to do something new. The scope of the Bill, as we said, is 0.1% of the UK private sector. There is scope to expand the existing things that we are doing, especially cyber essentials, for example, raising the bar for small and medium-sized enterprises across the economy. There is a lot that we are already doing that we could do, that we already have the scope to expand, but obviously that must be done prudently and on the basis of solid evidence.
Dr Gardner
Q
Ben Lyons: That is something we think very deeply about. We see AI as helping to mitigate some of the risks from cyber-security by making it possible to detect attacks more quickly, understand what might be causing them, and to respond at pace. We are an AI native company and we have thought deeply about how to ensure that the technology is both secure and responsible. We are privacy-preserving by design. We take our AI to the organisation’s environment to build an understanding of what normality looks like for them, rather than vast data lakes of customer data. We take a lot of effort to ensure that the information surfaced by AI is interpretable to human beings, so that it is uplifting human professionals and enabling them to do more with the time they have. We are accredited to a range of standards, like ISO 27001 and ISO 42001, which is a standard for AI management. We have released a white paper on how we approach responsible AI in cyber-security, which I would be happy to share with you and give a bit more detail.
Chris Vince
Q
Matt Houlihan: I am very happy to. Two main comparators come to mind. One is the EU, and we have talked quite a bit about NIS2 and the progress that has made. NIS2 does take a slightly different approach to that of the UK Government, in that it outlines, I think, 18 different sectors, up from seven under NIS1. There is that wide scope in terms of NIS2.
Although NIS2 is an effective piece of legislation, the implementation of it remains patchy over the EU. Something like 19 of the 27 EU member states have implemented it to date in their national laws. There is clearly a bit of work still to do there. There is also some variation in how NIS2 is being implemented, which we feel as an international company operating right across the European Union. As has been touched on briefly, there is now a move, through what are called omnibus proposals, to simplify the reporting requirements and other elements of cyber-security and privacy laws across the EU, which is a welcome step.
I mentioned in a previous answer the work that Australia has been doing, and the Security of Critical Infrastructure Act 2018—SOCI—was genuinely a good standard and has set a good bar for expectations around the world. The Act has rigorous reporting requirements and caveats and guardrails for Government step-in powers. It also covers things like ransomware, which we know the UK Home Office is looking at, and Internet of Things security, which the UK Government recently looked at. Those are probably the two comparators. We hope that the CSRB will take the UK a big step towards that, but as a lot of my colleagues have said, there is a lot of work to do in terms of seeing the guidance and ensuring that it is implemented effectively.
Chris Anley: On the point about where we are perhaps falling behind, with streamlining of reporting we have already mentioned Australia and the EU, which is in progress. On protection of their defenders, other territories are already benefiting from those protections—the EU, the US, and I mentioned Portugal especially. As a third and final point, Australia is an interesting one, as it is providing a cyber-safety net to small and medium-sized enterprises, which provides cyber expertise from the Government to enable smaller entities to get up to code and achieve resilience where those entities lack the personnel and funding.
Emily Darlington
Q
Dr Ian Levy: The previous set of witnesses talked about board responsibility around cyber-security. In my experience, whether a board is engaged or not is a proxy indicator for whether they are looking at risk management properly, and you cannot change corporate culture through regulation—not quickly. There is something to be done around incentives to ensure that companies are really looking at their responsibilities across cyber-security. As the previous panellists have said, this is not just a technical thing.
One of the things that is difficult to reconcile in my head—and always has been—is trying to levy national security requirements on companies that are not set up to do that. In this case I am not talking about Amazon Web Services, because AWS invests hugely in security. We have a default design principle around ensuring that the services are secure and private by design. But something to consider for the Bill is not accidentally putting national security requirements on those entities that cannot possibly meet them.
When I was in government, in the past we accidentally required tiny entities, which could not possibly do so, to defend themselves against the Russians in cyber-space. If you translate that to any other domain—for example, saying that a 10-person company should defend itself against Russian missiles—it is insane, yet we do it in cyber-space. Part of the flow-down requirements that we see for contracting, when there is a Bill like this one, ends up putting those national security requirements on inappropriate entities. I really think we need to be careful how we manage that.
Matt Houlihan: Can I make two very quick points?
The Chair
Very briefly—yes.
Matt Houlihan: My first point is on the scale of the challenge. From Cisco’s own research, we released a cyber-security readiness index, which was a survey of 8,000 companies around the world, including in the UK, where we graded companies by their cyber maturity. In the UK, 8% of companies—these are large companies—were in the mature bracket, which shows the scale of the challenge.
The other point I want to make relates to its being a cyber-security and resilience Bill, and the “resilience” bit is really important. We need to focus on what that means in practice. There are a lot of cyber measures that we need to put in place, but resilience is about the robustness of the technology being used, as well as the cyber-security measures, the people and everything else that goes with it. Looking at legacy technology, for example—obsolete technology, which is more at risk—should also be part of the standards and, perhaps, the regulatory guidance that is coming through. I know that the public sector is not part of the Bill, but I mention the following to highlight the challenge: over a year ago, DSIT published a report that showed, I think, that 28% of Government systems were in the legacy, unsupported, obsolete bracket. That highlights the nature of the challenge in this space.
Alison Griffiths
Q
Chris Anley: On the OT versus IT question, we have mentioned specificity versus flexibility. The benefit of the UK sectoral regulator model is that regulators that are in areas where OT is predominant can set specific measures that can reinforce those environments, whereas if you try a one-size-fits-all approach, you run the risk of certain critical OT-based systems becoming subject to successful attacks.
Ben Lyons: The broad approach that the UK is taking is sensible, in that the existing guidance has a range of principles around OT, as well as IT, security. Manufacturing is not in the scope of the Bill, which is probably appropriate, but it is worth looking at what could be done to improve the security of the manufacturing sector, more broadly, probably through non-legislative means. In light of recent attacks, it is important to ensure that guidance and incentives are in place to support that sector.
Freddie van Mierlo
Q
Dr Ian Levy: In October 2025, we had an incident that had quite a widespread impact. We have engaged with regulators around the world, including multiple regulators in the UK, to explain what happened. We published, quite transparently, what had happened during the incident and afterwards. Explaining how the part of the organisation that had built that particular system works is very time-consuming. It is also almost certainly out of date by the time we have finished. In that particular case, it was something called a “race condition”, which is a well understood computer-science hard problem. No amount of regulation or legislation would have made a difference, because it was a race condition, and they are incredibly hard to find in software.
I think that regulating outcomes is the right answer, and making sure that we are doing due diligence, and that our view of appropriate risk management is broadly the same as yours, without making us a national security entity. That is the challenge. How we run our business is not really relevant; it is the outcomes that matter.
Matt Houlihan: It is increasingly important that businesses, parliamentarians and Government officials work together on these issues. As we said earlier, the pace of change in terms of the technology, and indeed the business environment—at both the UK and global levels—is moving very quickly. Having that exchange of information will be important.
It is important—from an international business point of view—that regulation is as aligned as is practicable with the other jurisdictions that a lot of the companies here will be working in. That will not only benefit companies that are headquartered elsewhere and operate in the UK; it will benefit UK-headquartered companies that are looking to expand abroad. It must also be proportionate and targeted. I think that at the nub of your question, there is clearly a need, going forward, for strong co-operation and the sharing of expertise and experiences.
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Tuesday 3rd February 2026
(1 day, 12 hours ago)
Public Bill CommitteesCyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
The Chair
Good afternoon. We will now hear oral evidence from Ian Hulme, the interim executive director of regulatory supervision and director of regulatory assurance for the Information Commissioner’s Office; Natalie Black, group director for infrastructure and connectivity for Ofcom; and Stuart Okin, director of cyber regulation and artificial intelligence for Ofgem. We need to stick to the timings in our programme order, so we have until 2.40 pm for this session. Could the witnesses please introduce themselves briefly before we hand over for questions?
Ian Hulme: Good afternoon. My name is Ian Hulme, and I am interim executive director of regulatory supervision at the ICO.
Natalie Black: Good afternoon. I am Natalie Black, and I am group director for infrastructure and connectivity at Ofcom.
Stuart Okin: My name is Stuart Okin; good afternoon. I am the director for cyber regulation and artificial intelligence at Ofgem.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
Q
My second question is jointly for Ian and Stuart, from the ICO and Ofgem. Some industry stakeholders have expressed concern about low levels of incident reporting and enforcement under the NIS1—network and information systems—regs. How will your respective approaches to regulation change as a result of this Bill, to ensure that it is implemented and that cyber-resilience is improved across the sectors you are responsible for regulating?
Natalie Black: I will kick off. We have some additional responsibilities, building on the NIS requirements, but the data centre aspect of the Bill is quite a substantial increase in responsibilities for us. It is worth emphasising that we see that as a natural evolution of our responsibilities in the sector. Communications infrastructure is evolving incredibly quickly, as you will be well aware, and data centres are the next big focus. In terms of preparations, we are spending this time getting to know the sector and making sure we have the right relationships in place, so that we do not have a standing start. I have done a number of visits, for example, to hear at first hand from industry representatives about their concerns and how they want to work with us.
We are also focusing on skills and recruitment. We already have substantial cyber-security responsibilities in the communications infrastructure sector. We are building on the credibility of the team, but we are focused on making sure we continue to invest in them. About 60% of the team already come from the private sector. We want that to continue going forward, but we are not naive to how challenging it is to recruit in the cyber-security sector. For example, we are working with colleagues from the National Cyber Security Centre, and looking at universities it is accrediting, to see how we can recruit directly using those kinds of opportunities.
Ian Hulme: On incident reporting, the thresholds in the existing regulations mean that levels are very low. Certainly, the reports we see from identity service providers do not meet those thresholds. I anticipate that we will see more incidents reported to us. With our enhanced regulatory powers and the expanded scope of organisations we will be responsible for, I anticipate that our oversight will deepen and we will have more ability to undertake enforcement activity. Certainly from our perspective, we welcome the enhanced reporting requirements.
Stuart Okin: To pick up on the incident side of things, I agree with Ian. The thresholds will change. With the new legislation, any type of incident that could potentially cause an issue will obviously be reported, whereas that does not happen today under the NIS requirements.
On enforcement, in seven years we have used all the enforcement regimes available to us, including penalties, and we will continue to do so. We absolutely welcome the changes in the Bill to simplify the levels and to bring them up, similar to the sectorial powers that we have today.
Chris Vince (Harlow) (Lab/Co-op)
Q
Stuart Okin: In the energy sector, we tend to use operational technology rather than IT systems. That might mean technology without a screen, so an embedded system. It is therefore important to be able to customise our guidance. We do that today. We use the cyber assessment framework as a baseline, and we have a 335-page overlay on our website to explain how that applies to operational technology in our particular space. It is important to be able to customise accordingly; indeed, we have added physical elements to the cyber assessment framework, which is incredibly important. We welcome that flexibility being maintained in the Bill.
Ian Hulme: Just to contrast with colleagues from Ofcom and Ofgem, ICO’s sector is the whole economy, so it is important that we are able to produce guidance that speaks to all the operators in that sector. Because our sector is much bigger, we currently have something like 550 trust service providers registered, and that will grow significantly with the inclusion of managed service providers. So guidance will be really important to set expectations from a regulatory perspective.
Natalie Black: To round this off, at the end of the day we always have to come back to the problem we are trying to solve, which is ensuring cyber-security and resilience. As you will have heard from many others today, cyber is a threat that is always evolving. The idea that we can have a stagnant approach is for the birds. We need to be flexible as regulators. We need to evolve and adapt to the threat, and to the different operators we will engage with over the next couple of years. Collectively, we all appreciate that flexibility.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
The ICO is a horizontal regulator working across all sectors. In your experience, would a single cyber regulator be a good idea? What would be the benefits and the challenges? I will allow Ofcom and Ofgem to jump in and defend themselves.
Ian Hulme: I suppose the challenge with having a single regulator is that—like ourselves, as a whole-economy regulator—it will have to prioritise and direct its resources at the issues of highest harm and risk. One benefit of a sectoral approach is that we understand our sectors at a deeper level; we certainly work together quite closely on a whole range of issues, and my teams have been working with Natalie and Stuart’s teams on the Bill over the last 18 months, and thinking about how we can collaborate better and co-ordinate our activities. It is really pleasing to see that that has been recognised in the Bill with the provisions for information sharing. That is going to be key, because the lack of information-sharing provisions in the current regs has been a bit of a hindrance. There are pros and cons, but a single regulator will need to prioritise its resources, so you may not get the coverage you might with a sectoral approach.
Natalie Black: Having worked in this area for quite some time, I would add that the challenge with a single regulator is that you end up with a race to the bottom, and minimum standards you can apply everywhere. However, with a tailored approach, you can recognise the complexity of the cyber risk and the opportunity to target specific issues—for example, prepositioning and ransomware. That said, we absolutely recognise the challenge for operators and companies in having to bounce between regulators. We hear it all the time, and you will see a real commitment from us to do something about it.
Some of that needs to sit with the Department for Science, Innovation and Technology, which is getting a lot of feedback from all of us about how we need it to co-ordinate and make things as easy as possible for companies—many of which are important investors in our economy, and we absolutely recognise that. We are also doing our bit through the UK Regulators Network and the Digital Regulation Cooperation Forum to find the low-hanging fruit where we can make a difference. To give a tangible example, we think there should be a way to do single reporting of incidents. We do not have the answer for that yet, but that is something we are exploring to try and make companies’ lives easier. To be honest, it will make our lives easier as well, because it wastes our time having to co-ordinate across multiple operators.
Bradley Thomas (Bromsgrove) (Con)
Q
Ian Hulme: Again, to contrast the ICO’s position with that of other colleagues, we have a much larger sector, as it currently exists, and we will have a massively larger sector again in the future. We are also funded slightly differently. The ICO is grant in aid funded from Government, so we are dependent on Government support.
To move from a reactive footing, which is our position at the moment—that is the Government’s guidance to competent authorities and to the ICO specifically—to a proactive footing with a much expanded sector, will need significant uplift in our skills and capability, as well as system development in order to register and ingest intelligence from MSPs and relevant digital service providers in the future.
From our perspective at the ICO, we need significant support from DSIT so that we can transition into the new regulatory regime. It will ultimately be self-funding—it is a sustainable model—but we need continued support during the transition period.
Bradley Thomas
Q
Ian Hulme: At the moment, to give you a few broad numbers our teams are around 15 people, and we anticipate doubling that. In the future, with self-funding, we will be a bit more in control of our own destiny. It is a significant uplift from our perspective.
Natalie Black: The challenge is that the devil is in the detail. Until that detail has worked through secondary legislation, we will have to reserve our position, so that we give you accurate numbers in due course. From Ofcom’s point of view, it is about adding 10s rather than significant numbers. I do not think we are that far off the ICO.
But I want to emphasise that this is about quality, not necessarily quantity. Companies want to work with expert regulators who really know what they are doing. Ofcom is building on the work we are already doing under the Telecommunications (Security) Act 2021. It will be a question of reinforcing that team, rather than setting up a separate one. We want to get the best, high-quality individuals who know how to talk to industry and really know cyber-security, to make sure people have a good experience when engaging with us.
Ian Hulme: To add to that, the one challenge we will face as a group is that we are all fishing in the same pond for skills. MSPs and others will also be fishing in that pond from the sector side. There needs to be recognition that there is going to be a skills challenge in this implementation.
Stuart Okin: To specifically pick up on the numbers, we have a headcount of 43 who are dedicated within cyber regulation. That also includes the investment side. We also have access to the engineering team—the engineering directorate—which is a separate team. There is also our enforcement directorate, as well as the legal side of things. The scope changes proposed in the Bill are just the large load controllers and supply chain, so we are not expecting a major uplift. These will be small numbers in comparison. Unlike my colleagues, we are not expecting a big uplift in resourcing.
Tim Roca (Macclesfield) (Lab)
Q
Ian Hulme: There are two angles to that. From a purely planning and preparation perspective, it is incredibly difficult, without having seen the detail, to know precisely what is expected of MSPs and IDSPs in the future, and therefore what the regulatory activity will be. That is why, when I am answering questions for colleagues, it is difficult to be precise about those numbers.
Equally, we are hearing from industry that it wants that precision as well. What is the expectation on it regarding incident reporting? What does “significant impact” mean? Similarly, with the designation of critical suppliers, precision is needed around the definitions. From a regulatory perspective, without that precision, we will probably find ourselves in a series of potential cases arguing about the definition of an issue. To give an example, if the definition of MSP is vague, and we are saying to an MSP that we think it is in scope, and it is saying, “No, we are not,” then a lot of our time and attention will be taken up with those types of arguments and disputes. Precision will be key for us.
Tim Roca
Q
Ian Hulme: There is a balance to be struck. When something is written on the face of the Bill and things change—and we know that this is a fast-moving sector—it makes it incredibly difficult to change things. There is a balance to be struck between primary and secondary, but what we are hearing and saying is that more precision around some of the definitions will be critical.
Natalie Black: I strongly agree with Ian. A regulator is only as good as the rules that it enforces. If you want us to hold the companies to account, we need to be absolutely clear on what you are asking us to do. The balance is just about right in terms of primary and secondary, particularly because the secondary vehicle gives us the opportunity to ensure that there is a lot of consultation. The Committee will have heard throughout the day—as we do all the time from industry—that that is what industry is looking for. They are looking for periods of business adjustment—we hear that loud and clear—and they really want to be involved in the consultation period. We also want to be involved in looking at what we need to take from the secondary legislation into codes of practice and guidance.
Dr Spencer
Q
Natalie Black: That is a great question, and I am not at all surprised that you have asked it, given everything that is going on at the moment. As well as being group director for infrastructure and connectivity, I am also the executive member of the board, sitting alongside our chief executive officer, so from first-hand experience I can say that Ofcom really recognises how fast technology is changing. I do not think there is another sector that is really at the forefront of change in this way, apart from the communications sector. There are a lot of benefits to being able to sit across all that, because many of the stakeholders and issues are the same, and our organisation is learning to evolve and adapt very quickly with the pace of change. That is why the Bill feels very much like a natural evolution of our responsibility in the security and resilience space.
We already have substantial responsibilities under NIS and the Telecommunications (Security) Act 2021. We are taking on these additional responsibilities, particularly over data centres, but we already know some of the actors and issues. We are using our international team to understand the dynamics that are affecting the Online Safety Act, which will potentially materialise in the security and resilience world. As a collective leadership team, we look across these issues together. The real value comes from joining the dots. In the current environment, that is where you can make a real difference.
Dr Spencer
Q
Natalie Black: That is definitely not what I am saying. You can cut the cake in many different ways. From where I sit—from my experience to date—you need specific sector regulators because you need regulators that understand the business dynamics, the commercial dynamics, the people dynamics and the issues on a day-to-day basis.
We have many people who have worked at Ofcom for a very long time, and who know the history and have seen these issues before. When it comes to threats, which is ultimately what we are dealing with—cyber-security is a threat—it is cross-cutting. It adapts, evolves and impacts in different ways. The knack is having a sector regulator that really understands what is going on. That means that when you are dealing with cyber-incidents, you understand the impact on real people and businesses, and ultimately you can do something more quickly about it.
Dr Spencer
Q
Stuart Okin: We have a clear understanding of the responsibilities within Ofgem. We are the joint competent authority with the Department for Energy Security and Net Zero. The Department does the designation and instant handling, and we do all the rest of the operations, including monitoring, enforcement and inspections. We understand our remit with NCSC. GCHQ is part of the cyber-security incident response team; it is ultimately responsible there.
Going back to your main concern, we are part of an ecosystem. We have to understand where our lines are drawn, where NCSC’s responsibilities are and what the jobs are. To go back to us specifically, we can talk about engineering aspects, electrical engineering, gas engineering and the cyber elements that affect that, including technology resilience—not cyber. As long as we have clear gateways and communication between each other—and I think that the Bill provides those gateways—that will also assist, but there are clear lines of responsibilities.
Natalie Black: It is clear that there is work to do to get in the same place for the Bill. Exactly as Stuart said, the information gateways will make a massive difference. It is too hard, at the moment, to share information between us and with the National Cyber Security Centre. The fact that companies will have to report within 24 hours not only to us but to the NCSC is very welcome.
To return to my earlier point, we think that there is a bit of work for DSIT to do to help to co-ordinate this quite complicated landscape, and I think that industry would really welcome that.
Ian Hulme: I agree with colleagues. From an ICO perspective, we see our responsibilities as a NIS competent authority as complementary to our role as a data protection regulator. If you want secure data, you have to have secure and resilient networks, which are obviously used to process data. We see it as a complementary set of regulations to our function as a data protection regulator.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
Q
It strikes me that, if one of the things that this legislation is to guard against is pre-positioning, and there are 14 parallel reporting systems in place, it could be the case that those pre-positioning attacks are not picked up as co-ordinated attacks from another nation state or organisation, because they are not pulled together in time.
Natalie Black: I point to my earlier remarks about information sharing. You are right: that is one of the great benefits of the Bill. To be able to do more, particularly when it comes to pre-positioning attacks, is really important. You will have heard from the NCSC, among others, that that is certainly a threat that we are seeing more and more of.
At the moment, it is too difficult to share information between us. The requirement to have an annual report to the NCSC is a good mechanism for consolidating what we are all seeing, and then for the NCSC to play the role of drawing conclusions. It is worth emphasising that Ofcom is not an operational organisation; we are a regulator. We look to the NCSC to provide threat leadership for what is going on across the piece. I think that that answers your question about where it all comes together.
Stuart Okin: I fully support that. The NSCS will be the hub for that type of threat intel and communications, in terms of risks such as pre-positioning and other areas. The gateways will help us to communicate.
Ian Hulme: Bringing it back to the practicalities of instant reporting, you said that there are potentially 14 lines of incident reporting because there are 14 competent authorities. How that can be consolidated is something to be explored. Put yourself in a position of an organisation that is having to make a report: there needs to be clarity on where it has to make it to and what it needs to report.
David Chadwick
Q
Ian Hulme: As we have already explained, the current regs do not allow us to share the information, which is a bit of a barrier for us. In the future, certainly, we will be working together to try to figure it out. I think that there is also a role for DSIT in that.
Natalie Black: First, we currently have a real problem in that information sharing is much harder than it should be. The Bill makes a big difference in addressing that point, not only among ourselves but with DSIT and NCSC. Secondly, we think that there is an opportunity to improve information reporting, particularly incident reporting, and we would welcome working with DSIT and others—I have mentioned the Digital Regulation Cooperation Forum—to help us find a way to make it easier for industry, because the pace at which we need to move means that we want to ensure that there is no unnecessary rub in the system.
Emily Darlington (Milton Keynes Central) (Lab)
Q
Ian Hulme: We need to think about this as essentially two different regimes. The requirements under data protection legislation to report a data breach are well established, and we have teams, systems and processes that manage all that. There are some notable cases that have been in the public domain in recent months where we have levied fines against organisations for data breaches.
The first thing to realise is that we are still talking about only quite a small sub-sector—digital service providers, including cloud computing service providers, online marketplaces, search engines and, when they are eventually brought into scope, MSPs. A lot of MSPs will provide services for a lot of data controllers so, as I explained, if you have the resilience and security of information networks, that should help to make data more secure in the future.
Lincoln Jopp (Spelthorne) (Con)
Q
I have dealt with the ICO before. Maybe it was the company that I worked in and led, but there was a culture there that, if you had a data breach, you told the ICO. There was no question about it. How are you going to develop your reactions and the behaviours you reward in order to encourage a set of behaviours and cultures of openness within the corporate sector, bearing in mind that, as was said this morning, by opening that door, companies could be opening themselves up to a hefty fine?
Stuart Okin: In the energy sector, we have that culture. It is one of safety and security, and the chief executives and the heads of security really lean into it and understand that particular space. There are many different forums where they communicate and share that type of information with each other and with us. Incident response is really the purview of DESNZ rather than us, but they will speak to us about that from a regulatory perspective.
Ian Hulme: From the ICO’s perspective, we receive hundreds of data-breach reports. The vast majority of those are dealt with through information and guidance to the impacted organisation. It is only a very small number that go through to enforcement activity, and it is in only the most egregious cases—where failures are so egregious that, from a regulatory perspective, it would be a failure on our part not to take action.
I anticipate that is the approach we will take in the future when dealing with the instant reporting regime that the Bill sets out. Our first instinct would be to collaborate with organisations. Only in the most egregious cases would I imagine that we would look to exercise the full range of our powers.
Natalie Black: From Ofcom’s point of view, we have a long history, particularly in the telecoms sector, of dealing with a whole range of incidents, but I certainly hear your point about the victim. When I have personally dealt with some of these incidents, often you are dealing with a chief executive who has woken up that morning to the fact that they might lose their job and they have very stressed-out teams around them. It is always hard to trust the initial information that is coming out because no one really knows what is going on, certainly for the first few hours, so it is the maturity and experience that we would want to bring to this expanded role when it comes to data centres.
Ultimately the best regulatory relationships I have seen is where there is a lot of trust and openness that a regulator is not going to overreact. They are really going to understand what is going on and are very purposeful about what they are trying to achieve. From Ofcom’s point of view it is always about protecting consumers and citizens, particularly with one eye on security, resilience and economic growth. The experience we have had over the years means that we can come to those conversations with a lot of history, a lot of perspective, and, to be honest, a bit of sympathy because sometimes those moments are very difficult for everyone involved.
The Chair
We have only five minutes left for this session, so if we can have concise questions and answers we might get everyone in.
Sarah Russell (Congleton) (Lab)
Q
Stuart Okin: Essentially, we would not go all the way down the supply chain. First, the operators of essential services are defined very much by the thresholds. Ultimately, they are the first point of responsibility. On the critical third party suppliers that have been brought in by the Bill, there will be a small number of those that, for energy, are for the entire systemic system of the UK, not the smaller entities. So we will hold those to account. On the enforcement side of things, if and when it comes to that, they will be in the same situation as the current operators of essential services are today. We welcome the simplification in the Bill and bringing those into the same sectorial powers and the same types of fines that we see today. It will not go down to those minutiae of detail. Again, the secondary legislation gives you the ability to define that.
Natalie Black: To keep it brief, we welcome the supply chain being brought into scope because we are all well aware that the most high-profile recent incidents often emanated from the supply chain. That said, we should be very honest about the complexity of entering this space, exactly for all the points that you have alluded to in terms of volume and scale and everything. We are already using this time to work through what our methodology will be. Engaging with the operators of essential services who are ultimately the customer of these suppliers has to be a starting point in terms of who they are most worried about in their supply chain. As Stuart says, you will see some commonality across all our sectors, so the numbers might not be as big as we might at first think, but this is what we need to work through over the coming months.
Ian Hulme: From an ICO perspective, one of the big tasks that we are going to have in understanding the MSP market is what their supply chains look like. We are perhaps a little behind colleagues in other regulators because of the difference in the regulatory regime, but that is one of the tasks that we will have to get to grips with.
Freddie van Mierlo (Henley and Thame) (LD)
Q
Ian Hulme: Certainly from an ICO perspective, many IDSPs that we currently regulate are operating across boundaries. From our perspective, the focus is on the outcome. If they have operations in other jurisdictions that are providing services into the UK, our focus is on the outcome and getting to understand the UK side of things more than anything else.
Natalie Black: This is a challenge for us every day. Many of the companies that we regulate have a footprint in the UK or multiple footprints around the world. The issue is in making sure that the UK requirements are as clear as possible to give them no excuse to argue exceptionalism. That is why we really welcome the opportunity to get into the detail through secondary legislation, which will be very important in holding all the companies to account that we think need to be held to account.
The Chair
That brings us the end of the allotted time for the Committee to ask questions. On behalf of the Committee, I thank our witnesses for their evidence.
Examination of Witness
Chung Ching Kwong gave evidence.
The Chair
We will now hear oral evidence from Chung Ching Kwong, senior analyst for the Inter-Parliamentary Alliance on China. We have until 3 pm for this session.
Chris Vince
Q
Chung Ching Kwong: Just to give some background, I am a senior analyst for the Inter-Parliamentary Alliance on China, and a PhD candidate in law at the University of Hamburg, focusing on data protection and data transfer. My expertise is not entirely on critical infrastructure security, but I do a lot of analysis on China’s legal system and also how it works in general. That is how I can contribute to this evidence session.
The threat posed by the CCP to our critical national infrastructure, such as water, energy and transportation, has shifted from espionage—stealing secrets—to pre-positioning, or preparing for sabotage. We cannot understand the threat without understanding the civil-military fusion of the Chinese state. Chinese companies operating in our CNI are not independent per se, in the way we would normally think about that in our country—in other words, private entities that operate on their own and have their own decision-making mechanisms. They are legally obligated under at least article 7 of China’s national intelligence law to co-operate with the state, to provide information, to provide help with decryption and to gather information at the request of the Government.
As highlighted by the NCSC, groups such as Volt Typhoon are pre-positioning within utility networks in the States. They do not use malware; they live off the land, using legitimate administrative credentials to proceed undetected for years. That is not for financial gain; they do it until the time is right for them to pull the trigger and cause a crisis.
In the transportation sector, there are a lot of cellular IOT modules embedded in e-buses and EVs. These devices require constant communication with servers in China to function, so they are constantly feeding data back to China for maintenance, remote access of data and that kind of thing. It could all be innocent and a feature for operational and functional purposes, but if—and only if—Beijing orders that data to be handed over and actions to be taken, it will become a problem.
That is the context of the risk we are facing when it comes to China, especially in terms of state-sponsored attacks. All entities, be they foreign companies in China or local Chinese-founded companies, have an obligation under Chinese law.
Chris Vince
Q
Chung Ching Kwong: Gathering information and data is definitely one of the main goals, but it is not limited to data transfer. Right now, in the UK, they do not need to rely only on access to critical infrastructure; under the Data Protection Act here in the UK, it is legal to transfer personal data through contractual clauses, so they can have access to personal data as long as they have that.
Of course, gathering data gives them insight into what is happening in the UK; if they want transportation data or power grid data, they can gather those data by different means. But it is also very important to understand Xi Jinping’s comprehensive national security concept. I think this is the reason why they are so determined to collect information, not only in the UK but worldwide.
In that kind of comprehensive security concept, political security, defined as the survival of the regime, is paramount. It overrides anything—not economic gain, not whether or not the GDP of China is going to grow in the next year, but any information or action that they see as necessary to make sure that the CCP is in control. That means it is gathering data of dissidents overseas, it is gathering data on the power grid, it is gathering data on transportation—anything they might find useful for a different purpose, which is, ultimately, to serve the goal of the survival of the regime.
Dr Spencer
Q
Secondly, it has been reported recently that communications of senior Government aides were hacked by Chinese state affiliates between 2021 and 2024. In view of that threat to telecoms networks, what are the potential cyber-risks to communications infrastructure that you see arising from the intended location of China’s super-embassy in the City of London?
Chung Ching Kwong: On the first question, about what can be done to help sectors understand the risks, education is paramount. At this point, we do not have a comprehensive understanding of what kind of risks state actors like China pose. We are very used to the idea that private entities are private entities, because that is how the UK system works; we do not see that organisations, entities or companies associated with China or the Chinese state are not independent actors as we would expect, or want to expect.
There is a lot of awareness-raising to be done and guidance to be issued around how to deal with these actors. There is a lot of scholarly work that says that every part of Chinese society—overseas companies and so on—is a node of intelligence collection within the system of the CCP. Those things are very important when it comes to educating.
Also, the burden of identifying what is a national security risk and what is not should not be put on small and medium-sized businesses, or even big companies, because they are not trained to understand what the risks are. If you are not someone specialising in the PLA and a lot of other things academically, it would be very difficult to have to deal with those things on a day-to-day basis and identify, “That’s a threat, and that’s a threat.”
Sorry, what was the second question?
Dr Spencer
Q
Chung Ching Kwong: There is not a lot of publicly available information on the sensitive cabling that is around the area, so I cannot confidently say what is really going to happen if they start to build the embassy and have such close contact with those cables. The limit of this Bill when it comes to the Chinese embassy is that it cannot mitigate the risks that are posed by this mega-embassy in the centre of London, because it regulates operators and not neighbours or any random building in the City. If the embassy uses passive interception technology to harvest data from local wi-fi or cellular networks, no UK water or energy company is breached. There is no breach if they are only pre-positioning there to collect information, instead of actually cutting off the cables, so when they do cut off the cables, it will be too late. There will be no report filed under the Bill, even if it is under the scope of the Bill when it comes to regulation. The threat in this case is environmental and really bypasses the Bill’s regulatory scope.
Dave Robertson (Lichfield) (Lab)
Q
Chung Ching Kwong: I think that to a certain extent they will. For hackers or malicious actors aiming for financial gain with more traditional hacking methods, it will definitely do a job in protecting our national security. But the Bill currently views resilience through an IT lens. It is viewing this kind of regulatory framework as a market regulatory tool, instead of something designed to address threats posed by state-sponsored actors. It works for cyber-criminals, but it does not work for state actors such as China, which possess structural leverage over our infrastructure.
As I said before, we have to understand that Chinese vendors are legally obliged to compromise once they are required to. The fine under the Bill is scary, but not as scary as having your existence threatened in China—whether you still have access to that market or you can still exist as a business there. It is not doing the job to address state-sponsored hackers, but it really does help when it comes to traditional hacking, such as phishing attempts, malware and those kinds of things.
Bradley Thomas
Q
Chung Ching Kwong: The US is probably a good example. It passed Executive order 14028 in May 2021, which requires any software vendor selling to the US federal Government to provide something called a software bill of materials—SBOM. That is technically a table of ingredients, but for software, so you can see exactly what components the software is made of. A lot of the time people who code are quite lazy; they will pull in different components that are available on databases online to form a piece of software that we use. By having vendors provide an SBOM, when anything happens, or whenever any kind of vulnerability is detected, you can very easily find out what happened.
That is due to a hack in 2021, in which a tiny, free piece of code called Log4j was found to have a critical vulnerability. It was buried inside thousands of commercial software products. Without that list of ingredients, it would be very difficult for people who had been using the software to find out, because, first, they may not have the technological capabilities and, secondly, they would not even know if their software had that component. This is one of the things the US is doing to mitigate the risks when it comes to software.
Something that is not entirely in the scope of the Bill but is also worth considering is the US’s Uyghur Forced Labour Prevention Act. That is designed to prevent goods made with forced labour from entering the supply chain. The logic of preventing forced labour is probably something that the UK can consider. Because the US realised that it could not inspect every factory in Xinjiang to prove forced labour, it flipped the script: the law creates a rebuttable presumption that all goods from that region are tainted, so the burden of proof is now on the importer to prove, with clear and convincing evidence, that their supply chain is clean.
A similar logic could be considered when it comes to this Bill to protect cyber-security. Any entities that are co-operating with the PLA—the People’s Liberation Army—for example, should be considered as compromised or non-trustworthy until proven otherwise. That way, you are not waiting until problems happen, when you realise, “Oh, this is actually tainted,” but you prevent it before it happens. That is the comparison that I would make.
Tim Roca
Q
Thank you for speaking to us today. May I turn the conversation a little on its head? We have been talking about national security and the threat from China and others. You were an activist in Hong Kong and made a great deal of effort to fight the Chinese Communist party’s invasion of privacy—privacy violations using the national security law—and other things. Do you see any risk in this legislation as regards civil liberties and privacy? We have had a bit of discussion about how much will go into secondary legislation and how broad the Secretary of State’s powers might be.
Chung Ching Kwong: The threat to privacy, especially to my community—the Hong Kong diaspora community in this country—will be in the fact that, under clause 9, we will be allowing remote access for maintenance, patches, updates and so on. If we are dealing with Chinese vendors and Chinese providers, we will have to allow, under the Bill, certain kinds of remote access for those firms to maintain the operation of software of different infrastructures. As a Hongkonger I would be worrying, because I do not know what kind of tier 2 or tier 3 supplier will have access to all those data, and whether or not they will be transmitted back to China or get into the wrong hands. It will be a worry that our data might fall into the wrong hands. Even though we are not talking specifically about personal data, personal data is definitely in scope. Especially for people with bounties on their head, I imagine that it will be a huge worry that there might be more legitimate access to data than there is right now under the Data Protection Act.
Tim Roca
Q
Chung Ching Kwong: It is always a double-edged sword when it comes to regulating against threats. The more that the Secretary of State or the Government are allowed to go into systems and hold powers to turn off, or take over, certain things, the more there is a risk that those powers will be abused, to a certain extent, or cause harm unintentionally. There is always a balance to be struck between giving more protection to privacy for ordinary users and giving power to the Government so that they can act. Obviously, for critical infrastructure like the power grid and water, the Government need control over those things, but for communications and so on, there is, to a certain extent, a question about what the Government can and cannot do. But personally I do not see a lot of concerns in the Bill.
Emily Darlington
Q
Chung Ching Kwong: It should definitely be covered by the Bill, because if we are not regulating to protect hardware as well, we will get hardware that is already embedded with, for example, an opcode attack. Examples in the context of China include the Lenovo Superfish scandal in 2015, in which originally implemented ad software had hijacked the https certificate, which is there to protect your communication with the website, so that nobody sees what activity is happening between you and the website. Having that Superfish injection made that communication transparent. That was done before the product even came out of the factory. This is not a problem that a software solution can fix. If you were sourcing a Lenovo laptop, for example, the laptop, upon arrival, would be a security breach, and a privacy breach in that sense. We should definitely take it a step further and regulate hardware as well, because a lot of the time that is what state-sponsored attacks target as an attack surface.
The Chair
That brings us nicely to the end of the time allotted for the Committee to ask questions. On behalf of the Committee, I thank our witness for her evidence.
Examination of Witness
Professor John Child gave evidence.
The Chair
We will now hear evidence from Professor John Child, professor of criminal law at the University of Birmingham and co-founding director of the Criminal Law Reform Now Network. For this session, we have until 3.20 pm.
Dr Spencer
Q
Professor John Child: My specialism is in criminal law, so this is a bit of a side-step from a number of the pieces of evidence you have heard so far. Indeed, when it comes to the Bill, I will focus on—and the group I work for focuses on—the potential in complementary pieces of legislation, and particularly the Computer Misuse Act 1990, for criminalisation and the role of criminalisation in this field.
I think that speaks directly to the first question, on effective collaboration. It is important to recognise in this field, where you have hostile actors and threats, that you have a process of potential criminalisation, which is obviously designed to be effective as a barrier. But the reality is that, where you have threats that are difficult to identify and mostly originating overseas, the actual potential for criminalisation and criminal prosecution is slight, and that is borne out in the statistics. The best way of protecting against threats is therefore very much through the use of our cyber-security expertise within the jurisdiction.
When we think about pure numbers, and the 70,000-odd cyber-security private experts, compared with a matter of hundreds in the public sector, police and others, better collaboration is absolutely vital for effective resilience in the system. Yet what you have at the moment is a piece of legislation, the Computer Misuse Act, that—perfectly sensibly for 1990—went with a protective criminalisation across-the-board approach, whereby any unauthorised access becomes a criminal offence, without mechanisms to recognise a role for a private sector, because essentially there was not a private sector doing this kind of work at the time.
When we think about potential collaboration, first and foremost for me—from a criminal law perspective—we should make sure we are not criminalising effective cyber-security. The reality is that, when we look at the current system, if any authorised access of any kind becomes a criminal offence, you are routinely criminalising engagement in legitimate cyber-security, which is a matter of course across the board. If you are encouraging those cyber-security experts to step back from those kinds of practices—which may make good sense—you are also lessening that level of protection and/or outsourcing to other jurisdictions or other cyber-security firms, with which you do not necessarily have that effective co-operation, reporting and so on. That is my perspective. Yes, you are absolutely right, but we now have mechanisms in place that actively disincentivise that close collaboration and professionalisation.
Sarah Russell
Q
Professor John Child: Yes. It is not the easiest criminal law tale, if you like. If there were a problem of overcriminalisation in the sense of prosecutions, penalisation, high sentences and so on, the solution would be to look at a whole range of options, including prosecutorial discretion, sentencing or whatever it might be, to try to solve that problem. That is not the problem under the status quo. The current problem is purely the original point of criminalisation. Think of an industry carrying out potentially criminalised activity. Even if no one is going to be prosecuted, the chilling effect is that either the work is not done or it is done under the veil of potential criminalisation, which leads to pretty obvious problems in terms of insurance for that kind of industry, the professionalisation of the industry and making sure that reporting mechanisms are accurate.
We have sat through many meetings with the CPS and those within the cyber-security industry who say that the channels of communication—that back and forth of reporting—is vital. However, a necessary step before that communication can happen is the decriminalisation of basic practices. No industry can effectively be told on the one hand, “What you are doing is vital,” but on the other, “It is a criminal offence, and we would like you to document it and report it to us in an itemised fashion over a period of time.” It is just not a realistic relationship to engender.
The cyber-security industry has evolved in a fragmented way both nationally and internationally, and the only way to get those professionalisation and cyber-resilience pay-offs is by recognising that the criminal law is a barrier—not because it is prosecuting or sentencing, but because of its very existence. It does not allow individuals to say, “If, heaven forbid, I were prosecuted, I can explain that what I was doing was nationally important. That is the basis on which I should not be convicted, not because of the good will of a prosecutor.”
Dr Gardner
Q
Professor John Child: I think the Bill does a lot of things quite effectively. It modernises in a sensible way and it allows for the recognition of change in type of threat. This goes back to my criminalisation point. Crucially, it also allows modernisation and flexibility to move through into secondary legislation, rather than us relying purely on the maturations of primary legislation.
In terms of board-level responsibility, I cannot speak too authoritatively on the civil law aspects, but drawing on my criminal law background, there is something in that as well. At the moment, the potential for criminalisation applies very much to those making unauthorised access to another person’s system. That is the way the criminal law works. We also have potential for corporate liability that can lead all the way up to board rooms, but only if you have a directing mind—so only if a board member is directing that specific activity, which is unlikely, apart from in very small companies.
You can have a legal regime that says, whether through accreditation or simple public interest offences, that there are certain activities that involve unauthorised access to another person’s system, which may be legitimate or indeed necessary. However, we want a professional culture within that; we do not want that outsourced to individuals around the world. You can then build in sensible corporate liability based on consent or connivance, which goes to individuals in the boardroom, or a failure-to-prevent model of criminalisation, which is more popular when it comes to financial crimes. That is where you say, “If this exists in your sector, as an industry and as a company, you can be potentially liable as an entity if you do not make sure these powers are used responsibly, and if you essentially outsource to individuals in order to avoid personal liabilities”.
Dr Gardner
Q
Professor John Child: Again, I have to draw back to the criminal law aspects. I think the Bill does the things it needs to do well; certainly, from the conversations I have had with those in cyber-security and so on, these are welcome steps in the right direction.
However, when you look at critical national infrastructure, although you can create layers of civil responsibility and regulation—which is entirely sensible—most of that will filter down to individuals doing cyber-security and resilience work. It is about empowering those individuals; within a state apparatus, that is one thing, but even with regulators and in-house cyber-security experts, individuals are working only within the confines of what they are allowed to do under the criminal law, as well as the civil regulatory system.
The reason I have been asked here, and what a lot of my work has focused on, is this: if you filter responsibility down to individuals doing security work for national as well as commercial infrastructure, you need to empower them to do that work effectively. The current law does not do that; it creates the problem of either doing that work under the veil of criminalisation, or not doing it, with work being outsourced to places where you do not have the back-and-forth communication and reporting regime you would need.
Dr Gardner
I think you are touching on the old problem of where liability lies when you have this long supply chain of diffused responsibility, but thank you.
Dave Robertson
Q
Professor John Child: That is a good question. It is certainly fair to say that all jurisdictions are somewhat in flux about how to deal with cyber threats, which are mushrooming in ways people would not have expected—certainly not in 1990, but even many years after.
The various international conventions—the OECD, the Budapest convention and so on—require regulation and criminalisation, but those are not nearly as wide as the blanket approach that was taken in this country. Some comparative civil law jurisdictions in the rest of Europe start from a slightly different place, in that they did not necessarily take the maximalist approach to criminalisation we did.
In a number of jurisdictions, you do not have direct criminalisation of all activities, regardless of the intention of the actor, in the same way that we do. So we are starting from a slightly different position. Having said that, we do see a number of jurisdictions making positive strides in this direction, because they need to; indeed, we see that at European Union level as well, where directives are being created to target this area of concern.
There are a few examples. We wrote a comparative report, incidentally, which is openly available. In terms of some highlights from that, there is a provision in French law, for example, where, despite mandatory prosecution being the general model within French criminal law, there is a carve-out relating to cyber-security and legitimate actors, where there is not the same requirement to prosecute. In the Netherlands, there was a scandal around hacking of keycards for public transport. That was done for responsible reasons, and there was a backlash in relation to prosecution there. There were measures taken in terms of prosecutorial discretion. Most recently, in Portugal, we saw a specific cyber-security defence created within the criminal law just last year.
In the US, it varies between states. In a lot of states, you have quite an unhelpful debate between minimalist and maximalist positions, where they either want to have complete hack-back on the one hand or no action at all on the other, but you have a slightly more tolerant regime in terms of prosecution.
So there are varying degrees, but certainly that is the direction of travel. For sensible, criminal law reasons that I would speak to, as well as the commercial benefits that come with a sector that is allowed to do its work properly, and the security benefits, that is certainly the direction of travel.
Dave Robertson
Q
Professor John Child: Yes. As I understand it, it does. This is part of the reason, incidentally, why my organisation, which focuses very much on criminal law aspects, ended up doing some collaborative work with the CyberUp campaign. That is because, from the industry perspective, they can do that kind of business modelling in a way that we do not. Whereas we can make the case for sensible criminal law reform, they can talk about how that reform translates into both the security environment and the commercial environment. Their perspective on this is, first, that we can see that there is already outsourcing of these kinds of services, particularly to the US, Israel and other more permissive jurisdictions. That is simply because, if you are a cyber-security expert in one of those jurisdictions, you are freer to do the work companies would like you to do to make sure their systems are safe here.
There are also the sectoral surveys and so on, and the predictions about what it is likely to do to the profession if you allow it to do these kinds of services in this jurisdiction. That is about the security benefits, but they are also talking about something like a 10% increase in the likely projection of what cyber-security looks like in this jurisdiction—personnel, GDP and so on.
Dr Spencer
Q
Professor John Child: There are obviously a number. It is always more comfortable when you have a beginning point of criminalisation. The argument to decriminalise in an environment where you want to protect against threats is sometimes a slightly unintuitive sell. Is the criminalisation that we have doing the necessary work in terms of actually fighting the threats? To some extent, yes, but it is limited. Is it doing harms? There is an argument to say that it is doing harms.
This comes back to the point that was made earlier, which was perfectly sensible. When you speak to the CPS and others, their position as prosecutors is to say, “Very few people are being prosecuted, and we certainly don’t want to be prosecuting legitimate cyber-security experts, so there is no problem.” Admittedly, that means there is no problem in terms of actual criminalisation and prosecution, but that is the wrong problem. If you focus on the problem being the chilling effect of the existence of the criminalisation in the first place, you simply cannot solve that through prosecutorial discretion, and nor should you, when it comes to identifying what a wrong is that deserves to be criminalised. You certainly cannot resolve it through sentencing provisions.
The only way that you can sensibly resolve this is either by changing the offence—that is very difficult, not least because, from a position of criminalisation, it might be where other civil jurisdictions begin—or by way of defence, which realistically is the best solve from the point we are at now. If you have a defence that can be specifically tailored for cyber-security and legitimate actors, you can build in reverse burdens of proof. You can build in objective standards of what is required in terms of public interest.
The point here is that the worry is one of bad actors taking advantage. The reality is that that is very unlikely. The idea that the bad actors we identify within the system would be able to demonstrate how they are acting in the public best interest is almost ridiculous. Indeed, the prospect of better threat intelligence, better securities and so on provides more information and better information-sharing to the NCSC and others and actually leads to more potential for prosecution of nefarious actors rather than less.
It is a more complicated story than we might like in terms of a standard case for changing the criminal law, but it is nevertheless an important one.
The Chair
That brings us to the end of the time allotted to ask questions. On behalf of the Committee, I thank our witness for his evidence. We move on to our next panel.
Examination of witness
Detective Chief Superintendent Andrew Gould gave evidence.
The Chair
We will now hear oral evidence from Detective Chief Superintendent Andrew Gould, programme lead for the National Police Chiefs’ Council cyber-crime programme. For this session, we have until 3.40 pm. I call Dr Ben Spencer.
Dr Spencer
Q
Secondly, on ransomware attacks, you will know that the Government review states that ransomware is
“the greatest of all serious and organised cybercrime threats”.
In your view, what is the scale of that threat and what sectors and businesses are the primary targets?
DCS Andrew Gould: To take the actors first, they are probably quite well known, in terms of the general groupings. Yes, we have our state actors—the traditional adversaries that we regularly talk about—and they generally offer very much a higher-end capability, as you will all be aware.
The next biggest threat group is organised crime groups. You see a real diversity of capability within that. You will see some that are highly capable, often from foreign jurisdictions—Russian jurisdictions or Russian-speaking. The malware developers are often the more sophisticated as service-type offerings. We see more and more ransomware and other crime types almost operating as franchises—“Here is the capability, off you go, give us a cut.” Then they have less control over how those capabilities are used, so we are seeing a real diversification of the threat, particularly when it comes to ransomware.
Then, where you have that proximity to state-directed, if not quite state-controlled—that crossover between some of those high-end crime groups and the state; I am thinking primarily of Russia—it is a lot harder to attribute the intent behind an attack. There is a blurring of who was it and for what purpose was it done, and there is that element of deniability because it is that one further step away.
Moving back down the levels of the organised crime groups, you have a real profusion of less capable actors within that space, from all around the world, driving huge volumes, often using quite sophisticated tools but not really understanding how they work.
What we have seen is almost like a fragmentation in the criminal marketplace. The barrier to criminal entry is probably lower than it has ever been. You can download these capabilities quite readily—you can watch a tutorial on YouTube or anywhere else on how to use them, and off you go, even if you do not necessarily understand the impact. We certainly saw a real shift post pandemic from traditional criminals and crime groups into more online crime, because it was easier and less risky.
You look more broadly at hacktivists, terrorists—who are probably a lot less capable; they might have the intent but not so much the capability—and then the group that are sometimes slightly patronisingly described as script kiddies. These are young individuals with a real interest in developing their skills. They have an understanding that what they are doing is wrong, but they are probably not financially or criminally motivated. If they were not engaging in that kind of cyber-crime, they probably would not be engaging in other forms of criminality, but they can still do a lot of damage with the tools they can get their hands on, given that so many organisations seem to struggle to deliver even a basic level of cyber-resilience and cyber-security.
One of the things that we really noticed changing over the last 18 months is the diversification of UK threats. Your traditional UK cyber-criminal, if there is such a thing, is primarily focused on hacking for personal benefit, ransomware and other activity. Now we are seeing a diversification, and more of a hybrid, cross-organised crime threat. There are often two factors to that. We often hear it described in the media or by us within law enforcement publicly as the common threat—this emerging community online—otherwise known as Scattered Spider.
There, we are seeing two elements to those sorts of groups. You see an element of maybe more traditional cyber-skills engaged in hacking or using those skills for fraud, but we also see those skills being used for Computer Misuse Act offences, in order to enable other offences. One of the big areas for that at the moment that we see is around intimate image abuse. We see more and more UK-based criminals hacking individuals’ devices to access, they hope, intimate images. They then identify the subject of those intimate images, most predominantly women, and then engage in acts of extortion, bullying or harassment. We have seen some instances of real-world contact away from that online contact.
Think of the scale of that and the challenge that presents to policing. I can think of cases in cyber-crime unit investigations across the country where you have got a handful of individuals who have victimised thousands of women in the UK and abroad. You have got these small cyber-crime units of a handful of people trying to manage 4,000 or 10,000 victims.
It is very difficult and very challenging, but the flipside of that is that, if they are UK-based, we have a much better chance of getting hold of them, so we are seeing a lot more arrests for those cross-hybrid threats, which is a positive. There is definitely an emerging cohort that then starts to blend in with threats like Southport and violence-fixated individuals. There seems to be a real mishmash of online threat coming together and then separating apart in a way that we have never seen historically. That is a real change in the UK threat that is driving a lot of policing activity.
Turning to your ransomware question, what is interesting, in terms of the kinds of organisations that are impacted by ransomware, a lot of the ransomware actors do not want to come to notice for hitting critical national infrastructure. They do not want to do the cloning of pipelines. They do not want to be taking out hospitals and the NHS. They know they will not get paid if they hit UK critical national infrastructure, for starters, so there is a disincentive, but they also do not want that level of Government or law enforcement attention.
Think of the disruptive effect that the UK NCA and policing had on LockBit the year before last. LockBit went from being the No. 1 ransomware strain globally to being out of the top 10 and struggling to come back. We saw a real fragmentation of the ransomware market post that. There is no dominant strain or group within that that has emerged to cover that. A lot of those groups that are coming into that space may be a bit less skilled, sophisticated and successful.
The overall threat to organisations is pretty much the same. The volume is the volume, but it is probably less CNI and more smaller organisations because they are more vulnerable and it is less likely to play out very publicly than if there is a big impact on the economy or critical national infrastructure. As such, there is probably not the level of impact in the areas that people would expect, notwithstanding some of the really high-profile incidents we had last year.
David Chadwick
Q
DCS Andrew Gould: That is a really good question. The international jurisdiction challenge for us is huge. We know that is where most of the volumes are driven from, and obviously we do not have the powers to just go over and get hold of the people we would necessarily want to. You will not be surprised to hear that it really varies between jurisdictions. Some are a lot more keen to address some of the threats emanating from their countries than others. More countries are starting to treat this as more of a priority, but it can take years to investigate an organised crime group or a network, and it takes them seconds to commit the crime. It is a huge challenge.
There are two things that we could do more of better—these are things that are in train already. If you think about the wealth of cyber-crime, online fraud and so on, all the data, and a lot of the skills and expertise to tackle that sit within the private sector, whereas in law enforcement, we have the law enforcement powers to take action to address some of it.
With a recent pilot in the City funded by the Home Office, we have started to move beyond our traditional private sector partnerships. We are working with key existing partners—blockchain analytic companies or open-source intelligence companies—and we are effectively in an openly commercial relationship; we are paying them to undertake operational activity on our behalf. We are saying, “Company a, b or c, we want you to identify UK-based cyber-criminals, online fraudsters, money-laundering and opportunities for crypto-seizure under the Proceeds of Crime Act 2002”. They have the global datasets and the bigger picture; we have only a small piece of the puzzle. By working with them jointly on operations, they might bring a number of targets for us, and we can then develop that into operational activity using some of the other tools and techniques that we have.
It is quite early days with that pilot, but the first investigation we did down in the south-east resulted in a seizure of about £40 million-worth of cryptocurrency. That is off a commercial contract that cost us a couple of hundred grand. There is potential for return on investment and impact as we scale it up. It is a capability that you can point at any area of online threat, not just cyber-crime and fraud, so there are some huge opportunities for it to really start to impact at scale.
One of the other things we do in a much more automated and technical way—again funded by the Home Office—is the replacement of the Action Fraud system with the new Report Fraud system. That will, over the next year or so, start to ingest a lot of private sector datasets from financial institutions, open-source intelligence companies and the like, so we will have a much broader understanding of all those threats and we will also be able to engage in takedowns and disruptions in an automated way at scale, working with a lot of the communication service providers, banks and others.
Instead of the traditional manual way we have always been doing a lot of that protection, we can, through partnerships, start doing it in a much more automated and effective way at scale. Over time, we will be able to design out and remove a lot of the volume you see impacting the UK public now. That is certainly the plan.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.
For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.
For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.
We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”
To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.
The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.
Bradley Thomas
Q
DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.
Chris Vince
Q
DCS Andrew Gould: It is a tricky one. It feels like the technology change is getting ever faster and ever more challenging, but I first went into cyber-crime in the Met back in 2014, and we are giving the same advice now as we were giving then. Sometimes your head can explode with the technical complexity of it, but a lot of the solution just comes down to doing the really boring basics in a world-class way. It is things like patching and doing your software updates. Whether you are a member of the public or running an organisation, finding a way to do those updates and patches means that 50% of the threat has gone, there and then. With something like multi-factor authentication, it seems like most organisations do not want to inconvenience their staff or customers by putting it in place, but that would be another 40% of the problem solved. It is not infallible—nothing is—but if you are thinking about how attacks are still successful, it is pretty basic: a lot of our protections are not in place. Solving that means that 90% of the threat is gone, there and then. That then leaves the 10% of more sophisticated threats—let’s make the criminals work a bit harder.
The Chair
Order. That brings us to the end of the time allotted for the Committee to ask questions. I thank the witness for his evidence.
Examination of Witness
Richard Starnes gave evidence.
The Chair
We will now hear oral evidence from Richard Starnes, chair of the information security panel for the Worshipful Company of Information Technologists. We have until 4 pm for this session.
Dr Spencer
Q
Richard Starnes: The question about effectiveness is difficult to answer. There is the apparent effectiveness and the actual effectiveness. The reason I answer in that way is that you have regulators that are operating in environments where they may choose to not publicly disclose how they are regulating; it may be classified due to the nature of the company that was compromised, or who compromised the company. There may not necessarily be a public view of how much of that regulation is actually going on. That is understandable, but it has the natural downside of creating instances where somebody is being taken to task for not doing it correctly, but that is not exposed to the rest of the world. You do not know that it is happening, so the deterrent effect is not there.
Information sharing and analysis centres started in the United States 20 or 25 years ago, when different companies were in the same boat. The first one that I was aware of was the Financial Services ISAC, which comprises large entities—banks, clearing houses and so on—that share intelligence about the types of attacks that they are receiving internationally. They may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them. Those have been relatively good at helping develop defences for those industries.
Dr Spencer
Q
Richard Starnes: Yes. We have FS-ISAC operating in the United Kingdom and in Europe, with all the major banks, but if you took this and replicated it on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.
David Chadwick
Q
Richard Starnes: On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.
How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.
Dr Gardner
Q
Richard Starnes: I think this should flow from the board to the C-level executives. Most boards have a risk committee of some sort, and I think the chair of the risk committee would be a natural place for that responsibility to sit, but there has to be somebody who is ultimately responsible. If the board does not take it seriously, the C-levels will not, and if the C-levels will not, the rest of the company will not.
Dr Gardner
Q
Richard Starnes: That is a very broad question.
Dr Gardner
I know, sorry. I collapsed it down from quite a few.
Richard Starnes: There is any number of different reasons. You have 12 competent authorities, at last count, with varying funding models and access to talent. Those could vary quite a bit, depending on those factors. I am not really sure how to answer that question.
Dr Gardner
Q
Richard Starnes: True, but I would submit that under the Companies Act that liability is already there for all the directors; it just has not been used that way.
Emily Darlington
Q
Richard Starnes: You just stepped on one of my soapbox issues. I would like to see the code of practice become part of the annual Companies House registrations for every registered company. To me, this is an attestation that, “We understand cyber-security, we’ve had it put in front of us, and we have to address it in some way.”
One of the biggest problems, which Andy talked about earlier, is that we have all these wonderful things that the Government are doing with regard to cyber-security, down to the micro-level companies, but there are 5.5 million companies in the United Kingdom that are not enterprise-level companies, and the vast majority of them have 25 employees or fewer. How do we get to these people and say, “This is important. You need to look at this”? This is a societal issue. The code of practice and having it registered through Companies House are the way to do that. We need to start small and move big. Only 3% of businesses are involved in Cyber Essentials, which is just that: the essentials. It is the baseline, so we need to start there.
David Chadwick
Q
Richard Starnes: Throughout my career, I have been involved in cyber incidents from just about day one. One of the biggest problems that you run into in the first 72 hours, for example, is actually determining whether you have been breached. Just because it looks bad does not mean it is bad. More times than not, you have had indicators of compromise, and you have gone through the entire chain, which has taken you a day, or maybe two or three days, of very diligent work with very clever people to determine that, no, you have not been breached; it was a false positive that was difficult to track down. Do you want to open the door to a regulator coming in and then finding out it is a false positive?
You are also going to have a very significant problem with the amount of alerts that you get with a 24-hour notification requirement, because there is going to be an air of caution, particularly with new legislation. Everybody and his brother is going to be saying, “We think we’ve got a problem.” Alternatively, if they do not, then you have a different issue.
The Chair
If there are no further questions, I thank our witness for his evidence. I will suspend the Committee for a few minutes because our next witnesses, who will give evidence online, are not ready yet.
The Chair
We will now hear oral evidence from Brian Miller, head of IT security and compliance, and Stewart Whyte, data protection officer, both from NHS Greater Glasgow and Clyde and joining us online. For this session we have until 4.20 pm. Will the witnesses please introduce themselves for the record?
Brian Miller: Good afternoon, Chair. It is nice to see you all. I am Brian Miller and I head up IT security and compliance at NHS Greater Glasgow and Clyde. It is a privilege to be here, albeit remotely. I have worked at NHS Greater Glasgow and Clyde for four years. Prior to that, I was infrastructure manager at a local authority for 16 years and I spent 10 years at the Ministry of Defence in infrastructure management. I look at the Bill not only through the lens of working with a large health board, but from a personal perspective with a philosophy of “defenders win” across the entire public sector.
Stewart Whyte: Good afternoon, Chair, and everyone. My name is Stewart Whyte and I am the data protection officer at NHS Greater Glasgow and Clyde. I am by no means a cyber-security expert, but hopefully I can provide some insight into the data protection side and how things fit together.
Dr Spencer
Q
Brian Miller: That is a good question. Some of our colleagues mentioned the follow-up secondary legislation that will help us to identify those kinds of things. I suppose there is no difference from where we are at now. We would look at any provision of services from a risk management perspective and say what security controls apply. For example, would they be critical suppliers in terms of infrastructure and cyber-security? Does a cleaning service hold identifiable data? What are the links? Is it intrinsically linked from a technological perspective?
I mentioned looking at this through a “defenders win” lens. Yes, some of these technologies are covered. I saw some of the conversations earlier about local authorities not being in scope, but services are so intrinsically linked that they can well come into scope. It might well be that some of the suppliers you mentioned fall under the category of critical suppliers, but that might be the case just now. There might be provision of a new service for medical devices, which are a good example because they are unique and different compliance standards apply to them. For anything like that, where we stand just now—outside the Bill—we risk assess it. There is such an intrinsic link. A colleague on another panel mentioned data across the services; that is why Stewart is here alongside me. I look after the IT security element and Stewart looks after the data protection element.
Dr Spencer
Q
Brian Miller: Sometimes, but sometimes not. I do not think we had any physical links with Synnovis, but it did work on our behalf. Emails might have been going back and forward, so although there were no physical connections, it was still important in terms of business email compromise and stuff like that—there was a kind of ancillary risk. Again, when things like that come up, we would look at it: do we have connections with a third party, a trusted partner or a local authority? If we do, what information do we send them and what information do we receive?
Chris Vince
Q
Stewart Whyte: Anything that increases or improves our processes in the NHS for a lot of the procured services that we take in, and anything that is going to strengthen the framework between the health board or health service and the suppliers, is welcome for me. One of our problems in the NHS is that the systems we put in are becoming more and more complex. Being able to risk assess them against a particular framework would certainly help from our perspective. A lot of our suppliers, and a lot of our systems and processes, are procured from elsewhere, so we are looking for anything at all within the health service that will improve the process and the links with third party service providers.
Dr Gardner
Q
Brian Miller: That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.
Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?
Stewart Whyte: We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.
From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.
Lincoln Jopp
Q
Brian Miller: We would work with the Scottish Health Competent Authority as our regulator; I cannot speak for other regulators and what that might look like. We are doing work on what assurance for critical suppliers outside the Bill looks like just now, and we are working across the boards in Scotland on identifying critical suppliers. Outside of that, for any suppliers or any new services, we will assess the risk individually, based on the services they are providing.
The Bill is really valuable for me, particularly when it comes to managed service provision. One of the questions I was looking at is: what has changed since 2018? The biggest change for me is that identity has went to the cloud, because of video conferencing and stuff like that. When identity went to the cloud, it then involved managed service providers and data centres. We have put additional controls around that, because the network perimeter extended out into the cloud. We might want to take advantage of those controls for new things that come online, integrating with national identity, but we need to be assured that the companies integrating with national identity are safe. For me, the Bill will be a terrific bit of legislation that will help me with that—if that makes sense.
Lincoln Jopp
Q
Brian Miller: I think we would work with the regulator, but we are looking for more detail in any secondary legislation that comes along. We have read what the designation of critical suppliers would be. I would look to work with the Scottish Health Competent Authority and colleagues in National Services Scotland on what that would look like.
Stewart Whyte: On how we would make that decision, from our perspective we are looking at what the supplier is providing and what sort of data they are processing on our behalf. From the NHS perspective, 90% of the data that we process will be special category, very sensitive information. It could be that, from our side, a lot of the people in the supply chain would fall into that designation, but for some other sectors it might not be so critical. We have a unique challenge in the NHS because of the service we provide, the effect that cyber-crime would have on our organisations, and the sensitivity of the data we process.
Dr Spencer
Q
Stewart Whyte: For me, it would be a slightly different assessment from Brian’s. We would be looking at anything where there is no processing of personal data. For me, that would not be a critical supplier from a data protection perspective. But there might be some other integration with NHS board systems that Brian might have concerns about. There is a crossover in terms of what we do, but my role is to look at how we manage data within the NHS. If there are suppliers where there is no involvement with identifiable data of either staff or patients, I would not see them as a critical supplier under this piece of legislation.
Lincoln Jopp
Q
Brian Miller: I do not want to step out of my lane. There will be clinical stuff that absolutely would be essential. I would not be able to speak in any depth on that part of it; I purely look at the cyber element of it. As an organisation, we would be identifying those kinds of aspects.
In terms of suppliers, you are absolutely right. We have suppliers that supply some sort of IT services to us. If we are procuring anything, we will do a risk assessment—that might be a basic risk assessment because it is relatively low risk, it might be a rapid risk assessment, or it may be a really in-depth assessment for someone that would be a critical supplier or we could deem essential—but there are absolutely suppliers that would not fall under any of that criteria for the board. The board is large in scale, with 40,000 users. It is the largest health board in the country.
Dr Spencer
Q
Stewart Whyte: Yes. There is a lot of information sharing between acute services and primary care via integrated systems. We send discharge letters and information directly to GP practices that then goes straight into the patient record with the GP. There is a lot of integration there, yes.
Dr Spencer
Q
Stewart Whyte: Yes, there is integration between ourselves and the local authorities.
The Chair
If there are no further questions from Members, I thank witnesses for their evidence. We will move on to the next panel.
Examination of Witnesses
Chris Parker MBE and Carla Baker gave evidence.
The Chair
We will now hear oral evidence from Chris Parker, director of government strategy at Fortinet and co-chair of the UK cyber resilience committee at techUK, and Carla Baker, senior director of government affairs in the UK and Ireland at Palo Alto Networks. For this session, we have until 4.50 pm.
Dr Spencer
Q
Carla, from the Palo Alto Networks perspective, what are your views on the changes to the incident reporting regime under the Bill? Will the approach help or hinder regulators in identifying and responding to the most serious threats quickly?
Chris Parker: I should point out that Carla is also co-chair of the cyber resilience committee, so you have both co-chairs here today.
As large cyber companies, we are very proud of one thing that is pertinent to the sector that may not be clear to everybody outside. I have worked in many sectors, and this is the most collaborative—most of it unseen—and sharing sector in the world. It has to be, because cyber does not respect borders. When we go to the most vulnerable organisations, which one would expect cannot afford things and therefore there must be a function of price, such as SMEs—I was an SME owner in a previous life—that is very dear to us. With the technology that is available, what is really good news is that when people buy cyber-security for their small business—in the UK or anywhere in the world—they are actually buying the same technology; it is effectively just a different engine size in most cases. There are different phases of technology. There is the latest stuff that is coming in, which they may not be getting into yet. However, the first thing to say is that it is a very fair system, and pricing-wise, it is a very fair system indeed for SMEs.
The second point is about making sure we are aware of the amount of free training going on across the world, and most of the vendors—the manufacturers—do that. Fortinet has a huge system of free training available for all people. What does that give? It is not just technical training for cyber-security staff; it is for ordinary people, including administrative workers and the people who are sometimes the ones who let the bad actor in. There are a lot of efforts. There is a human factor, as well as technological and commercial factors.
The other thing I would like to mention is that the cyber resilience committee, which Carla and I are lucky to co-chair, is elected. We have elected quite a large proportion of SME members. There is also a separate committee run by techUK. You heard from Stuart McKean earlier today, and he is one of the co-chairs, or the vice chair, of that committee.
Carla Baker: On incident reporting, as I am sure you are aware, the Bill states that organisations must report an incident if it is
“likely to have an impact”.
Our view, and I think that of techUK, is that the definition is far too broad. Anything that is likely to cause an impact could be a phishing email that an organisation has received. Organisations receive lots and lots of spoof emails.
I will give an example. Palo Alto Networks is one of the largest pure-play cyber-security companies. Our security operations centre—the hub of our organisation—processes something like 90 billion alerts a day. That is just our organisation. Through analysis and automation, the number is whittled down to just over 20,000. Then, through technology and capabilities, it is further whittled down, so that we are analysing about 75 alerts.
You can equate it to a car, for example. If you are driving and see a flashing yellow light, something is wrong. That is like 20,000 alerts. It is then whittled down to about 75, so we would potentially have to report up to 75 incidents per day, and that is just one organisation. There are a lot more. The burden on the regulator would be massive because there would be a lot of noise. It would struggle to ascertain what is the real problem—the high-risk incidents that impact the UK as a whole—and the noise would get in the way of that.
We have come up with a suggestion, an amendment to the legislation, that would involve a more tiered approach. There would be a more measurable and proportionate reporting threshold, with three tiers. The first is an incident that causes material service disruption, affecting a core service, a critical customer or a significant portion of users. The second is unauthorised, persistent access to a system. The third is an incident that has compromised core security controls—that is, security systems. Having a threshold that is measurable and proportionate is easier for organisations to understand than referring to an incident that is
“likely to have an impact”,
because, as I said, a phishing email is likely to cause an impact if an organisation does not have the right security measures in place.
David Chadwick
Q
Chris Parker: That is an excellent question. The good news is that a lot is happening already. An enormous amount of collaborative effort is going on at the moment. We must also give grace to the fact that it is a very new sector and a new problem, so everybody is going at it. That leads me on to the fact that the UK has a critical role in this, but it is a global problem, and therefore the amount of international collaboration is significant—not only from law enforcement and cyber-security agencies, but from businesses. Of course, our footprints, as big businesses, mean that we are always collaborating and talking to our teams around the world.
In terms of what the UK can do more of, a lot of the things that have to change are a function of two words: culture and harmonisation—harmonisation of standards. It is about trying not to be too concerned about getting everything absolutely right scientifically, which is quite tempting, but to make sure we can harmonise examples of international cyber-standards. It is about going after some commonality and those sorts of things.
I think the UK could have a unique role in driving that, as we have done with other organisations based out of London, such as the International Maritime Organisation for shipping standards. That is an aspiration, but we should all drive towards it. I think it is something the UK could definitely do because of our unique position in looking at multiple jurisdictions. We also have our own responsibilities, not only with the Commonwealth but with other bodies that we are part of, such as the United Nations.
It is not all good news. The challenge is that, as much as we know that harmonisation is okay, unfortunately everyone is moving. Things have started, and everyone is running hot. An important point to make is that it is one of the busiest sectors in the world right now, and everybody is very busy. This comes back to the UK having a particular eye on regulatory load, versus the important part that other elements of our society want, which is growth and economic prosperity. We talked earlier about SMEs. They do not have the capability to cover compliance and regulatory load easily, and we would probably all accept that. We have to be careful when talking about things such as designating critical suppliers.
All of this wraps up into increasing collaboration through public-private partnerships and building trust, so that when the Government and hard-working civil servants want to see which boundaries are right to push and which are not, bodies such as the UK cyber resilience committee, which Carla and I are on, can use those collaborative examples as much as possible.
There is quite a lot there, but something the UK certainly should be pushing to do is culture change, which we know has to be part of it—things have been talked about today by various speakers—as well as the harmonisation of standards.
Carla Baker: I think we are in a really interesting and exciting part of policy development: we have the Bill, and we have recently had the Government cyber action plan, which you may have heard about; and the national cyber action plan is coming in a few months’ time. The Government cyber action plan is internally facing, looking at what the Government need to do to address their resilience. The national cyber action plan is wider and looks at what the UK must do. We are at a really exciting point, with lots of focus and attention on cyber-security.
To address your point, I think there are three overarching things that we should be looking at. First is incentivising organisations, which is part of the Bill and will hopefully be a big part of the national cyber action plan. We must incentivise organisations to do more around cyber-security to improve their security posture. We heard from previous panellists about the threats that are arising, so organisations have to take a step forward.
Secondly, I think the Government should use their purchasing power and their position to start supporting organisations that are doing the right thing and are championing good cyber-security. There is more that the Government can do there. They could use procurement processes to mandate certain security requirements. We know that Cyber Essentials is nearly always on procurement tenders and all those types of things, but more can be done here to embed the need for enhanced security requirements.
Thirdly, I think a previous witness talked about information sharing. There is a bit of a void at the moment around information sharing. The cyber security information sharing partnership was set up, I think, 10 years ago—
Chris Parker: Yes, 10 years ago.
Carla Baker: It was disbanded a couple of months ago, and that has left a massive void. How does industry share intelligence and information about the threats they are seeing? Likewise, how can they receive information about the threat landscape? We have sector-specific things, but there isn’t a global pool, and there is a slight void at the moment.
David Chadwick
Q
Chris Parker: It is a national problem. We have had a lot of discussion on that at the techUK cyber resilience committee. We think it is not just about skills and bunging lots of training at people, because you have to work out cyber as a whole. A very small component of cyber is people at the wonderfully high-tech end, where they are coding and writing software. There are an awful lot of jobs in places out there that a lot of people are just not aware of, and perhaps would therefore not be volunteering or aiming towards it—even at their school. There are lots of jobs in cyber sales, marketing and analysis that do not require a very high level of mathematics, for example. Some of them do not need a very high level of mathematics at all. I think that some awareness needs to be built there.
Personally, I would like to see more championing of the people who are in the sector at the moment. We have some fantastic young men and women in the sector, but we also need to make sure they are able to have chartered status. It is out there, now that we are starting, but it needs to gather pace, because we need to make sure these people are represented and feel professional, so that it can be reflected.
Another thing to mention is that there is a lot of effort in the cyber growth partnership, which is run through DSIT and techUK. It is initiating an idea where people will be lent from industry into academia, to offer inspiration but also to improve lecture quality and standards, because things move fast and we are running so hot. It is very hard for academia to keep up. There is quite a lot that can be done to increase the workforce and skills, but going back to our original points, with greater public-private collaboration and discussion, we will get it absolutely right on focusing on the right places to spend resources.
Dr Gardner
Q
Carla Baker: My comment on information sharing was about what else the Government could do. It was not necessarily specifically to do with the Bill. If you want me to elaborate on the wider issue of information sharing, I am happy to.
Dr Gardner
Particularly between regulators, and how that would work.
Carla Baker: I cannot necessarily talk in much detail about information sharing across regulators. It is more about information sharing across the technology industry that I can talk about.
Dr Gardner
Q
I will ask my actual question, and I am trying to get my head around this. You recommend mandating that company boards be accountable for mitigating cyber-risks, and as we know from the annual cyber-security breaches survey, there are declining levels of board responsibility for cyber in recent years, which links to whether there should be a statutory duty. I am a little worried about small and microbusinesses having to deal with that regulatory burden, especially if they are designated as critical suppliers. I am trying to marry those two things together, and the concern of where liability sits, because we are very dependent on service providers. I do not know if that makes any sense to you, but could you clarify my thinking?
Chris Parker: It is a concern. I will start off with a small point about where there is a statutory requirement, certainly for large companies. I personally believe—and I am pretty sure that most industry people I speak to would say this—that it would be very surprising if we did not have cyber-focused people on boards and in much bigger governance, as we would in a financial services company, where people who are expert in financial risk are able to govern appropriately. As we get smaller and smaller in scale, that is much harder to do.
The good news is that there are some brilliant—and I really mean that—resources available from probably the most underused website in the world, but the best one, which is the National Cyber Security Centre website. It has some outstanding advice for boards and governance on there. You can effectively make a pack and write a checklist, even if you are a very small company with a board of two people, and go through your own things and make sure your checklists are there.
The data and the capability are there to give support. Whether it is signposted enough, and whether we are helping on a local level, to make sure that people are aware of those things is perhaps something we could do better at in this country. But I am sure that industry will do our part, and we do, to share and reinforce the good sharing of things like that website, to guide good governance for SMEs especially.
Carla Baker: That board-level accountability is really important, and it is crucial for cyber-security. I think it is getting better—from the senior execs that I speak to in industry, there is more understanding—but generally speaking, there is a view that cyber-security is an IT issue, not a business issue. I am sure you have heard throughout the day about understanding the risks we have seen around vulnerabilities, and the incidents that have affected the retail or manufacturing sectors. Those are substantial incidents that have impacted the UK and have systemic knock-on effects. Organisations have to understand the serious nature of cyber-security, and therefore put more emphasis on cyber at the board level.
Should we be mandating board-level governance? That is useful for this debate to seek information and input on, but the burden on SMEs has to be risk-based and proportionate, however it is framed.
Dr Gardner
Q
Chris Parker: That is a harder question. There is precedent here—of course, we can think back to the precedents that this great building has set on allowing things such as, post-Clapham train disaster, the Corporate Manslaughter and Corporate Homicide Act 2007 putting it very firmly on boards, evolving from the Health and Safety at Work etc. Act 1974. We are not there yet, but do not forget that we are starting to legislate, as is everyone else in Europe and America who are on this journey.
I believe that we will see a requirement at some point in the future. We all hope that the requirement is not driven by something terrible, but is driven by sensible, wise methodology through which we can find out how we can ensure that people are liable and accept their liability. We have seen statements stood up on health and safety from CEOs at every office in this country, for good reason, and that sort of evolution may well be the next phase.
Carla and I talk about this a lot, but we have to be careful about how much we put into this Bill. We have to get the important bit about critical national infrastructure under way, and then we can address it all collaboratively at the next stage to deal with very important issues such as that.
Lincoln Jopp
Q
Chris Parker: I was referring to strategic and critical suppliers, which is a list of Government suppliers. We are advocating that the level of governance and regulatory requirement inside an organisation is difficult, and it really is. It requires quite a lot of work and resource, and if we are putting that on to too small a supplier, on the basis that we think it is on the critical path, I would advocate a different system for risk management of that organisation, rather than it being in the regulatory scope of a cyber-resilience Bill. The critical suppliers should be the larger companies. If we start that way in legislation and then work down—the Bill is designed to be flexible, which is excellent—we can try to get that way.
As a last point on flexibility—this is perhaps very obvious to us but less so to people who are less aware of the Bill—there is a huge dynamic going on here where you have a continuum, a line, at one end of which you have the need for clarity, which comes from business. At the other you have a need for flexibility, which quite rightly comes from the Government, who want to adjust and adapt quite quickly to secure the population, society and the economy against a changing threat. That continuum has an opposing dynamic, so the CRB has a big challenge. We must therefore not be too hard on ourselves in finding exactly where to be on that line. Some things will go well, and some will just need to be looked at after a few years of practice—I really believe that. We are not going to get it all right, because of the complexities and different dynamics along that line.
Carla Baker: This debate about whether SMEs should be involved or regulated in this space has been around since we were discussing GDPR back in 2018. It comes down to the systemic nature of the supplier. You can look at the designation of critical dependencies. I am sure you have talked about this, but for example, an SME software company selling to an energy company could be deemed a critical supplier by a regulator, and it is then brought into scope. However, I think it should be the SMEs that are relevant to the whole sector, not just to one organisation. If they are systemic and integral to a number of different sectors, or a number of different organisations within a sector, it is fair enough that they are potentially brought into scope.
It is that risk-based approach again. But if it is just one supplier, one SME, that is selling to one energy company up in the north of England, is it risk-based and proportionate that they are brought into scope? I think that is debatable.
Andrew Cooper (Mid Cheshire) (Lab)
Q
I can imagine that the legislation has been worded as it is to try to capture that situation where activity might occur, but not have an impact. Would you accept that that is important, and how would that fit in with the tiered approach that you described?
Carla Baker: I completely get your point. We have looked at that; my legal colleagues have looked at things such as spyware, where you have malware in the system that is not doing anything but is living there, for example, or pre-emptive, where they are waiting to launch an attack, and we think this amendment would still cover those scenarios. It is not necessarily cause and impact: the lights have not gone out, but if there is, for example, a nation state actor in your network, we think the amendment would still cover that.
Dr Spencer
Q
Chris Parker: Yes, absolutely.
Carla Baker: Yes, completely. That is similar to my point, which was probably not explained well enough: how you are deemed critical should be more about your criticality to the entire ecosystem, not just to one organisation.
Dr Spencer
Q
Carla Baker: I think that is part of the issue about not having clear criteria about how regulators will designate. That also means that different regulators will take different approaches, so we would welcome more clarity and early consultation around the criteria that will be used for the regulators to designate a critical dependency, which prevents having different regulatory approaches across the 12 different regulators, which we obviously do not want, and gives greater harmonisation and greater clarity for organisations to know, “Okay, I might be brought in, because those are the clear criteria the Government will be using.”
David Chadwick
Q
Chris Parker: The consultation has been a best effort and I think it is a best effort as a function of three things. First, we have a new sector, a new Bill—something very new, it is not repeating something. Secondly, we are doing something at pace, it is a moving target, we have to get on with this, and so there is some compulsion involved. Thirdly, there are already some collaborative areas set up, such as techUK, that have been used. Would I personally have liked to have seen more? Yes—but I am realistic about how much time is needed; when you only have a certain resource, some people have got to do some writing and crafting as well as discussing.
One thing that we could look at, if we did the process again, would be more modelling, exercising and testing the Bill until it shakes a bit more—that is something that perhaps we could do, if we were to do this again. With the Telecommunications (Security) Act 2021, that was done at length and collaboratively with industry, on a nearly fortnightly basis, for some time. Beyond that, I think that we are realistic in industry because we understand the pressures on the people trying to bring legislation in. A second point to remember is that we are all volunteers. Carla and I, and all those on the Cyber Resilience Committee, volunteer away from our day jobs—which are busy—to do all this. There is a realistic expectation, if you like—but I would say there has been a best effort.
Carla Baker: I would like to look to the future. We have all the secondary legislation that is coming—and there will be lot—so we recommend early insights, and time to review and consult, in order to provide that industry insight that we are happy to provide. Let us look to the secondary legislation and hope that there is good consultation there.
The Chair
If there are no further questions from Members, I will thank the witnesses for their evidence. We will now move on to our final panel.
Examination of Witness
Kanishka Narayan MP gave evidence.
The Chair
We will now hear oral evidence from the Minister for AI and Online Safety, Kanishka Narayan. For this session, we have until 5.10 pm.
Dr Spencer
Q
Kanishka Narayan: Thank you for the question on definitions. I have two things to say on that. First, observing the evidence today, it is interesting that there are views in both directions on pretty much every definitional question. For example, on the definition of “incident thresholds”, I heard an expert witness at the outset of the day say that it is in exactly the right place, precisely because it adds incidents that have the capability to have an impact, even if not a directness of impact, to cover pre-positioning threats. A subsequent witness said that they felt that that precise definitional point made it not a fitting definition. The starting point is that there is a particular intent behind the definitions used in the Bill, and I am looking forward to going through it clause by clause, but I am glad that some of those tensions have been surfaced.
Secondly, in answer to your question on consultation, a number of the particular priority measures in the Bill were also consulted on under the previous Government. We have been engaging with industry and, in the course of implementation, the team has started setting up engagement with regulators and a whole programme of engagement with industry as well.
Dr Spencer
Q
Kanishka Narayan: I have met a number of companies, but the relevant Minister has also had extensive engagement with both companies and regulators, including on the question of definitions. I do not have a record of her meetings, but if that is of interest, I would be very happy to follow up on it.
Dr Spencer
Q
Kanishka Narayan: I am referring to the Minister for Digital Economy, who is in the other place.
Dr Spencer
Q
Kanishka Narayan: I have had some meetings but, as the Minister in charge of this Bill, she has been very engaged with businesses, so I think that is fitting. We have obviously worked very closely together, as we normally do, in the course of co-ordinating across the two Chambers.
Dr Spencer
Q
Kanishka Narayan: I have spoken to the Secretary of State about the Bill, including the reserve powers, and we have agreed that the policy objective is very clear. I do not think I am in a position to divulge particular details of policy discussions that we have had; I do not think that would be either appropriate or a fitting test of my memory.
Dr Spencer
Q
Kanishka Narayan: I think the guardrails in the Bill are very important, absolutely. The Bill provides that, where there is an impact on organisations or regulators, there is an appropriate requirement for both deep consultation and an affirmative motion of the House. I think that is exactly where it ought to be, and I do not think anything short of that would be acceptable.
Chris Vince
Q
Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.
On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.
Bradley Thomas
Q
Kanishka Narayan: I am shy of making comments on specific incidents, but as a broad brush, clearly the food supply or automotive manufacturing sectors are not directly in scope of the Bill, for reasons I am very much happy to discuss.
Bradley Thomas
Q
Kanishka Narayan: Let me place the focus of this Bill in the global context. As we have heard, there is a range of legislative as well as non-legislative measures on cyber-security. It is deeply important that every organisation, whether in scope of the Bill or not, acts robustly, and we will look at that, not least through the cyber action plan, which I know industry welcomed earlier today and which we are looking forward to publishing very soon.
The particular focus of this Bill is on essential services, the disruption of which would pose an imminent threat—for example, to life and to our economy—in the immediate context. For reasons that we can dive into, if you look at a market such as food supply, the diversity, competitive nature and alternative provision in that market are so obvious that to designate it as fitting the definitional scope I have just highlighted would not be an evidence-led way of engaging.
Bradley Thomas
Q
Kanishka Narayan: As I have said, this legislative vehicle is focused on really high standards of rigour for essential services. I am very keen to ensure that, in the first instance, we are engaging with those companies through the cyber action plan and the National Cyber Security Centre’s framework and to ensure that, as a consequence of those, they are in a robust place.
Bradley Thomas
Q
Kanishka Narayan: This is a great question. There are two things on my mind. One is that the Government have published a cyber action plan, the crux of which is to make sure that, from the point of view of understanding, principles, accountability and, ultimately, skills, there is significant capability in the public sector. The second thing to say is that we have a very broad-based plan on skills more generally across the cyber sector, public and private. For example, I am really proud of the fact that, through the CyberFirst programme, some—I think—415,000 students right across the country have been upskilled in cyber-security. It is deeply important that the public sector ensures that we are standing up to the test of hiring them and making the attraction of the sector clear to them as well. There is a broad-based plan and a specific one for the public sector in the Government context.
Tim Roca
Q
Kanishka Narayan: That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.
The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.
Lincoln Jopp
Q
Kanishka Narayan: Do you mean operators of essential services, or critical suppliers, as in the third party element?
Lincoln Jopp
I meant operators of essential services.
Kanishka Narayan: The Bill effectively specifies operators of essential services as large participants in the essential services sectors. I think that that definition is very straightforward. The hospital in this question would be an operator of an essential service. If the question extends to critical third party suppliers—
Lincoln Jopp
Q
Kanishka Narayan: There are two things to say on this. There is at least a four-step test on the face of the Bill for what would qualify as a critical supplier. First, a critical supplier has to supply to an operator of an essential service, in this case the hospital. Secondly, the supplier itself must engage with important network and information systems. Thirdly, the disruption to that third party supplier would have to cause a material disruption to the operator in question—in this case, if the third party supplier falls over from a cyber-security point of view, there would be material and business continuity disruption to the hospital. Fourthly, not only that, but that disruption would have to be sufficiently severe in its impact to be in scope. That is one set of things. Underlying that is a further test in the Bill, whereby alternative provision of that third party supply could not be secured in a practicable way. The combination of those tests means that the scope set out for the critical third party suppliers is extremely tight and robust.
Then there is still the question, having gone through that five-step test, of the particular burden placed on relevant suppliers in scope. My expectation and hope would be that regulators take a much more proportionate approach there than to set the precise same conditions on those suppliers as they do on the operator in question; in particular, that the burden on them is placed specifically in sight of the directional risk that they pose to the operator, rather than the risk in sum for that third party supplier.
The first thing is therefore that the Bill clearly specifies a very tight scope. The second is that it does not seem to me, as a relative novice to both the medical world and cyber-security, unusual to have a specification of this nature in a Bill. Given my professional context, I am particularly conscious of the very clear and critical third party comparable requirement in the Financial Services and Markets Act 2000, which focuses on both cyber-security and supply chain risks. That has worked relatively proficiently in that context, so I hope that there are some good lessons to learn from that.
Lincoln Jopp
Q
Kanishka Narayan: The way in which I would envisage it is that each individual regulator assesses the critical nature of the risk posed to its regulated operators. If a hospital has a third party supplier, and the presence and nature of its supply means that there is a critical risk exposure for the hospital, that would be in scope for some degree of regulation in the Bill. To your question, if there is a comparable but separate hospital in a part of England that is separately regulated, but has the same third party supplier, there is obviously a question of whether that third party supplier would end up being regulated twice if the criticality threshold is met. In that instance, and in other similar instances of multiple regulators covering the same third party supplier, I would expect a high degree of co-ordination. In fact, the provisions in the Bill, as well as my hopes for subsequent guidance, are focused on our efficiency and proportionality when there are multiple regulators. However, I think the assessment has to be undertaken by each regulator on a separate basis, because the question being assessed is not the nature, the sum risk, of the third party supplier in itself, but the risk posed by its relationship to the operator it is providing to—if that makes sense.
Lincoln Jopp
Q
Kanishka Narayan: Yes, I guess, added together in the sense that they would be separately regulated, but they would all come within the scope of the regulations. Where there is an overlap in the party being regulated, my hope is that the Bill provides for individual regulation, but is very much open to the prospect of a lead regulator engaging in a softer way with the other regulators, as long as each regulator feels that that has assured them of the risk.
Andrew Cooper
Q
We have heard quite a bit about how important it will be, if taking a sectoral approach, to make sure that sharing information between regulators works smoothly, and that there are no information silos. The witness from Ofcom talked about an annual report to the National Cyber Security Centre. That sent chills down my spine, though I am sure she did not mean it quite in that way. How will you ensure that there is an adequate flow of information between regulators in a timely manner? They might not realise that there is cross-sectoral relevance, but when that information is provided to another regulator, it might turn out that there is. How do you address the importance of a single point of reporting that we heard about time and again from witnesses today?
Kanishka Narayan: Those are really important points. In terms of supporting the quality, frequency and depth of information sharing, first, the Bill provides the legal possibility of doing that in a deeper way. It gives the permission and the ability to do that across regulators.
Secondly, in the light of the implicit expectation of that information sharing, the National Cyber Security Centre already brings together all the relevant regulators for deeper conversation and engagement on areas of overlap, best practice sharing, and particularly the sharing of information related to incidents and wider risk as a result. I hope that will continue to be systematic.
On the question of a single reporting avenue, the National Cyber Security Centre, from an incident and operational point of view, is clearly the primary and appropriate location during the implementation of the Bill. From my conversations with the centre and its conversations with the regulators, I know there has been engagement to ensure that it remains a prompt venue for regulators to feed in their information.
Andrew Cooper
Q
Kanishka Narayan: The Bill currently says, “We are now giving you the power to be able to do information sharing.” The Bill, as well as other specific bits of wider legislation, has clear expectations on regulators to carry out their regulatory duty. If there appears to be a challenge in the frequency and quality of information sharing, we will of course look at whether we need to go further, but at the moment, giving them substantive permission and the fact that they have clear regulatory responsibilities individually is a very powerful combination.
David Chadwick
Q
Kanishka Narayan: As I mentioned at the outset, the scope of the sectors is focused on a specific test: are they essential services, the disruption to which could cause an immediate threat to life or have an extremely significant impact on the day-to-day functioning of the country? I do not mean to diminish the significance of electoral services, but, notwithstanding their significant impact on me as a candidate on election day, the test does not appear to be met.
David Chadwick
Q
Kanishka Narayan: It is absolutely critical that boards take their responsibilities to the organisation and the consequences of being in a regulated sector very seriously. The scope of the Bill has been mentioned. The Secretary of State wrote to FTSE 350 businesses, as well as a range of small businesses, to make that point very clear. The cyber assessment framework has particular requirements for boards to take their cyber-security responsibilities seriously. In the course of implementing the Bill and in the secondary legislation process, we will look to ensure that specified security and resilience activities, including the possibility of specific responsibilities, are set out very clearly.
Dr Gardner
Q
Kanishka Narayan: It is an important point. We know that the quality of current regulation for cyber-security varies across regulators. As an earlier panellist said, there is virtue in the fact that we have not set an effective cap on where regulators can go by having a single standard. At the same time, we need to make sure that we are raising a consistent floor of quality and proportionality judgments.
First, there is obviously constant oversight of each regulator through the lead Departments. In my case, for example, we consistently engage with Ofcom on a range of areas, including this one, to ensure the quality of regulation and that proportionality judgment is appropriately applied. Secondly, there is a clear commitment in the Bill for the Secretary of State to report back, on a five-year basis, on the overall implementation of the regime proposed in the Bill. That will be when we can get a global view of how the whole system is working.
The Chair
That brings us to the end of the time allotted for the Committee to ask questions, and to the end of the sitting. On behalf of the Committee, I thank the Minister for his evidence.
Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)
Railways Bill (Ninth sitting)
Tuesday 3rd February 2026
(1 day, 12 hours ago)
Public Bill CommitteesRailways Bill 2024-26 View all Railways Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
The Committee divided: - Ayes: 5 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 6 / Noes: 9 - Question accordingly negatived.
The Chair
Before we begin, I remind Members to switch their electronic devices to silent. Tea and coffee are not allowed during the sittings. I remind Members that the selection and grouping documents show the way in which amendment and new clauses have been arranged for debate. Any Divisions on amendments and new clauses will take place in the order in which they appear in the amendment paper.
Clause 25
Designation of services by Secretary of State
Jerome Mayhew (Broadland and Fakenham) (Con)
I beg to move amendment 226, in clause 25, page 14, line 9, at end insert—
“(1A) When designating railway passenger services, the Secretary of State must—
(a) take account of—
(i) the Rail Freight Target under section 17, and
(ii) the Infrastructure Capacity Plan under section 60; and
(b) demonstrate that designations under this section cause no unreasonable detriment to rail freight capacity or growth.”
This amendment requires that passenger service decisions are made in the context of network capacity and freight increase priorities.
The Chair
With this it will be convenient to discuss the following:
Clause stand part.
Amendment 227, in clause 26, page 14, line 33, at end insert—
“(1A) When designating railway passenger services, the Scottish Ministers must—
(a) take account of—
(i) the Rail Freight Target under section 17, and
(ii) the Infrastructure Capacity Plan under section 60; and
(b) demonstrate that designations under this section cause no unreasonable detriment to rail freight capacity or growth.”
See explanatory statement for Amendment 226.
Clause 26 stand part.
Amendment 228, in clause 27, page 15, line 20, at end insert—
“(1A) When designating railway passenger services, Welsh ministers must—
(a) take account of—
(i) the Rail Freight Target under section 17, and
(ii) the Infrastructure Capacity Plan under section 60; and
(b) demonstrate that designations under this section cause no unreasonable detriment to rail freight capacity or growth.”
See explanatory statement for Amendment 226.
Clause 27 stand part.
Jerome Mayhew
Thank you, Mrs Barker, for chairing the debate. It is great to see everyone back in the room.
Clause 25 requires the Secretary of State to designate the railway passenger services for which Great British Railways should be responsible. Designation is the mechanism for assigning responsibility for running passenger train services. The Secretary of State, Scottish Ministers and Welsh Ministers each have designation powers to set out services that GBR or others, including ScotRail, may run for them. Ministers can exempt services from these designations, thereby allowing them to be devolved to other authorities such as Transport for London. Designation also underpins the delineation of relevant powers and requirements in relation to those services, such as the discount fare schemes that we are going to discuss with clause 34.
The clause requires the Secretary of State to designate the railway passenger services for which GBR should be responsible. It excludes Scotland-only and Wales-only services, as well as services exempted under clause 28. Again, there is a reference to Transport for London, among others, being exempted from designation by the Secretary of State. It also clarifies that the Secretary of State is not required to designate services, even if parts of them are already designated by the Scottish or Welsh Ministers.
The explanatory notes state:
“The new Secretary of State designation is expected to be succinct and will not provide route nor timetable-level detail. This will ensure GBR has sufficient flexibility to act as a directing mind and plan best use of the network in the public interest and in accordance with its duties…All designations and changes must be published.”
The Government’s notes on the clause describe GBR as the “directing mind”, yet all its powers are able to be second-guessed by the Secretary of State, including the designation of services. That really prompts the question once again, who is the directing mind? Is it GBR or the Secretary of State?
The seeds of GBR’s failure as a directing mind are already being drafted into the text of the Bill. We have already seen all the Secretary of State’s rights to provide “guidance”, then to “direct” in clauses 7 and 9, as well as the long-term rail strategy in clause 15 and the decision on the provision of funding. This is Department for Transport management of the nationalised railways by the back door, confirming the suspicion that GBR will be, or is at risk of being—I hope it is not—the worst of both worlds. These are costs associated with a stand-alone organisation, coupled with the costs of a DFT shadow organisation that over time will grow again to second-guess GBR as catered for in this Bill. It is not just about the cost; it is about the delay, the obfuscation, the inability to decide whether a decision has actually been made and the second-guessing of decisions. That is death to dynamism in an organisation.
The railways obviously have two functions: passenger services and freight. Amendment 226 will make clear that any designation of passenger services will need to have taken account of freight and demonstrate that freight is not caused unreasonable detriment to capacity or future growth. The amendment is clearly in the interests of the common cause to make freight growth a target for GBR, which the Government agree with. It is impossible to deal with either passenger or freight without having regard to the other. That mutual regard is missing from the Bill, and this amendment supplies the necessary focus, so I shall seek to divide the Committee on it.
I move now to clause 26 and amendment 227. We recognise that, at present, Scotland funds and controls Scotland-only services. Scotland can and does designate cross-border services where it has an operational interest. Scotland must consult with the Secretary of State but, ultimately, has autonomy on Scotland-only designations. Clause 26 requires Scottish Ministers to designate Scotland-only railway passenger services and particular cross-border services—either those that they consider should be provided together with Scotland-only services or existing cross-border services designated to them before the Bill comes into force. It ties into clause 31, where Scottish Ministers can provide the designated services themselves or make direct awards under regulation 17 of the 2023 transport regulations.
In this instance, “Scotland-only services” refers to passenger services that start and end in Scotland and do not make a scheduled call in England or Wales. It provides flexibility for the designation to be made either for specific services or for services of a particular class or description. It also allows Scottish Ministers to designate cross-border services where they consider those services should be provided in conjunction with designated Scotland-only services. It is also worth noting that the clause excludes from designation any services exempt under regulations made under clauses 28 or 29, and requires consultation with the Secretary of State before designation, variation or revocation. It is my understanding that very limited designations are reserved to the UK Government. They lay primarily around open access and freight. Those two areas, I suspect, we will enter into discussions at length later in the Committee.
On cross-border services, it is eminently sensible that the UK and Scottish Governments co-ordinate strongly on this. A later amendment to another clause relates to the allocation of ticket sales on a proportionate basis, to ensure that UK and Scottish Governments—in the fullness of time, we will discuss the Welsh Government too—each get their fair share of funding. Amendment 227 would apply a duty to Scottish Ministers, similar to the one that amendment 226 would place on the Secretary of State, to take account of the rail freight target and the infrastructure capacity plan when considering passenger services. Depending on how the vote goes on amendment 226, I will take a view on whether it is worth proceeding to another Division on amendment 227.
Finally, I turn to clause 27 and amendment 228. It is a broadly similar approach, but applies to designation of services by Welsh Ministers. Hon. Members can read the explanatory notes if they wish, but I am just going to take that as read. On first reading the clause, it seemed sensible; after all, Welsh Ministers are responsible for services that start and end in Wales. The cited example in the explanatory notes is the Cambrian line, which typically goes from Aberystwyth and Pwllheli to Shrewsbury or Birmingham International. These services will, on occasion, terminate at Machynlleth. The Heart of Wales line goes between Swansea and Shrewsbury, and Holyhead services will typically end in England. The Welsh Government will have only a handful of services exclusively in Wales. That is a substantially different from Scotland. Those services are the Core Valley lines, the dedicated Swansea to Cardiff route and the Blaenau to Llandudno route—only three. All other services that start in Wales will generally run into England, which poses a significant challenge for the allocation of moneys from ticket sales.
The Minister may find it useful to outline the practical management of cross-border rail services, and how the Welsh Government’s operator can operate with a degree of confidence when it must report to both Governments, but exists under only one. That is a genuine tension, which I would be grateful if the Minister could explain the Government’s thoughts on.
Amendment 228 is similar to amendments 226 and 227. I will not repeat my arguments, but there is a qualitative difference between the situation in Scotland and that in Wales. It will have a significant impact on revenue sharing, where 97% of all routes for the Welsh Government contain an English element. I would be grateful if the Minister could consider that.
The Parliamentary Under-Secretary of State for Transport (Keir Mather)
Good morning, Mrs Barker, and to everybody—another day in Committee. I thank the hon. Member for Broadland and Fakenham for these amendments, which seek to ensure that the designation of passenger services does not negatively impact rail freight or undermine GBR in network capacity planning activity.
I hope it is helpful if I clarify that clauses 25 to 27, which set out designation powers of the Secretary of State and devolved Ministers for passenger services, only describe a very high-level mechanism for assigning responsibility for passenger services. For example, the designation helps make clear who is responsible for the service. Further clarity is provided by exemption from designation to show where services have been devolved to other authorities, such as to mayoral strategic authorities or Transport for London. Designation is not a detailed service specification, nor does it determine network access or capacity allocation.
Last week, we published a draft of the Secretary of State’s designation letter to help clarify that, and copies are available in the room today. Ministers’ designation powers do not override or conflict with GBR’s role in determining network access. The access decision process requires GBR to balance passenger and freight needs. The safeguards in the Bill, including the statutory duty to promote rail freight or the ORR’s oversight and appeals body to protect fare freight access are also unaffected by designation. The amendment is therefore impractical and unnecessary and would not achieve its intended purpose in practice.
Protecting rail freight, which I fully endorse, is already enshrined within the Bill. For absolute clarity, I must emphasise that the access clauses in the Bill set out the stages through which network access is determined. It is not determined or affected by designation. The access clauses include producing the infrastructure capacity plan, which will set out GBR’s view of how best to use GBR’s infrastructure to accommodate freight, open access and publicly funded passenger services, as well as maintenance and improvement of the network. GBR will take into account its infrastructure capacity plan when allocating capacity. In comparison, designation is simply the method of determining whether a service should be devolved to, for example, a local authority, or maintained by the Secretary of State and run by GBR. I therefore request that the hon. Member withdraw the amendment.
Clause 25 requires the Secretary of State to designate railway passenger services for which GBR should be responsible. Designation is the mechanism by which responsibility for who should run passenger rail services is determined. Clauses 26 and 27 replicate this, but for Scottish and Welsh Ministers respectively. The Secretary of State, Scottish and Welsh Ministers each have designation powers to set out services which GBR or others—including Transport Scotland or Transport for Wales—may run for them. Designation powers will also assist in providing clarity about which Minister has responsibility to provide, or contract for, cross-border services. Ministers can also exempt services from these designations, which is the way that services can be devolved to mayoral strategic authorities. That was the mechanism used to allow Transport for London to run its devolved service. As I have mentioned, the new Secretary of State designation is expected to be succinct and will not include route level or timetable detail. Designation is therefore entirely separate from access or timetabling decisions.
Jerome Mayhew
As I intimated previously, I will put the first amendment to a Division and then we will take a view after that.
Question put, That the amendment be made.
Keir Mather
Clauses 28 and 29 enable the Secretary of State and Scottish and Welsh Ministers to exempt certain railway passenger services from designation. Exempting a service means that the Secretary of State or devolved Ministers will not be responsible for that service. Instead, responsibility can be devolved to someone else—for example, a mayoral strategic authority—for them to run or contract out the service. That mechanism preserves the existing approach for devolving services to mayoral strategic authorities and their transport agencies, such as Transport for London or Merseytravel, and for light rail networks such as in Greater Manchester. The Secretary of State cannot exempt Scotland-only or Wales-only services, because those fall under the devolved responsibilities of Scottish and Welsh Ministers. Clause 29 allows devolved Governments to determine which services fall outside designation, offering flexibility in managing their respective networks.
These clauses are necessary to ensure that there is still a way to devolve services, where that can bring benefits and is the best outcome for the network. Exemptions must be made by regulations, ensuring that the allocation of responsibility for passenger services is transparent. Clause 30 provides supplementary provisions for exemptions under clauses 28 and 29. It allows exemptions to apply to specific persons, classes of persons, services generally or parts of services. Exemptions may be conditional or time-limited, so that decisions to devolve services can be tailored to the specific circumstances on a case-by-case basis.
Jerome Mayhew
You will be surprised to hear that I am going to canter through this, Mrs Barker. Clause 28 concerns the method by which the operation of passenger train services has been devolved. A good example is services operated by Transport for London and Merseyrail. It is clearly a sensible approach. There is only one clarification that I seek from the Minister. Paragraph 103 of the explanatory notes states:
“All existing exemptions from designations…will be retained.”
That, however, is not in the Bill. I would be grateful for the Minister’s clarification on the difference between the explanatory notes and the Bill. I am not looking for an amendment to the Bill, but his assurance on the Government’s intention. Clause 29 is similar, but relates to Scottish and Welsh Ministers. I see no need to change it as drafted. It sits in line with clause 28 and seems not to act in contravention of the devolution settlement.
Clause 30 clarifies that exemptions made under clause 28 by the Secretary of State, or clause 29 by the Scottish or Welsh Ministers, may apply to specific persons, classes of persons or services generally. I have no objection to the clause, but out of interest, I would be grateful if the Minister could explain in what circumstances the clause would be useful.
Keir Mather
I can start by confirming that existing exemptions from designation will be retained. I hope that provides an assurance to the shadow Minister. The powers could be used to allow devolved Administrations to determine which services fall outside of designations, and therefore give them flexibility in meeting the needs of passengers relying on services that otherwise could fall through the cracks. I hope that, having provided the shadow Minister with that assurance, he can support these clauses.
Question put and agreed to.
Clause 28 accordingly ordered to stand part of the Bill.
Clauses 29 and 30 ordered to stand part of the Bill.
Clause 31
Provision of railway passenger services
Jerome Mayhew
I beg to move amendment 41, in clause 31, page 16, line 30, leave out from “so” to “, in” in line 31 and insert
“by making a direct award of a contract to Great British Railways, a GBR company, or a private business.”
This amendment would allow private sector companies to operate train services on behalf of the Secretary of State.
The Chair
With this it will be convenient to discuss the following:
Government amendments 170 to 172.
New clause 6—Repeal of the Passenger Railway Services (Public Ownership) Act 2024—
“The Passenger Railway Services (Public Ownership) Act 2024 is repealed.”
This new clause repeals the Passenger Railway Services (Public Ownership) Act 2024 so that train services can continue to be provided by private companies.
Clause stand part.
Amendment 44, in clause 32, page 17, line 35, leave out subsection (3).
This amendment requires pre-award publication of public service contracts.
Clause 32 stand part.
Jerome Mayhew
Clause 31 has a bit more meat to it than the previous half dozen or so clauses. We are looking at the provision of railway passenger services. The clause provides that the Secretary of State may only secure delivery of the passenger services designated under clause 25 through GBR or a GBR company by directly awarding a public service contract to GBR or a GBR company in accordance with regulation 17 of the Public Service Obligations in Transport Regulations 2023.
Similarly, the clause grants Scottish and Welsh Ministers two options for delivering their designated services under clauses 26 and 27: either by providing the services directly or by securing their provision through a direct award of a public service contract to one or more public sector companies, including to GBR or a GBR company, in accordance with the 2023 regulations. The powers to provide services directly could also be used in conjunction with clause 4 to enable GBR to operate services on behalf of Welsh or Scottish Ministers.
Subsection (5) provides that, where passenger services are secured through a contract with a joint venture, subsidiary of GBR or GBR, clauses 7 to 10, 13 and 16 to 18—the directions and guidance and GBR’s duties—apply to the provision of those services in the same way as if GBR was performing the contract itself. Subsection (6) ensures that the relevant Ministers have the power to operate network services, station services and light maintenance services, as well as to store and consign goods transported by rail, to enable their responsibility for passenger services. Finally, subsection (7) provides that the obligation to provide or secure the provision of a service under the clause does not give rise to civil liability for breach of a statutory duty.
There is an obvious elephant in the room. The clause implies that GBR, one of its subsidiaries or the respective devolved Government-run rail operators are the only efficient and permitted provider of rail services. The public sector is the only permitted provider of rail services, but that should not be the case. There are many very efficient providers of rail services that are being excluded even from consideration by the wording of the Bill. There may be some instances where private operations are best placed to offer a service, either now or in the future, where they can drive innovation and growth, just like open access has.
Restricting awards by primary legislation to GBR companies provides damaging constraints on the flexibility of future Secretaries of State. If a circumstance exists in the future where a private sector operator is able to offer a better service for a lower cost to the taxpayer, why should the Secretary of State of the day be prevented by primary legislation from making such an award? What is the rationale that the Minister can come up with, beyond union pressure and the Labour party distrust of profitable businesses? What is the danger that this primary legislation is seeking to protect the rail industry from by removing any ability of the Secretary of State of a future Government to award a private sector contract in any circumstances, including those we may not yet have foreseen? It is clearly a bad decision.
Amendments 41 to 43 grant maximum flexibility to a future Secretary of State, which is surely what we want, as well as to Scottish and Welsh Ministers, to make an award to the organisation best placed to undertake the operation, whether it be public or private. Amendments 42 and 43 were grouped with clause 18, so they have already been debated, but they are relevant to this clause as well. These amendments do not mandate the Government to permit private passenger services; they simply allow them flexibility. There may well be opportunities for the private sector to operate passenger services, and why not combine the very best of public and private and allow that provision to exist under the auspices of GBR? The amendment would allow Welsh and Scottish Ministers to do the same, as flexibility is a very important tool in the Government’s arsenal. It is only right that devolved Governments also have the ability to decide, if they so wish—they are not required to—to have private operators as well.
Our approach allows the principle of private investment driving growth, innovation and expansion to be an element of GBR as it progresses. After all, it will rely on the private sector rolling stock providers for its fleet, and private sector supply chain and infrastructure providers to support its Network Rail function, and presumably it will incorporate other private sector elements around freight and open access, so it is only logical that it allows itself the flexibility to strengthen passenger services by having private sector investment, which is more likely to take risks under the GBR banner.
If the Government disagree with that assessment, I would like to hear their rationale. Why do they accept the private sector in all the other parts of the industry that I have just listed, but believe that this sector alone is required to be protected from the private sector so much that the Government have to use primary legislation to tie the hands of every future Secretary of State in every circumstance?
Rebecca Smith (South West Devon) (Con)
My hon. Friend’s comments provoke the question, is it a concern that the lack of flexibility for the Secretary of State will mean that there is no space for private sector companies in this role in the future? Ultimately, given the measures set out in the Bill, and that the opportunity to give access to other private businesses is entirely in the hands of the Secretary of State, it is potentially foreseeable that there could be no private involvement in the future, which would be a problem.
Jerome Mayhew
It is a genuine and legitimate concern of private sector rail operators that the tenor of the Bill will design out private sector and open access operators. Through the capacity duty and the ridiculous lack of an appeals process for GBR decisions, they have designed in a structural conflict of interest, in that GBR is both an operator and the quasi-regulator of its own operations. They will be making decisions without an effective appeal right for access and charging of their direct competitors. That is a genuine and legitimate fear, if the Government do not stop and listen to many experts in the industry.
Amendments 41, 42 and 43 would allow private sector companies to operate train services on behalf of the Secretary of State, the Scottish Ministers and the Welsh Ministers, respectively. I will press them to a vote if I get the opportunity.
Government amendments 170 and 171 provide for the Welsh Ministers to have the power to award a public service contract to any public sector company when exercising the Secretary of State’s function under clause 31(1). Government amendment 172 would apparently remove a provision that is unnecessary—I will take the Government’s word for that because I do not have it in front of me.
New clause 6, which is in my name, would repeal the Passenger Railway Services (Public Ownership) Act 2024, as the title suggests, so that train services can continue to be provided by private companies as well as GBR. We have always maintained that the Government should act as the operator of last resort and allow any organisation, public or private, to provide the highest standard of railway services.
We should step back from ideological certainty one way or the other—whether it is about having a nationalised business or a privatised one—and approach ownership structures based on what works supported by data, not intuition. I fear that this Government are driven by ideology, which is very evident in clause 31, and by their union supporters—I wrote down “paymasters”, but I feel that the tone of the Committee would not permit me to make that assertion; we are all too close to each other—to whom they are far too close to insist on nationalisation irrespective of evidence to the contrary. Passenger numbers have exploded under privatisation and there are popular open-access routes. Those are social goods; they are supporting our constituents to have a better experience on the railways. The Government appear to be seeking to deny that for the future.
I do not expect immediate Government support, but new clause 6 makes clear our rejection of the Government’s “nationalisation or bust” approach—it is more likely to be nationalisation and bust. For that reason, I wish to press new clause 6 to a vote.
Clause 32 relates to contracts awarded under clause 31, which we have just been talking about. It provides flexibility for the Secretary of State or the Scottish or Welsh Ministers to include financial arrangements, operational requirements and property-related obligations within the contract. It ensures that contracts can be tailored to meet the operational and strategic needs of the train service, and provides that obligations to publish pre-award information under regulation 22 of the 2023 transport regulations, which we have already referred to, do not apply to direct awards.
The removal of pre-award publications significantly reduces transparency around direct awards. That is a problem because it prevents external scrutiny of value for money and limits the ability of operators or stakeholders to challenge ineffective or poorly structured contracts. This is the public sector not publishing information about cosy contracts with other public sector organisations, thereby not exposing themselves to critique. Where is the transparency here? The explanatory notes merely restate the lack of a publication requirement; they do not justify why this reduced transparency is necessary or what safeguards will exist in its place. The clause means that the private sector will be unable to critique the operations or question the value for money achieved by the public sector negotiating with itself.
Amendment 44 removes clause 32(3). That will require the pre-award publication of public service contracts to facilitate the application of private sector companies in bidding for contracts. It would also allow the private sector to critique the performance of the public sector. Without publication—all too cosy—and with no ability for external challenges on the provision of services or on value for money, we will lack transparency, which, I am afraid, is a theme that has run through so much of our discussions. I will seek to divide on that; it is an important point.
Olly Glover (Didcot and Wantage) (LD)
It is a pleasure to serve under your chairship, Mrs Barker. I have some brief comments on the Conservative spokesperson’s amendments.
Olly Glover
Apologies. One recognises one’s status.
We agree with the shadow Minister on the principle that it should not be about ideology between the public and private sectors. We have argued that consistently in the past. If it was so simple that nationalising train operators would lead to transformative performance improvements, Northern would be a globally inspiring example. I realised this morning that this month it reaches its half-decade anniversary of being in the public sector and, certainly for friends of mine in the north, it remains some way from being a globally leading example. That highlights the fact that public and private sector ideology is but one factor needed to give excellent rail services.
I wonder whether some of the shadow Minister’s amendments are perhaps fighting yesterday’s war. Of course we should all continue to advocate for what we believe, but it seems unlikely that—in the near future at least—there will be a change in approach to the core train operating companies’ being franchised out. Perhaps, rather than relitigating that, we need to focus on other aspects of the Bill, as indeed he has done, and on how we can make the new world better—particularly by removing the Secretary of State’s ability to interfere too much. I wonder what the shadow Minister and Government Minister have to say about that.
Keir Mather
May I begin by saying that I hope the shadow Minister can forgive my initial sluggishness on this drab Tuesday morning, because he asked a perfectly reasonable question about the application of the clause when we debated it last. I did not give him an adequate answer so, if you do not mind me looking retrospectively for a moment, Mrs Barker, I would like to inform him that all existing designations are unconditional. The clause is not there to be used often. However, it replicates an existing power, with the idea being that if the Secretary of State wanted to exempt a service to a new local authority that had not had an exemption before, she might wish to provide a time limit to check how it was performing before granting a longer-term exemption. I hope that is a sufficiently adequate answer to his perfectly reasonable question.
I will now speak to the amendments tabled in my name. Amendments 170 and 171 enable Welsh Ministers to continue securing rail services in the Wales and borders region on behalf of the Secretary of State. Welsh Ministers will do that by contracting Transport for Wales to run the services. That will ensure that passenger services that cross between England and Wales every day continue to connect communities, contributing to economic growth. Without these amendments, the Secretary of State would be forced to abandon existing agency arrangements and procure all the services that she designates exclusively through Great British Railways, including English sections of the services currently operated by Transport for Wales. That is inefficient, and contrary to the collaborative spirit of devolution. This is about making the system work, not creating barriers where none need exist. The amendments were always intended to be part of the Bill, and we are correcting that now. The amendments strengthen the Bill by preserving today’s devolved responsibilities once GBR is established. That will ensure that Transport for Wales can continue running services into England, maintaining reliability for passengers and ensuring connectivity.
The other amendment tabled in my name, amendment 172, is a minor and technical amendment that removes a redundant provision in the legislation. I am grateful to the hon. Member for Isle of Wight East for his parliamentary question in November 2025 regarding the policy rationale for that drafting, which helpfully drew it to our attention. I am pleased to confirm that it is no longer necessary.
Amendment 41 and new clause 6 are intended to reintroduce private sector companies running passenger services. The Government were elected on a clear manifesto commitment to return franchised passenger services to public ownership. Public ownership, with the whole system working to one clear set of objectives to improve reliability, performance and punctuality for passengers, is the only way to make the railway run better. I think we all agree that the current system simply is not working. However, the amendment and new clause seek to undo all the progress we have made so far. They could cause chaos on the railway and return us to the dark days of franchising, which did not perform for passengers or taxpayers. The Bill is not about re-debating the principles of public versus private; it is about getting on with this generational reform and delivering for passengers, freight users and taxpayers.
Finally, amendment 44 would require the Government and Scottish and Welsh Ministers to publish pre-award details of public service contracts at least a year in advance of entering into the contract. As I am sure the hon. Member for Broadland and Fakenham knows, publishing pre-award information a year in advance would be an unnecessary and impractical administrative burden. The focus for public service operators should be on efficient delivery and clear reporting rather than rigid pre-award timelines. The Government will continue to be required to act transparently by publishing relevant information about the contract, such as contract dates and the parameters of financial compensation, within two months of entering into the contract.
Given those points, I urge the Committee to support the amendments in my name and I hope that the hon. Member for Broadland and Fakenham will withdraw, or not move, his amendments. I also hope that the Committee supports clause 31, which sets out how designated services are to be provided, and clause 32, which sets out supplementary provisions for public service contracts awarded under clause 31.
The Bill makes it clear that the Secretary of State may assign responsibility for running her services only to Great British Railways or a GBR company. She can secure the provision of services by first designating them and then making a direct award of a public service contract to GBR or a GBR company. Public service contracts are a typical arrangement between public authorities and transport operators for providing public transport and are compliant with relevant subsidy control requirements. As clause 32 sets out, contracts may include a range of obligations, including those relating to additional railway assets, operational requirements and financial arrangements—for example, how any payments will be calculated, and performance targets.
Scottish and Welsh Ministers may either provide designated services directly in house or secure them through a direct award to one or more public sector companies, such as ScotRail or Transport for Wales. They also have the option to contract with GBR or a GBR company, which could unlock the integration of track and train in Scotland and Wales. Clause 31 also ensures that GBR’s duties apply to services operated by joint ventures or GBR subsidiaries under contract and gives Scottish and Welsh Ministers powers to handle freight goods where necessary.
Jerome Mayhew
The Minister’s response demonstrates an extraordinary lack of confidence by the Government in the efficacy of nationalisation—the very thing that they are seeking to promote in the majority of the Bill. All that amendments 41 to 43 would do is give the Secretary of State flexibility by making them able by law, in certain circumstances, to give a contract for passenger services to the private sector. They would not require it; they are not saying that this is a battle between privatisation and nationalisation. The only ideological battle here is by the Government, who are saying that it is impossible to conceive of any circumstance in which a private business might be able to offer better value for money for the taxpayer and a better service for passengers than a nationalised part of GBR. They are so concerned that a private business might be offered that opportunity, because they are overwhelmingly better, that they are seeking to legislate to tie the hands of every future Secretary of State.
Laurence Turner (Birmingham Northfield) (Lab)
Would the shadow Minister follow the logic of his argument as far as to say that the Conservative Government that passed the Railways Act 1993 were ideologically motivated and acted in an ideological manner, given that that Act barred the public sector from taking on franchises?
Jerome Mayhew
I was 23 at the time, and I certainly was not following every clause of the 1993 Act as it went through the House—I accept that that shows a shocking lack of dedication to my future career. We can re-argue the battles of the early 1990s or we can seek to learn from the mistakes of the past, if the hon. Gentleman claims that they are mistakes, but let us not repeat them in the opposite direction, which is exactly what the clause is intended to do. If he is right that that was a mistake then, on his own logic, it is equally right that this is a mistake, and I look forward to him supporting me as we vote on amendment 41.
Question put, That the amendment be made.
Jerome Mayhew
I beg to move amendment 45, in clause 33, page 18, line 9, leave out subsections (1) and (2).
This amendment removes the Secretary of State’s ability to give directions and set guidance as to the general level and structure of railway fares.
The Chair
With this it will be convenient to discuss the following:
Amendment 148, in clause 33, page 18, line 9, leave out subsection (1).
This amendment removes the power to give binding directions over fares.
Clause stand part.
Jerome Mayhew
The clause sets out that the Secretary of State or Scottish Ministers’ power to give directions to GBR under clauses 7 or 8 may be exercised to give a direction relating to fares. That direction could cover the general level and structure of fares that the Secretary of State or Scottish Ministers expect to see on the passenger train services that GBR is running on their behalf. Likewise, the Secretary of State or Scottish Ministers can use the power in clauses 9 or 10 to issue guidance about the general level and structure of fares. Clause 33(3) also allows for provision about the general level and structure of fares to be set out in the public service contract under clause 31, which we have just debated. That allows Ministers to manage overall fare levels on their designated services.
Clause 33 centralises control of fares in the hands of the Secretary of State, allowing Ministers—not GBR—to determine the general level and structure of fares. That cuts directly against the idea that GBR will operate as an independent guiding or directing mind, and leaves the organisation responsible for outcomes that it does not control. The clause provides no statutory principles, tests or transparency requirements for how fare decisions should be taken—by the Secretary of State, presumably —and recent written parliamentary questions 84697, 86756 and 86754 underline the risk built into the model. In response to the questions, Ministers were unable to define what the “right” fare means, they were unable to say which fares will go up or down under GBR, and they confirmed that all future fare decisions remain entirely at ministerial discretion.
If Ministers are to retain that power, the Bill needs at least a duty to publish the assumptions, criteria and objectives underpinning fare setting, so that decisions can be assessed against passenger growth and affordability. At the moment we have none of that. The clause is in complete contradiction to the assertion in the explanatory notes that the Secretary of State’s directions
“are intended to be used as a responsive tool for necessary course correction, rather than as a proactive tool to set requirements on GBR”,
or in other words,
“they are a last resort”.
The clause says, “No, that’s absolute rubbish. We’re not doing that. We’re keeping in the hands of the Minister the power to guide and then direct and establish what the right fares are.”
Daniel Francis (Bexleyheath and Crayford) (Lab)
Does the shadow Minister accept that in recent years, when Transport for London was negotiating its fare settlements, the previous Government dictated the level of fares that should be charged not just for the congestion charge, but for passenger rail services? The Conservative Secretary of State and Government were doing that very thing in negotiations with Transport for London for rail passenger services in London.
Jerome Mayhew
I think we have to decide what GBR is going to be. Is it going to be a stand-alone organisation that is trying to run itself efficiently, providing value for money for the taxpayer and hopefully, one day, a check on the Secretary of State? Or is it going to be a creature of the Department for Transport that is told what to do and having its decisions second-guessed? This is a big decision that the Government have to take.
The clause creates a huge risk of stasis, as GBR gets bossed around and becomes a passive recipient of instructions from the Department for Transport. I worry that it is a recipe for future disaster, so I have questions for the Minister. What factors will the Secretary of State take into account when deciding the general level and structure of fares? Why is the Secretary of State in a better position to take those decisions than GBR is, given the objects that she has set the organisation? What additional information will she use that is not available to GBR? I will be grateful for the Minister’s answer. At least it is clear that any future failure of the railways will be down to the Department for Transport and the Secretary of State, not to GBR, since the power to guide and then direct and then set fares lies expressly with the Secretary of State.
My amendment 45 would remove the Secretary of State’s ability to give directions and set guidance as to the general level and structure of railway fares, thereby preventing ministerial intervention in how fares are set and making that decision separate from political influence. When considering amendment 45, Rail Forum said:
“We support this as it should be for GBR, as an arm’s length body and the directing mind, to determine fares not the Secretary of State.”
Amendment 148 in the name of the hon. Member for Didcot and Wantage would remove the power to give binding directions over fares—another version of our approach.
The clause as drafted is overreach by the Department for Transport and exactly the kind of micromanagement that the Minister claims will not happen. Why do we need these powers?
Edward Morello (West Dorset) (LD)
It is an honour to serve under your chairship, Mrs Barker.
As the shadow Minister outlined, amendment 148 tabled by my hon. Friend the Member for Didcot and Wantage is not overly dissimilar to Conservative amendment 45 in what it tries to achieve, but I will come at it from a slightly different angle. Clause 33, as drafted, gives the Secretary of State the power to issue binding directions to Great British Railways on the level and structure of fares. We have said many times that the Bill already grants the Secretary of State extensive influence over GBR. Allowing binding directions on fares risks tipping that influence into outright micro-management. It opens the door to the imposition of short-term political decisions, rather than long-term, evidence-based decisions about fares being made by those responsible for actually running the railways. It is a tool that can be misused, particularly in times of fiscal or political pressure.
Even if the current Government assure us that they would not misuse the power, the problem is that once it exists, it exists for all future Governments. I hope the Government will recognise the inherent risk in that and support amendment 148, thereby preventing not only themselves but all future Secretaries of State from being able to abuse the power.
Keir Mather
On the role of the Secretary of State in setting parameters for fares, we have had a lot of debate in the Committee about the need to ensure efficiency on behalf of taxpayers, who are also passengers on the railway. It is the Secretary of State who ultimately has the democratic responsibility to do so; therefore, it is right that the power exists to set broad parameters as they relate to fares. However, that process must be undertaken transparently. Parameters will be set through guidance and public service contracts, which will be published and open to scrutiny. The Bill says that the Secretary of State can direct on fares, but not that she will do so regularly. That is important to the point about overreach, and the exceptional circumstances in which direction might be a wise provision to have in the legislation. I will turn to that later.
Edward Argar (Melton and Syston) (Con)
Can the Minister give a few examples of the exceptional circumstances that might cause the power to be used?
Keir Mather
The right hon. Member is far too eager. I shall turn to that in due course.
Amendment 148 would prevent the Secretary of State and Scottish Ministers from issuing directions to GBR relating to fares, and amendment 45 would do the same for directions and guidance. I remind hon. Members that, as I said when we debated the directions and guidance clauses earlier in the Bill, the strategic parameters and guardrails that the Secretary of State will set for GBR on fares may not ultimately be delivered through directions and guidance by default.
Clause 33 already allows for provisions on fares parameters and guardrails to be included in public service contracts awarded to GBR for operating passenger services. Nevertheless, it is crucial that the Secretary of State retains the powers to direct and give guidance to GBR on fares. It is necessary that the Government and GBR alike can respond to exceptional circumstances, which may necessitate a swift reappraisal of the strategic approach to fares. That is precisely what the Secretary of State’s directions-making power allows for, supplemented by the ability to issue guidance, to ensure a clear and speedy response if there is a crisis or unexpected change in context.
Amendments 148 and 45 would remove those options for the Secretary of State and, in fact, for Scottish Ministers where GBR is operating services that they designate. The Government strongly believe that that is not in the interests of passengers or taxpayers. I agree with Opposition Members that we do not want Ministers interfering with day-to-day fares policy. GBR will have the freedom to define its fares policy within the parameters and guardrails set out, simplifying fares, removing duplication and, in turn, improving value for money. It will therefore be set up to succeed from the outset. Contrary to what Opposition Members believe, the powers in clause 33 do not undermine that.
Edward Morello
I know it has probably been overused already in the Committee, but I keep returning to the NHS England example. The Government set up arm’s length bodies and Ministers are then invariably unable to resist the urge to tinker. The Government devolve responsibility out and then realise that having something completely arm’s length, which they have no control over, is very unattractive when they are politically responsible. What starts off being explained as happening only in exceptional circumstances invariably becomes day to day. The amendments are an attempt to protect against a repeat of the mistake with NHS England, which the Government are now having to unpick.
Keir Mather
We have repeatedly had this allusion drawn between NHS England and the NHS on the one hand and the Department for Transport and GBR on the other. I do not believe that these examples are analogous. NHS England replicated functions in a way that did not serve the interests of patients or taxpayers who paid into the health service. The entire principle here is to take decision-making power from DFT, which under this broken system remains the only body truly accountable for what happens on the railway, and to give it to GBR, in a way that empowers it to ensure that services run in the public interest and represent value for money. I cannot envisage that Members across the House would not think it reasonable, within very broad parameters, to retain some ability to have political accountability in the fare-setting process in exceptional circumstances, such as during the pandemic. That is wholly sensible in making sure the railway continues to offer value for money for both passengers and taxpayers, who are ultimately one and the same.
Olly Glover
I understand what the Minister is saying, but if he means that the ability to give these directions would exist only in very extreme, exceptional cases, such as pandemics or large-scale wars, would he not be open to specifying that in the Bill?
Keir Mather
These direction powers, as drafted, replicate those in many other pieces of legislation, which are fit for purpose in making sure there is democratic accountability for the functioning of institutions, while not being overly onerous and overbearing. We see them with the Oil and Gas Authority, Great British Energy and Great British Nuclear. Only one direction has been given to the Oil and Gas Authority in the 10 years the legislation has existed. In government, the Opposition included the precise same direction power for GBR in their draft Rail Reform Bill, so they clearly believed it was necessary at the time. I therefore believe that it strikes an adequate balance.
Joe Robertson (Isle of Wight East) (Con)
The Minister says Great British Railways, not the Department for Transport, will run the railways. He says that is different from the set-up for the Department of Health and Social Care and NHS England. Was that not exactly the reason NHS England was set up, albeit not by his Government: to run the NHS so that the Department did not have to? I do not see the conceptual difference here at all; what I do is see the inconsistency in the Government getting rid of NHS England because that model does not work and bringing in GBR in the context of transport.
The Chair
Order. Before I bring the Minister back in, I remind colleagues that we are not debating NHS England.
Keir Mather
We may have to hash this out in our own time. There is a principle around the replication of functions between organisations. The principle of GBR is that once those decision-making powers are taken out of the Department for Transport—this is the single-mind approach to access decisions, charging and best use of the railway—there is not replication and burdensome inefficiencies in how those functions are designated and actualised by the different organisations. I believe that the difference lies in that point.
To return to my previous remarks, and on the basis of what I have explained, I urge hon. Members not to press their amendments.
Jerome Mayhew
I am wholly unpersuaded. The Minister did his best, but he cannot hide from the huge disparity between setting up a stand-alone arm’s length business, which is meant to run itself efficiently and with dynamism, and taking away its revenue-driving function. It is ridiculous. We will end up with an organisation that is second-guessed by the Department for Transport. We all say it is the Secretary of State, but of course it is not; it is many hundreds of DFT officials. They will each no doubt do their best as they see it, but they will be second-guessing the role of the industry organisation. That is not a recipe for an effective management structure, and I will push amendment 45 to a Division.
Question put, That the amendment be made.
Jerome Mayhew
I beg to move amendment 46, in clause 34, page 18, line 20, after “are” insert “UK veterans,”.
This amendment, alongside Amendments 47 to 50 would require GBR to continue to offer discounted rail fares for veterans.
The Chair
With this it will be convenient to discuss the following:
Amendment 51, in clause 34, page 18, line 20, after “are” insert
“members of the UK armed forces and their families,”.
This amendment, along with Amendments 52 to 55, would require GBR to continue to offer discounted rail fares for members of the UK armed forces and their families.
Amendment 47, in clause 34, page 18, line 28, after “are” insert “UK veterans,”.
See explanatory statement for Amendment 46.
Amendment 52, in clause 34, page 18, line 28, after “are” insert
“members of the UK armed forces and their families,”.
See explanatory statement for Amendment 51.
Amendment 48, in clause 34, page 18, line 31, after “are” insert “UK veterans,”.
See explanatory statement for Amendment 46.
Amendment 53, in clause 34, page 18, line 31, after “are” insert
“members of the UK armed forces and their families,”.
See explanatory statement for Amendment 51.
Amendment 49, in clause 34, page 18, line 35, after “are” insert “UK veterans,”.
See explanatory statement for Amendment 46.
Amendment 54, in clause 34, page 18, line 35, after “are” insert
“members of the UK armed forces and their families,”.
See explanatory statement for Amendment 51.
Amendment 50, in clause 34, page 19, line 4, after “are” insert “UK veterans,”.
See explanatory statement for Amendment 46.
Amendment 55, in clause 34, page 19, line 4, after “are” insert
“members of the UK armed forces and their families,”.
See explanatory statement for Amendment 51.
Clause stand part.
New clause 51—Remembrance Sunday ticket fare exemption—
“(1) The Secretary of State must make regulations which require Great British Railways to provide a scheme enabling persons under subsection (2) to travel for free on railway passenger services to and from events that commemorate Remembrance Sunday.
(2) Regulations under this section must include a person who—
(a) is a member of the armed forces;
(b) has been a member of the armed forces; or
(c) is a widow, widower, or one direct family member of any member of the armed forces who has died in the course of their service.
(3) Regulations under this section must apply the provision of paragraph (2)(c) in such a way that one person is entitled to free travel for each member of the armed forces to which that paragraph applies.
(4) ‘armed forces’ as set out in subsection (2) means any of His Majesty’s forces (within the meaning of the Armed Forces Act 2006).”
This new clause would require the Secretary of State to make a travel fee exemption for journeys to and from Remembrance Sunday events for armed forces personnel, armed forces veterans and one representative of a deceased armed forces member across all Great British Railways passenger services.
New clause 59—Police officer fare exemption—
“(1) The Secretary of State must make regulations which require Great British Railways to provide a scheme enabling police officers and Police Community Support Officers (PSCO) under subsection (2) to travel for free on railway passenger services.
(2) Regulations under this section must only make provision for police officers who—
(a) present a valid warrant card or PCSO designation card,
(b) are in full uniform or are undertaking such travel for operational purposes.
(3) Regulations under this section are subject to the affirmative resolution procedure.”
This new clause requires all rail operators to permit free travel for police officers on all passenger services, subject to certain requirements.
Jerome Mayhew
The clause requires GBR to provide a discount fare scheme for passengers who are “young, elderly or disabled”—that is it—to ensure they can access cheaper rail fares and tickets. I recognise that the clause does not limit GBR to only those discount schemes, and it can create other schemes that provide for cheaper fares and tickets at its discretion, but these are the only mandatory schemes, so they identify where the Government’s priorities lie: the young, elderly or disabled.
The use of discount fare schemes may be subject to conditions. The clause ensures that discounted fares for the young, elderly or disabled are made available on any services designated by Scottish and Welsh Ministers, as well as on services provided by GBR. It is remarkable that subsection (1) preserves statutory discount schemes only for young, elderly and disabled passengers. The veterans railcard remains entirely outside statute, meaning that it can be changed or withdrawn without parliamentary oversight. Given the strong precedent in the 1993 Act for protecting key concessionary schemes in law, the Bill is a missed opportunity; it is not just a carry-over. In fact, it is an active decision not to give veterans the same statutory guarantee and long-term security as under existing railcards.
Subsection (3) allows any set of conditions to be applied to a scheme, so the whole clause is functionally meaningless without sight of the conditions. We do not know what they are; it is another bit of work the Government have not done. It could be one service, once a month. That risks hollowing out the statutory concession entirely, allowing GBR to comply in form while restricting access in practice.
Amendments 46 to 50 would require GBR to continue to offer discounted rail fares for veterans. Will the Minister support the amendments, or will the Government demonstrate by their actions that they do not rate veterans’ discounts to be as important as the other discount groups? I will look to divide the Committee on every one of the amendments, because this is a politically sensitive issue.
Amendments 51 to 55 would extend consideration to the immediate families of veterans. They would require GBR to continue to offer discounted rail fares for members of the UK armed forces and their families. Again, this is a political issue, so I wish to divide on all the amendments, but I hope that we can be quick.
I will not speak to new clause 51, but new clause 59, in the name of the hon. Member for Didcot and Wantage, would require all rail operators to permit free travel for police offers and police community support officers, if they are in full uniform and travelling for work. It is a noble calling, but where do we stop? If they are travelling to work, they will be reimbursed by the constabulary. No officers commute to work in uniform, for security reasons, so I do not support the new clause.
Olly Glover
We understand and support the intent of the Conservative amendments on veterans, but I suppose the debate will get into what should be legislated for in discount schemes, as opposed to specified in other forms. It will be interesting to hear from the Minister why the Government have opted to put certain discount schemes in the Bill and not others. Hopefully, there is some clear logic, but we shall see.
Our new clause 51 would require the Secretary of State to make a travel fee exemption for journeys to and from Remembrance Sunday events for armed forces personnel, armed forces veterans and one representative of a deceased armed forces member across all GBR passenger services. The context is that there is currently an agreement in place for that travel fee exemption, which is agreed by the Secretary of State and the train operating companies. The new clause would simply formalise something that already happens, but would do so in the framework of GBR and ensure long-term certainty and consistency, national coverage across the GBR network and the inclusion of a representative of a deceased service member. At present, deceased personnel are often not represented at Remembrance events if a family member cannot afford the cost of travel. The new clause addresses that inequity.
The new clause places an existing informal arrangement on a statutory footing and ensures consistency and fairness. The cost implications are limited and predictable, as the travel demand is concentrated around a single annual event and largely happens on that day. The new clause recognises the importance of remembrance for bereaved families and sends a clear message of respect and recognition for service and sacrifice.
On our new clause 59, I understand the shadow Minister’s points, but the intention is simply to reduce red tape and bureaucracy. This is about officers needing to use the train in the course of their duties. It is important that many of them do so, particularly those engaged in highly visible community policing. The new clause would simply reduce the red tape and bureaucracy of them needing to buy tickets, procure travel warrants and so on. It is not about travel to and from work, but about making sure they can easily use the network while on duty.
Daniel Francis
I will briefly respond to some of the comments that have been made. First, the Greater London Authority Act 1999 does not have many of these components. Yet the Mayor of London allows a number of discounts, including for veterans, care leavers, apprentices and people who are unemployed and seeking work. They are not on the face of that legislation, but those exemptions do exist, including for veterans, and I am sure the Minister will cover those points in due course. However, there is other legislation where that is the case. At no point in their 14 years did the previous Government attempt to amend that Act to provide that exemption for veterans, so that is the position that remains.
I remind Members of my interest as chair of the all-party parliamentary group for wheelchair users. Amendment 62 causes some concern with its reference to fares being “one third lower” because in many cases that would represent a fare increase for wheelchair users and blind passengers.
Rebecca Smith
I echo what my hon. Friend the Member for Broadland and Fakenham said on amendments 46 to 50. I too am surprised that the Government are not seeking to enshrine the right to a veterans railcard on the face of the Bill. While it is laudable that they want to ensure that those long-fought-for discount fare schemes remain for young, elderly or disabled people, I believe that not making the veterans railcard a statutory discount is a backward step and will send a particularly strong message to that community, who we know are quite agitated by a lot of what is being done by this Government, particularly around the prosecution of veterans for previous conduct. Not to use this Bill as an opportunity to put this provision on the statute book is a retrograde step.
I want to pay tribute to the former Member for Plymouth Moor View, Johnny Mercer, who drove putting the veterans railcard in place in the first place through the work of the Office for Veterans’ Affairs. He said at the time that it underlined the “debt of gratitude” that we owe to our veterans. They are ultimately men and women who have fought hard for our country, and the opportunity to receive that discount in perpetuity—whether they have served one day or 100—is something that we should be proud of as a country and should seek to enshrine in legislation. The same goes for the opportunity for serving personnel to travel with their families.
I will be very surprised if the Government vote against the amendment: that would send a very clear message to our veterans community that they are valued more greatly by the Conservatives than by Labour. Although I am sure there is no ill intent behind the omission of the veterans railcard in the Bill, we have to think about the messaging and the political point that is being made. It would be relatively easy to put the veterans railcard in law so that it cannot be changed in the future, and I would support that. As has been said, the Bill does not prevent it from being added later, but I wonder why we are not seeking to enshrine it in law now.
Keir Mather
I sincerely thank the hon. Members for Broadland and Fakenham and for Didcot and Wantage for the amendments, which are about discounted travel for members of the UK armed forces, veterans, their families and the police.
On amendments 46 to 55, first and most importantly, the Government fully recognise the enormous contributions made by members of the UK armed forces, UK veterans and their families. I am pleased to confirm that there are absolutely no plans to change the existing range of discount schemes, including the veterans railcard and the armed forces railcard, which also covers family members of serving personnel. Those are valuable discounts for people who have sacrificed in the public interest, and the Government are rightly committed to them.
In our view, however, it is not necessary to reflect that commitment on the face of the Bill,. The Bill gives continued statutory protection to the discount schemes that are already protected by the Railways Act 1993 to ensure consistency for groups for whom cost has historically been a particular barrier to travel, to ensure that our railway continues to be inclusive and to be consistent with previous Acts. That does not mean that other discount schemes are not at the forefront of our mind and will not continue.
Rebecca Smith
I appreciate what the Minister is saying but, if that is the case, surely we should just remove the whole clause. If the Government do not seek to remove any discount schemes, why do they need three discount schemes, and none of the others, on the face of the Bill? It seems to me that there is a bit of a contradiction there.
Keir Mather
As I have just mentioned, we want to carry over those schemes to provide consistency for those groups. We are carrying over the role of the discretionary schemes as set out in legislation. We think that consistency is important but, for reasons that I will come to later, we also believe it is important that GBR is able to move in an agile way and think about evolving needs when it comes to concessionary travel. It is important, in terms of legislative carry-over, to ensure that that remains in place.
Jerome Mayhew
The Minister says that he wants GBR to remain agile, but does he foresee a situation in which it is agile by removing the veterans railcard? If he says no, as I suspect he will, why does he not put that on the face of the Bill and support our veterans?
Keir Mather
For the reasons I have just outlined. I have already confirmed that there are absolutely no plans to change the existing range of discount schemes, which include the veterans railcard and the armed forces railcard.
Jayne Kirkham (Truro and Falmouth) (Lab/Co-op)
Perhaps the Minister can confirm that the veterans scheme is incredibly important, that we all agree with it being there, and that there are absolutely no plans to remove it.
Keir Mather
Yes, I am very eager to agree with my hon. Friend.
This is a serious point. In my constituency, I see the difficulty that veterans have in attending Selby Abbey to mark the enormous contribution that people in our armed services have made across many conflicts. I would have thought that this is personal to every single member of this Committee, which is why I am pleased to agree with my hon. Friend.
Laurence Turner
Does the Minister agree that there is a comparison with the disabled persons railcard, the criteria for which have been significantly expanded? That change is due to be implemented over the coming months, and that has been possible only because there was not a restrictive statutory definition in primary legislation. Our understanding of disability has changed since the legislation was passed, and we would not want to restrict ourselves unnecessarily for the future.
Keir Mather
My hon. Friend makes an interesting point and is absolutely right to note that we want the concessionary schemes to be able to evolve to reflect the needs and lived experiences of those they are designed to help. I will expand on that point in more detail later.
I will make some progress now. We are of the view that minimising the number of listed discounts on the face of the Bill will enable GBR to develop and adjust discount arrangements over time, reflecting passenger needs and other objectives. For example, in the future it might be desirable to rationalise the existing concessionary offer for current and former military personnel and their families to ensure consistent terms and conditions between the armed forces and veterans. GBR should be able to consider such options but, if we enshrine the schemes in primary legislation, it will become virtually impossible to amend and improve them.
The Government remain fully committed to supporting the armed forces community through travel discounts and other means. For that reason, while I sincerely understand the motivation behind the amendments, the Government do not believe they are necessary and I ask the hon. Member for Broadland and Fakenham to withdraw them.
New clause 51 requires GBR to provide free travel
“to and from events that commemorate Remembrance Sunday.”
As I have said, the Government remain committed to all those who serve, and that includes supporting their attendance at events commemorating Remembrance Sunday. Last year, as in previous years, the Government worked closely with the rail industry to ensure that serving members of the armed forces and veterans were eligible for free travel to and from services of remembrance across the country. Likewise, Poppy Day volunteers and collectors—and their children—travelling to the London Poppy Day events were given complimentary travel to support their fundraising efforts on behalf of the Royal British Legion.
Rebecca Smith
I appreciate the Minister’s reassurance that there will still be opportunities for people taking part in remembrance events. However, there are additional matters such as the poppy train, which comes up through the south-west with Great Western Railway. While such things may be worked through in conjunction with the Secretary of State, they are put on by a privately owned franchise rail company. Is the Minister effectively saying that it will be down to the individual business units to decide what happens within their railway scope, or will it be in guidance through the licence or something else? There are many things that have been provided by privately owned franchises that the Bill does not confirm will take place once the railways are state owned.
Keir Mather
While I do not anticipate provision around the specific instance the hon. Lady described—for example the poppy train being frozen into the licence of GBR—I do expect that GBR will be minded and motivated to continue to ensure that members of the armed forces community, veterans and their families can attend Remembrance Sunday services across the country. In our view, concessionary travel more broadly will improve the ability to do that. It will allow GBR to set provisions in an agile manner through an evolving concessionary fares scheme, rather than freezing them as part of the Bill—and, moreover, to set provisions that are not already locked into legislation and do not therefore need to be carried over, in the interest of consistency for the groups that they affect.
Turning back to my remarks on Poppy Day volunteers travelling to events with their children, I do look forward to that policy continuing in the years to come, although precise arrangements for how that will work will be confirmed closer to the time. All that being the case, we do not see the need for legislative amendments. These are things that the Government and rail industry already strongly support and have been providing for many years. A regulatory framework would only complicate delivery, which is more effectively facilitated at the operational level, so, while we wholeheartedly support the spirit of new clause 51, I urged the hon. Member for Epsom and Ewell to withdraw it.
New clause 59 requires GBR to provide a scheme enabling free rail travel for police officers and police community support officers who are in full uniform or who are travelling for operational purposes. The Government gratefully acknowledge the service of police officers across the country and all that they do to keep us safe. The speed, skill and professionalism of the response by British Transport police and other brave first responders to the horrific train attack in Huntingdon last year is just one example of how police officers and all our emergency services save lives every day across our country.
While I understand the intention of the new clause in supporting that vital work, the Bill is not the correct place to set out the requirements for such a scheme. As the hon. Member for Didcot and Wantage knows, any new staff travel scheme should be the product of negotiations between the relevant organisations. To prescribe a scheme in primary legislation sidelines that process and risks the creation of a scheme that is not fit for purpose, as well as unfunded financial impacts to the railway. Therefore, while I am sympathetic to the intentions of the new clause, the Bill is not the appropriate avenue to establish such a scheme, and I urge the hon. Member not to move it.
Clause 34 ensures that GBR will be able to provide discount schemes, such as those offered today as railcards. First, the clause continues the 1993 Act’s statutory protection for young, senior and disabled passenger discounts. Prices are historically more likely to be a barrier to these groups’ accessing rail travel, and they are covered by the protected characteristics of age and disability. Maintaining these concession schemes in primary legislation supports equal access to employment, education and essential services. It is worth noting that, while other concessionary discounts are not included in the Bill, the Government recognise that they too are important, and there are no plans to withdraw any of the discounted schemes currently being offered.
Nevertheless, the clause also gives GBR the flexibility required to simplify and modernise discount schemes across the network, and to evolve the offer where that is considered desirable to meet passenger needs in the future. Finally, the clause ensures that devolved operators will still be required to offer the core statutory discounts, and that they will have flexibility over whether to participate in the GBR scheme or to create their own.
Jerome Mayhew
It is extraordinary that the Government say, on the one hand, that age and disability need to be included in primary legislation, but on the other hand that it is totally unnecessary to have the same security for veterans. We on the Conservative side of the House do not accept that logic and we will be pushing amendments 46 to 55, individually, to votes.
Question put, That the amendment be made.
Jerome Mayhew
I beg to move amendment 56, in clause 34, page 18, line 20, after “are” insert “aged 26-30,”.
This amendment, along with Amendments 57 to 60, would require GBR to continue to offer discounted rail fares for young people aged 26-30.
The Chair
With this it will be convenient to discuss the following:
Amendment 57, in clause 34, page 18, line 28, after “are” insert “aged 26-30,”.
See explanatory statement for Amendment 56.
Amendment 58, in clause 34, page 18, line 31, after “are” insert “aged 26-30,”.
See explanatory statement for Amendment 56.
Amendment 59, in clause 34, page 18, line 35, after “are” insert “aged 26-30,”.
See explanatory statement for Amendment 56.
Amendment 60, in clause 34, page 19, line 4, after “are” insert “aged 26-30,”.
See explanatory statement for Amendment 56.
Jerome Mayhew
This should be a short debate, since amendments 56 to 60 serve a single function: to defend the long-term provision of discounts for 26 to 30-year-olds. Although clause 34 refers to discounts for the young, there is potential for the definition to exclude discounts for 26 to 30-year-olds—and that is young to me, at least. Amendments 56 to 60 would require GBR to continue to offer discounted rail fares for young people in this age group. Given the Government’s willingness to identify some characteristics as worthy of discounts in primary legislation—the young, elderly or disabled—what is the principled objection to including other, equally worthy groups? I will press the amendment to a Division.
Keir Mather
I thank the hon. Member for tabling the amendments, which would place a statutory duty on GBR and on Scottish and Welsh Ministers to ensure that discounted rail fare schemes are available for persons aged 26 to 30—I do not know whether I should declare an interest, as a holder of one of those railcards.
The Government have stated that there are no plans to change the existing range of discount schemes, including the 26-30 railcard, but we do not consider it necessary or appropriate to list specific age ranges in the Bill in the way proposed. Listing specific age ranges would be unnecessarily inflexible. The Government are absolutely committed to retaining discount schemes for younger people; however, much of the current discount system is fragmented due to its origin in the franchising system, so GBR may want to rationalise the existing range of discount schemes currently targeting younger people to simplify duplicative and overlapping offers and age ranges between 16 and 30, for example, as part of introducing a modernised, more consistent offer for passengers.
Given that Acts of Parliament are drafted to last a generation or more, placing specific age ranges in the Bill would likely remove those opportunities and potentially limit opportunities for young people. For those reasons, I urge the hon. Member to withdraw the amendment.
Jerome Mayhew
The Minister says that he wishes to have flexibility. The whole point is that we are trying to remove flexibility, so that GBR cannot take away discounts for 26 to 30-year-olds in the future. The Minister’s argument actually increases my concern that that is a realistic prospect in the Government’s mind, and I feel even more strongly that we should divide in order to ensure that discounts for 26 to 30-year-olds are protected in the long term.
Question put, That the amendment be made.
Jerome Mayhew
I beg to move amendment 61, in clause 34, page 18, line 25, leave out subsection (3).
This amendment would remove GBR’s ability to set unrestricted conditions about discounted fares.
The Chair
With this it will be convenient to discuss the following:
Amendment 62, in clause 34, page 19, line 10, leave out “lower fare” and insert
“fare that is one third lower”.
This amendment would ensure that discounted fares remain at one third off the price of a standard fare.
New clause 13—Report on the potential merits of customer loyalty programmes—
“(1) Within twelve months beginning on the day on which this Act is passed, the Secretary of State must lay before Parliament a report on the potential merits of customer loyalty programmes for rail passengers (‘rail miles programmes’).
(2) A review under this section must consider any beneficial effect on the growth of rail passenger numbers of introducing rail miles programmes.”
This new clause would ensure the Secretary of State conducts a report into potential benefits of a “rail miles” programme for passenger numbers.
Jerome Mayhew
Amendment 61 would remove GBR’s ability to set unrestricted conditions about discounted fares. The amendment probably goes too far, so I will treat is as a probing amendment to flush out what conditions the Minister anticipates will be imposed under subsection (3). Will the Minister undertake that the intention is to minimise constraints on discounts, to afford maximum advantage to the groups that discount schemes are in place to promote? I would be grateful if he could clarify the Government’s position on that.
Amendment 62 would ensure that discounted fares remained at one third lower than the price of a standard fare. That would give certainty to those currently using the variety of railcards mentioned above that their discount will remain the same. The Government claim that GBR will bring savings; all the amendment does is prevent discounted fares from costing more. If the Government do not support the amendment, they would be paving the way for GBR to reduce focus on the passenger and revert to the typical standard of a nationalised organisation, where you get what you are given and expected to be grateful for it.
New clause 13, in the name of the hon. Member for Didcot and Wantage, would ensure that the Secretary of State conducted a report into the potential benefits of a rail miles programme for passenger numbers. That is an idea—but in our view, it is not one that should be included in primary legislation. It is qualitatively different from discounts for veterans and young persons.
Daniel Francis
I again declare my interest as chair of the all-party parliamentary group for wheelchair users.
Amendment 62 appears to refer not to railcards but to all ticketing. As I have said, it would result in an increase for many tickets for wheelchair users and blind and visually impaired people. As the parent of a child who is a wheelchair user, I know that the discount on a ticket for wheelchair users is 75%, and it is the same for an adult day return. For blind and visually impaired users the discount on an adult day return is 50%.
Some discounts also apply to the carer or companion of the wheelchair user or blind or visually impaired passenger. That provision is not included in the Bill, yet the Opposition thought it was more important to table an amendment to introduce a discount for 26 to 30-year-olds than to table one on a discount for the carer of a wheelchair user or blind or visually impaired passenger. I anticipate that the Government will confirm that the discount remains for carers and companions, and in my mind that does not need to be included in the Bill. I certainly do not support amendment 62, as it would undo the current, more generous discount arrangements for wheelchair users and blind or visually impaired passengers, and cause an increase in their fare.
Jerome Mayhew
This may shock the Committee, but I listened carefully to the hon. Member for Bexleyheath and Crayford, and his expertise has exposed a lack of knowledge on my part. I was not aware that the discount in that circumstance was in excess of one third. Given that, I will not press the amendment to a vote. I am grateful for his contribution.
Olly Glover
I will speak briefly about the Conservative amendments. I agree with some of the shortcomings identified by the shadow Minister, but there would be a risk in setting in stone some of the current discount and fares arrangements, as amendment 61 seeks to do.
On amendment 62, apart from the good points made by the hon. Member for Bexleyheath and Crayford about the existing differential discount rates, I am not sure of a particularly compelling reason for why the main discount rate of one third should be preserved in aspic—I said that I would not say “aspic” any more, but I have anyway. There may be times in the future when a higher discount, or maybe even a lower one, could make sense.
I assure the shadow Minister that our new clause 13 would require the examination of the idea, rather than a commitment to do it. Our idea is based on the ubiquity of air miles as a highly valued consumer product. So many people talk about air miles in conversation, and the popularity of certain credit cards—I can probably name them, as I do not have an interest, but I will not—is explained by the accumulation of air miles. Why not rail miles? It would promote our network, reward loyal customers and be a brilliant way of promoting domestic tourism, were people able to accumulate rail miles as they currently can air miles. It would also be a good way to promote lower-carbon transport.
Our new clause would simply require the examination of the idea of a rail miles programme, and the production of a report on its potential merits that the Secretary of State would lay before Parliament within 12 months of the passage of the Bill. I hope to hear the Minister’s warm words about the idea, although I would naturally be astonished if he embraced it.
Edward Argar
Is the hon. Member aware that, although not in a domestic context, there have in the past been schemes in which, instead of air miles, points or miles have been available—for example, with Eurostar—and they were extremely popular?
Olly Glover
The right hon. Gentleman makes a good point. The air miles concept has been highly successful for Eurostar, and it is now time to apply the idea to the domestic market.
Rebecca Smith
It is worth reminding the Committee that the idea has also been used on a domestic route. Not that long ago GWR had a scheme with Nectar, and the points I accrued while travelling up and down to London for various engagements used to service me with a bottle of gin once a year. I am not necessarily saying that I support the hon. Gentleman’s new clause, but it is worth putting on the record the fact that it is not so farfetched an idea. It certainly made me use GWR’s app, even if I did not use anything else.
Olly Glover
I thank the hon. Lady for her intervention, although perhaps she is advocating another concept called gin miles, which would definitely be beyond the scope of our new clause. She makes the strong point that there have been examples along the lines of this idea in pockets of the network. The new clause would put the idea on a national footing, boost good practice and give GBR positive things to offer its customers from day one. Perhaps it would even compensate for the ghastly livery that GBR is telling us all is so wonderful.
Edward Morello
I want to speak in support of new clause 13, tabled by my hon. Friend the Member for Didcot and Wantage. The new clause is our proposal for a rail miles scheme, as he eloquently laid out, but I want to add a couple of things. First, a rail miles scheme would encourage people to return to rail time and again, reward passengers for regular use and provide additional flexibility and discount. As has been outlined, we have seen existing or similar systems in respect of Eurostar, supermarkets and air miles, and, in certain cases, within the UK railway system.
It is worth stressing that, importantly, new clause 13 does not mandate the introduction of a scheme. It would require a report on how a customer loyalty programme could work in practice, boost passenger numbers and be designed to remain affordable and cost-effective for the taxpayer and the Government. All we ask for is an evidence-based review of rail miles as an important step towards a fairer system. As it is not a mandate but simply a request for the Government to look into the idea, the new clause should be relatively easy for the Government to support.
Keir Mather
Let me start by reasserting the principle that we do not want Ministers to be micromanaging the railway. However, the point about gin miles was very well made and I shall relay it to GBR.
Keir Mather
Well, there we are.
Let me start by responding to what the shadow Minister described as a probing amendment. He asked me to set out a little more detail on how we envisage the use of conditions on discounts, and I want to reflect the intent that he described. We want to ensure that eligibility for concessionary schemes and discounts is kept up to date, is reflective and is rationalised where necessary. A good example could be changing terms and conditions to change the eligibility criteria for the disabled railcard to include non-visible disabilities, which we have committed to in the accessibility road map. The intent to make sure that discounts are reflective of the lived experience of those who rely on them very much lies behind the provisions.
I thank the shadow Minister for tabling amendment 61, which would seek to remove GBR’s ability to set conditions on the use of discounted fare schemes. As drafted, the legislation will enable GBR to develop and adjust discount arrangements, if necessary, to reflect changing circumstances and passenger needs. More generally, it is worth noting again that the future framework on fares introduces clear and enforceable mechanisms that can be used to hold GBR to account, to ensure it delivers value for passengers and sustainable outcomes for taxpayers. Under this model, the Secretary of State will set parameters and guardrails aligned to GBR’s financial settlements. We believe that strikes an effective balance between strategic oversight and operational independence.
Jerome Mayhew
As I intimated, I am happy to withdraw amendment 61, which is more of a probing amendment, and I will not move amendment 62. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
The Chair
We now come to amendments 47 to 50 and 52 to 55. Divisions are granted at the discretion of the Chair. Although I understand the importance to the hon. Gentleman of the principle of the amendments, the Committee has already made a decision on the principles, so I am not inclined to allow further Divisions.
Jerome Mayhew
In the normal course of events I would not seek to have repeated amendments on variations of a theme. However, this matter is politically salient because it deals with a live political issue between the parties on discounted fares, and whether the Government support veterans and veterans’ families. Each amendment deals with a separate part of the veteran community and also with veterans’ families. It is important that we hear the Government’s view through Divisions on every single one, so I ask you to reconsider your determination, Ms Barker, because of the political salience of the individual Divisions. I am sure you will have noticed that in other areas I have been co-operative, and that I do not cause Divisions just for the sake of it, but I ask you to allow Divisions on this occasion.
Amendment proposed: 47, in clause 34, page 18, line 28, after “are” insert “UK veterans,”.—(Jerome Mayhew.)
See explanatory statement for Amendment 46.
Question put, That the amendment be made.
Railways Bill (Tenth sitting)
(1 day, 12 hours ago)
Public Bill CommitteesRead Hansard Text Read Debate Ministerial Extracts
The Committee divided: - Ayes: 5 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 9 - Question accordingly negatived.
The Chair
I hear the Committee made very good progress this morning. I am sure you will share my ambition to get through part 2 this afternoon, but that will depend very much on how much progress we make. The official stop is 5 pm but if we have to go over, we have to go over. I also intend to have a comfort break at a convenient point.
Clause 34 ordered to stand part of the Bill.
Clause 35
Interpretation of Chapter 1 of Part 2
Question proposed, That the clause stand part of the Bill.
The Parliamentary Under-Secretary of State for Transport (Keir Mather)
It is a pleasure to serve yet again under your chairship, Mrs Hobhouse. Clause 35 provides definitions for key terms used in chapter 1 of part 2, ensuring clarity and consistency in interpretation. I commend the clause to the Committee.
Jerome Mayhew (Broadland and Fakenham) (Con)
I agree.
Question put and agreed to.
Clause 35 accordingly ordered to stand part of the Bill.
Clause 36
General duties of the Council
Jerome Mayhew
I beg to move amendment 63, in clause 36, page 19, line 35, after “of” insert
“all users, and potential users of the railways, including”.
This amendment ensures that the Passengers’ Council must have regard to the needs of all users, and potential users of the railway.
The Chair
With this it will be convenient to discuss the following:
Amendment 64, in clause 36, page 20, line 2, leave out
“make efficient use of those funds”
and insert
“ensure value for money through a cost benefit analysis.”
This amendment would require the Passengers’ Council to consider value for money, rather than efficient use of public funds.
Clause stand part.
New clause 7—Purpose of the Passengers’ Council—
“The purpose of the Passengers’ Council is to—
(a) champion the interests of all users and potential users of the railway, including, in particular, the needs of disabled persons,
(b) advocate for the reliability of passenger services, covering punctuality, cancellations, short-forming, delays and the reliability of key connections,
(c) advocate for safety and security, covering safety incidents, security incidents affecting passengers, staff presence, and delivery of safety-critical maintenance,
(d) advocate for passengers’ comfort and on-board experience, covering cleanliness, the functioning of heating, air-conditioning, and lighting, overcrowding, the availability and performance of any internet connection or power sockets, and toilet facilities,
(e) advocate for affordability and value for money, covering fare levels, availability of discounted or flexible fares, transparency of fare information, and passenger perception of value for money, and
(f) advocate for passenger growth and network expansion, covering growth in passenger numbers, the number of communities served, service frequency, and the provision of new or restored services.”
This new clause would give a statutory purpose for the Passengers’ Council to champion the interests of all rail users.
Jerome Mayhew
Thank you, Mrs Hobhouse, for agreeing to chair this afternoon’s deliberations.
Here we are at clause 36, on the general duties of the passengers’ council. The clause requires the passengers’ council to consider the interests and needs of disabled persons when it exercises its rail functions. It also places a duty on the council to consider costs and the efficient use of public funds when it exercises its functions. That updates the council’s duty on value for money, which we can see in section 76(7) of the Railways Act 1993, and is consistent with the duty the Secretary of State, the Office of Rail and Road, Scottish and Welsh Ministers and Great British Railways will have if clause 18(2)(f) makes it into the final Act.
Clause 36(a), however, is silent on the general travelling public; it only mentions having particular regard to disabled persons. It seems like an odd omission for a provision on a passengers’ council to not mention passengers in the round. For the rest of the public, the council only has to
“keep under review matters affecting the interests of the public”,
under clause 37(1)(a).
The current drafting risks the creation, inadvertent I am sure, of a skewed body, directed to focus on disabled passengers and silent on the rest. I know that would not be the intention of the Ministry or anybody else in this Committee, but that is what the draft text would require of the council under its statutory obligations. It sits uneasily alongside clause 18(2)(a) on the general duties of Ministers, GBR and the ORR, which we all remember, and which frames disabled people within a wider body of all users, stating that it is to
“promote the interests of users and potential users of railway passenger services including, in particular, the needs of disabled persons”.
Why is different language being used? There is a difference, within the same draft text, between clause 18 and clause 36. The effect is to leave the passengers’ council operating statutorily on a narrower basis than GBR. The Minister will need to explain the intention behind that, because I do not believe it is intentional. If it is, he needs to explain why he wishes to constrain artificially the application of the passengers’ council to an area which is less wide than that covered by GBR, which it is meant to be monitoring.
Joe Robertson (Isle of Wight East) (Con)
I do not wish to interrupt the shadow Minister mid-flow, but I hope the Government will take on board his amendments and new clause. If they do not, perhaps they might like to amend the name of the passengers’ council to the “disabled passengers’ council”, because, in effect, that is the work it will be doing, so why not name it appropriately?
Jerome Mayhew
I am grateful for my hon. Friend’s intervention, although unfortunately he did interrupt my flow—though it was very kind of him to say that he did not want to in the process. He is quite right. Although I obviously love chucking half-bricks at the Government, I do not believe for a moment that there is a serious intention on the part of the Department for Transport to skew the passengers’ council in the way that the drafting currently requires. I am highlighting the provision in the best interests of improving the drafting of the Bill. I am sure the Minister will find a reason not to agree with me in a few minutes’ time, but I hope that he, or his officials, will go away and have a quiet look at it before the Bill reaches the House of Lords.
Subsection (b) provides only a duty to “take into account” the costs of recommendations. Surely, as legislators, we want the organisation to balance the public benefits against the likely costs—a cost-benefit analysis, essentially—and not just to consider costs to be met from public funds, because this also involves farebox income. Amendment 63 therefore
“ensures that the Passengers’ Council must have regard to the needs of all users, and potential users of the railway”,
preventing a skewed council with competing interests, borrowing the language used by the Government in clause 18.
Amendment 64 would require the passengers’ council to consider value for money through a cost-benefit analysis, rather than merely the “efficient use” of public funds, which is only half of the issue. There is a key difference here: value for money focuses on achieving the best balance of cost, quality and outcomes, whereas the good use of public funds also requires spending to be transparent, fair and aligned with the public interest and wider policy objectives. That makes this amendment important in achieving the lowest possible cost for the taxpayer.
New clause 7 would give the passengers’ council a statutory purpose to champion the interests of all railway users and potential users of the railway. The passengers’ council would advocate for the reliability of passenger services, for safety and security, and for passengers’ comfort and on-board experience, which we have discussed a number of times. It would also advocate for affordability and value for money, passenger growth and network expansion. It is important to have a clear set of directions for this new passengers’ council at its inception, and the new clause would help to provide that.
Edward Argar (Melton and Syston) (Con)
As ever, Mrs Hobhouse, it is a pleasure to serve under your chairmanship. I will speak primarily to amendment 63, as articulated, typically eloquently, by my hon. Friend the shadow Minister.
We have heard some extremely powerful interventions during the course of this Committee, particularly from the hon. Member for Bexleyheath and Crayford, about the importance of ensuring that the system—if I can call it that—genuinely recognises and is responsive to the needs of those who are disabled, have mobility issues, or face a whole range of things. He has made that case very powerfully, and I can understand what the Minister is seeking to do.
I suspect—although I do not wish to put words in his mouth—that the Minister will say that the amendment is unnecessary because it is inherent in the purposes of a passengers’ council that, of course, all passengers will be considered, and that the amendment simply draws out a particular aspect that must be highlighted. I can understand that. If that is the case, the Minister could accept this amendment without any adverse effects, and without any challenges to the drafting of the Bill or the integrity of what he is seeking to do with the clause, because the amendment emphasises that responsibility but does not lose sight of the particular needs of disabled people and others in the operation of the railway—I am sure the hon. Member for Bexleyheath and Crayford would make a point about the importance of that.
Looking at the amendment tabled by my hon. Friend the Member for Broadland and Fakenham, very little—if anything—would undermine the integrity or policy intent of what the Minister is seeking to achieve with the clause. It would simply draw it out and make it much clearer, and remind the passengers’ council, in explicit terms in the legislation, of what it is there to do. I hope that the Minister, in recognising the intent behind it, can move some way to meet my hon. Friend and I by potentially accepting the amendment, or at least, if he is not able to do so today, by committing to take it away and consider whether he might accept it at a later stage.
Daniel Francis (Bexleyheath and Crayford) (Lab)
It is a pleasure to serve under your chairship, Mrs Hobhouse.
I hear what was said about amendment 63, and I will wait to hear what the Minister says. I have sat on a passenger watchdog, although not this one, and worked in that role alongside Passenger Focus, as it was back then—it is now Transport Focus. I served as a member of the board of London TravelWatch, which is referred to as the London Transport Users Committee in the legislation, for four years, although that was a long time ago now. Many of the provisions we will see in later clauses are inherent in the aims and work of such organisations. Investigations, reports, representations and referrals come to the attention of the organisation from all passengers.
The amendment is not necessary. I did this work as a member of a board for four years, and chaired many meetings of sub-committees looking at some of that work, and, in the work of a watchdog, these issues are there, they are referred to the organisation and they are in the reports that are presented on behalf of all passengers.
Jerome Mayhew
The hon. Gentleman notes that clause 36 is about the general duties of the council. It sets out what the passengers’ council is for and those general duties. Does he not think that it is odd that the clause does not refer to passengers, other than one subclass of passengers? Would it not be better for the general duties of the passengers’ council to refer to all passengers?
Daniel Francis
If the hon. Gentleman looks at the clauses in the group, he will see that there are significant issues that the passengers’ council needs to take into account for all passengers, which come to the door and—as I know, having sat on a watchdog for four years—come in the form of casework and meetings. I am sure that I will talk later about why nationalisation, and having trains, signals and rolling stock under one operator, is much better for a passengers’ council, but those issues come to the organisation’s attention anyway.
I fully support the need to look at the issues for disabled passengers who come to the council’s door, and I will hear what the Minister has to say, but I believe that how things are investigated and brought to the organisation’s attention are set out in the legislation, just as they are, in many regards, for Transport Focus and for the London Transport Users Committee. I do not believe that the amendment is necessary.
Keir Mather
I thank the hon. Member for Broadland and Fakenham for these amendments, but also right hon. and hon. Members across the Committee for their contributions on this important point.
The right hon. Member for Melton and Syston is correct that I intend to argue that the passenger watchdog will focus inherently on the needs of passengers. I believe that that is self-actualising, to an extent, in creating one in the first place. But he is also right to push me further on specific provisions.
My hon. Friend the Member for Bexleyheath and Crayford made some really important points, first about the fact that the duties and responsibilities inherent to the passenger watchdog demonstrate how it will serve the interests of passengers. Having an independent monitoring power for the passenger experience, investigation powers, enforcing minimum consumer standards—this is inherent to representing passengers on the railway.
Jerome Mayhew
The Minister has come up with an ingenious argument, but if he takes the trouble of actually reading the opening sentence of clause 36, he will find that it says, under “General duties”:
“When exercising its functions relating to railways and railway services”—
So, arguments about buses and other modes of transport are clearly outside the scope of this clause, are they not?
Keir Mather
But they are not outside the scope of the passenger watchdog as a whole. We would not want to be prescriptive in one place, only for us not to be able to make the passenger watchdog agile and adaptive in dealing with the needs of other modes. There could be unforeseen issues in which the passenger watchdog will need to represent passengers, or new developments, for instance those arising from new technology, where we would want the council to be able to advocate for passengers in the future.
The Bill already gives the council a purpose: via a combination of the functions and duties set out in the Bill and the Railways Act 2005, the council’s purpose and railways functions are set out sufficiently and are rightly broad.
Amendment 64 replaces the passenger watchdog’s duty to make efficient use of funds with a duty to consider value for money through a cost-benefit analysis. The revised duty being suggested by the shadow Minister and the duty in the Bill are to all intents and purposes the same. The watchdog will need to conduct some form of analysis to ensure it is making efficient use of funds when deciding which issues to investigate. Therefore, the amendment is duplicative and in my view unnecessary. With all this in mind, I urge the shadow Minister not to press these amendments.
Clause 36 places two general duties on the watchdog, which it must consider when carrying out its rail functions. The first is a duty to consider the interests and needs of disabled persons, which is designed to ensure that the watchdog will pay specific attention to the experiences of disabled passengers. The second is a duty to consider the costs and efficient use of public funds when it exercises its rail functions, which will ensure that the watchdog takes the overall cost of the railway into account when carrying out its functions—for example, when advising GBR or the Government. This will ensure that its recommendations are realistic and actionable, and therefore carry more weight in the industry. These duties will enable the watchdog to be an effective passenger champion, with the needs of disabled people at the heart of its priorities.
Jerome Mayhew
You will not be totally amazed to learn, Mrs Hobhouse, that I am not persuaded by the position that the Minister has taken. The obfuscation, chucking in other modes of transport when that is clearly excluded by the wording of the clause, does not persuade me and I wish to press both amendments to a vote.
Question put, That the amendment be made.
Edward Morello (West Dorset) (LD)
I beg to move amendment 208, in clause 36, page 20, line 2, at end insert—
“(2) The Passengers’ Council must make arrangements for rail passenger groups to be members of a board, committee or panel of the Council.”
This amendment, along with Amendment 209, guarantees representation for passenger groups on the Passengers’ Council.
The Chair
With this it will be convenient to discuss the following:
Amendment 209, in clause 37, page 20, line 4, leave out
“so far as it appears expedient”.
See explanatory statement for Amendment 208.
Amendment 65, in clause 37, page 20, line 14, at end insert—
“(3) When the Passengers’ Council makes representations under this section, either to the Secretary of State or Great British Railways, they are both under a duty to respond to those representations within the period of one month.”
This amendment would require the Secretary of State and Great British Railways to respond to any representations the Passengers’ Council makes under this section.
Amendment 235, in clause 37, page 20, line 14, at end insert —
“(3) The Passengers’ Council must, at least once every twelve months, assess the levels of satisfaction of users of public passenger railway services and report their finding in a manner which enables Great British Railways to fulfil its functions under section 3.”
This amendment would require the Passengers Council to assess levels of public passenger railway services’ satisfaction and report these in a manner which enables GBR to fulfil its functions.
New clause 22—Passengers’ Council: Membership and representation—
“(1) The Secretary of State must by regulations make provision about membership of the Passengers’ Council.
(2) Regulations under this section must make provision that the Passengers’ Council membership includes representatives from—
(a) local friends of stations organisations;
(b) local rail user groups;
(c) regional rail travellers’ associations;
(d) community rail partnerships;
(e) other national passenger groups.
(3) Regulations under this section must include provision about the representation of the Passengers’ Council on any board established by the Secretary of State to govern or otherwise oversee Great British Railways.
(4) Provision under subsection (3) must include—
(a) that any board includes in its membership a member of the Passengers’ Council,
(b) that the member of the Passengers’ Council who is a member of any such board must be elected to that post by a basic majority of members of the Passengers’ Council,
(c) provision about the operation of any election under paragraph (b), and
(d) that any member of the Passengers’ Council who is a member of a board under subsection (3) may vote on any decision made by that board.”
Edward Morello
I will speak in support of amendments 208 and 209, tabled in the name of my hon. Friend the Member for Didcot and Wantage. Amendment 208 would guarantee representation for rail passenger groups within the passengers’ council. In West Dorset, we are fortunate to have active and committed groups such as the Salisbury to Exeter rail user group and the west Dorset western area transport action group—they do have snappier acronyms. These organisations bring together passengers, MPs, councils and local communities to push for better services, improved stations, more resilient timetables and new trains. They lobby operators, Network Rail, the Department for Transport and others. They understand in detail what is working and what could be done better. Groups like these exist all over the country and their expertise and insight should be embedded in the passenger watchdog from the start.
Amendment 209 would strengthen that further by removing the vague caveat that representation should be included only
“so far as it appears expedient”.
The Bill promises a powerful new passenger champion that sets standards, investigates poor performance, and holds operators and GBR to account. We envisage that amendments 208 and 209 would do exactly that. I hope the Government will see the logic of supporting them.
Keir Mather
I thank the hon. Members for Didcot and Wantage and for Broadland and Fakenham for tabling these amendments, and the hon. Member for West Dorset for speaking to them. They seek to make changes to the governance and obligations of the passenger watchdog.
I will turn to amendments 208 and 209, which seek to ensure that rail passenger groups are represented within the passenger watchdog. The passengers’ council currently operates under the name Transport Focus and is led by a board of non-executive directors, including members for Scotland, Wales and London. These are statutory appointments as defined in the Railways Act 2005, and we are not amending those arrangements via the Bill.
Although we are not mandating specific representation of rail passenger groups on the board, the watchdog is a body that represents passengers, just like other rail passenger groups, and will directly engage with them. As mentioned, to ensure that happens, the Bill already requires that the watchdog must consult anyone who it thinks is appropriate and co-operate with other bodies representing the interests of passengers, including other rail passenger groups.
Amendment 209 seeks to delete the words
“so far as it appears expedient”
from the watchdog’s requirement to keep matters under review. Although the watchdog will be a powerful champion and will have resources to reflect that, we must ensure that it can focus its time and resources on the matters that have the most impact on passengers and prioritise its work as it sees appropriate. Without that caveat, it would be required to keep all matters affecting passengers under review, no matter how minor or trivial, which is not a reasonable duty to place on the watchdog.
Amendment 65 would set a deadline of one month for the Secretary of State and GBR to respond to any representations made by the passenger watchdog under clause 37. I agree with the hon. Member for Broadland and Fakenham that it is important for representations from the watchdog to be responded to efficiently, but more complex issues raised by it need careful consideration. Setting a uniform deadline could have the effect of rushing that consideration, which might not lead to the best outcomes for passengers. In fact, allowing more time to consider representations would increase the chances of actions being taken that might require a commitment of funding, so I do not think that such a deadline necessarily serves passengers. Additionally, having a duty to respond within a time period in the Bill that would be enforceable only through the courts could result in issues taking much longer to resolve. I therefore urge the hon. Member not to press the amendment.
Finally, amendment 235 would require the passenger watchdog to assess and report on passenger satisfaction at least once a year. Assessing passenger satisfaction is currently a well-established practice of the passengers’ council, which operates under the name Transport Focus, and that will not change with its transition into the new passenger watchdog. Transport Focus has a long record of collecting passenger feedback in the form of its rail user survey.
In addition, a new rail customer experience survey has recently been introduced. This is an industry-wide survey of customers’ experiences. It provides a crucial insight into rail customers’ experience, supporting the industry to achieve a better understanding of where it does well, where improvement is needed and what elements of the journey matter most to passengers. New survey data is provided every four weeks and the passenger watchdog will have access to the raw survey data to enable it to carry out its own independent analysis of the results.
The watchdog will publish its own analysis on a regular basis, as Transport Focus does currently, in the form of rail operator scorecards—including a GBR scorecard—that will be found on their websites and that will demonstrate to passengers which operators are performing well on passenger matters and which are not. Given Transport Focus’ long-established role in assessing rail passenger satisfaction, and the introduction of the new rail customer experience survey, I believe continuous monitoring of passenger experience is well established without this amendment. I therefore urge the hon. Member not to press the amendment.
The Chair
We are now slightly out of sync because the Minister has responded before the shadow Minister could make the case. I remind Members to bob after I put the question, even if the amendment itself is not mentioned when I put the question. I know it is slightly difficult. I will call the shadow Minister, then the Minister will respond very briefly.
Jerome Mayhew
I would not want to prevent the Minister from agreeing with me at some length. We have a slightly odd grouping here, because amendments 208 and 209 would amend clause 36, but the other amendments in the group would amend clause 37—perhaps that is where we have gone wrong.
I will not really speak on amendments 208 and 209, because the Liberal Democrats spokesman has indicated that he will not push them to a vote. In so far as they guarantee representation for passenger groups on the passengers’ council, we support the direction of travel, but as they are not progressing further, I will not say more.
Clause 37 deals with keeping matters under review and collecting information. The Minister has already set out a précis of what the clause—
The Chair
Order. I am sorry to interrupt the shadow Minister, but you should be talking to amendments you have tabled, amendment 235 and new clause 22, but not clause 37 itself.
Jerome Mayhew
I understand where you are coming from, Mrs Hobhouse. The problem is that the amendments relate to clause 37, not clause 36, so it is inevitable that I have to describe the clause. I am not speaking to the clause, but explaining how my amendment fits within it.
Jerome Mayhew
I am not going to repeat what the clause does, but it establishes only a passive role. The council must “keep under review” and “make representations”, but it has no proactive duty to investigate or intervene. That is quite a big omission, and it contrasts with what the Minister said in answer to written parliamentary question 76652. The Minister gave an assurance that the new watchdog will deliver clear and robust oversight, but the co-operation duty is narrowly drawn, excluding wider consumer and accessibility organisations.
As drafted, the council lacks a clear purpose—in fact, it does not even have a purpose clause—and the practical tools needed to act as the strengthened passenger watchdog the Government have promised. Without a purpose clause, there is no direction as to what the council should be making representations about. Even the title of clause 37 is anodyne: “Keeping matters under review and collecting information” is hardly a strong description of a watchman for the interests of the passenger. Having kept matters “under review”, its only power is to “make representations”, which of course is meaningless.
The Urban Transport Group expressed similar concerns in its written evidence to the Transport Committee:
“The Bill must ensure that the Passengers Council exercise their powers in relation to GBR as they would any other operator and that these hold weight. It is not enough for GBR to only be held meaningfully to account by the Secretary of State, who has varying responsibilities outside of rail, and who may not have the time to investigate instances of poor performance to the relevant level of scrutiny.
Further consideration should be given to the explicit powers and levers the Passengers’ Council will have”—
they are going to split the infinitive—
“to meaningfully hold GBR to account on behalf of users.”
There is a risk that the passengers’ council will be just a busy talking shop, with no ability to effect change. As drafted, it rather feels like an afterthought. For example, there are no enforcement powers, save for referral to the Office of Rail and Road. Under clause 37(1), the council will have the authority to
“make representations to…such persons as they think appropriate”
on
“matters affecting the interests of the public”.
In reality, that will mainly be to the Secretary of State and GBR, but there is no corresponding duty for either the Secretary of State or GBR to respond in any way to those representations. Consider that for a moment: there is a duty to make representations, and no duty to respond at all. It could not be more toothless if it tried.
Amendment 65, in my name, would go a modest way to rectifying the toothlessness of this representative body. It would simply require the Secretary of State and Great British Railways to respond to any representations the passengers’ council makes under this clause. Surely members of this Committee and the Government would agree that that is a reasonable expectation for the passengers’ council and the passengers it represents.
Amendment 235, in the name of the hon. Member for Didcot and Wantage, would require the passengers’ council to assess levels of satisfaction with public passenger railway services and report these in a manner that enables GBR to fulfil its functions. Any amendment, and this is one of them, that ensures greater transparency and therefore a better service from this organisation—
Olly Glover (Didcot and Wantage) (LD)
If the shadow Minister is talking about 235, that is one that he tabled, not me.
Jerome Mayhew
No wonder I agree with it so strongly. I put “LD” by it, but that is being unduly generous to the Liberal Democrats. It is an excellent amendment. As I was concluding, it would ensure greater transparency and, therefore, a better service from this organisation, so I have no hesitation in supporting amendment 235 and I hope that the Liberal Democrats join me in doing so.
Keir Mather
The Committee will be glad to hear that I do not intend to re-rehearse the argument that I pre-emptively set out in response to the amendments. On the broader point made by the hon. Member for Broadland and Fakenham about the passenger watchdog and its capabilities, I am of the view that having independent monitoring powers for the passenger experience, having investigation powers, having the ability to demand information by a deadline, enforcing an independent dispute resolution service, and making sure that minimum consumer standards are protected with the ability to escalate to the ORR for enforcement is a suite of measures that will allow the watchdog to fully account for the passenger experience. That relates both to this clause and ones that I am sure we will arrive at in short order. On that basis, I urge the hon. Member for West Dorset to withdraw his amendment.
Edward Morello
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 36 ordered to stand part of the Bill.
Clause 37
Keeping matters under review and collecting information
Amendment proposed: 65, in clause 37, page 20, line 14, at end insert—
“(3) When the Passengers’ Council makes representations under this section, either to the Secretary of State or Great British Railways, they are both under a duty to respond to those representations within the period of one month.”—(Jerome Mayhew.)
This amendment would require the Secretary of State and Great British Railways to respond to any representations the Passengers’ Council makes under this section.
Question put, That the amendment be made.
Keir Mather
I am pleased to speak to clauses 37 and 38 relating to the passenger watchdog’s duty to keep matters under review and its power to collect information. Clause 37 ensures that the passenger watchdog proactively monitors any matters affecting passengers, whether they relate to passenger services or stations. It also requires the watchdog to consult relevant people and to co-operate with other bodies that represent passengers, such as London TravelWatch. Clause 37 also gives the watchdog the power to collect information so it can effectively monitor the passenger experience.
The clause will ensure that the watchdog is proactive and has a good overview of any emerging issues that may impact passengers. It will also ensure that the watchdog engages and co-operates with relevant bodies and seeks information to effectively address potential issues with the passenger experience. I hope hon. Members will agree that that power is fundamental to the effectiveness of the watchdog as a passenger champion.
Finally, clause 38 will enable the passenger watchdog to enter into agreements with other public bodies so that, if necessary, they can perform the functions under clause 37 instead of the watchdog itself. The Secretary of State’s consent is required before entering into agreements under the clause. The clause replicates section 76A of the Railways Act 1993, which we wish to retain for cases where another body could keep certain passenger matters under review more effectively than the watchdog. That could, for example, happen in a certain geographical area where there is an effective devolved body with specialised local knowledge. The clause supports the watchdog to operate as an effective passenger champion by ensuring that it can flexibly co-operate with local bodies to the overall benefit of passengers.
Jerome Mayhew
I am not going to reheat the discussions that we have already enjoyed on clause 37, and clause 38 simply replicates the 1993 Act. We are happy for the clauses to proceed without amendment.
Question put and agreed to.
Clause 37 accordingly ordered to stand part of the Bill.
Clause 38 ordered to stand part of the Bill.
Clause 39
Investigations
Olly Glover
I beg to move amendment 142, in clause 39, page 21, line 19, at end insert—
“(1A) The Passengers’ Council must not investigate a matter unless the matter has been considered first by Great British Railways and is subject to an appeal for further consideration.”
This amendment makes Great British Railways the first stage of a complaint submitted, with the Passenger Standards Council the appellant body should the complainant not be satisfied by the response from Great British Railways.
Olly Glover
I can be very concise, Mrs Hobhouse. We consider the provisions on the passengers’ council to be among the stronger components of the Bill. Some sound thinking is involved.
Amendment 142 is a very basic amendment that aims simply to reduce red tape and bureaucracy. All it would do is ensure that when a complaint is submitted, the first stage is for GBR to look at it. It will be a GBR issue, because GBR is going to run everything. If the appellant body is not satisfied with the response from GBR, the complaint can by all means go to the passengers’ council for investigation.
If the complaint goes first to the passengers’ council, what will happen in pretty much every case is that the council will have to go to GBR to find out the facts. How else will it know them? I hope that the amendment is uncontentious, but if the Minister does not agree I am sure he will give a typically eloquent explanation.
Jerome Mayhew
The clause sets out the circumstances in which the passengers’ council must—that is “must”, not “may”—investigate matters relating to railway passenger services or station services. I could provide a long description of the clause, but I will leave that to the Minister, who I know will want to explain it to the Committee.
Essentially, the Bill largely lifts the current framework into the GBR model, so I can see why no amendment would be needed, although Ministers should clarify how the national and London watchdogs will co-ordinate on cross-boundary issues. I will be grateful for an explanation of how the Minister will undertake the balancing act between GBR and the London Transport Users Committee.
There is, however, a big issue with the current wording of the clause. It requires the council actively to
“investigate any matter relating to the provision of railway passenger services”
put to it by members of the public, as well as others. That sounds great, but from a practical perspective, there are 1.75 billion passenger journeys each year. The potential issues with the service that passengers receive will run into the tens of thousands every year, yet the drafting of the clause will impose a legal duty on the passengers’ council to investigate every single one of them, unless they are “frivolous or vexatious”.
“Frivolous” and “vexatious” are legal terms. To demonstrate that something is vexatious is a very high bar for the passengers’ council: it would typically have to provide evidence of multiple previous complaints on a similar subject that came to nothing. That is what “vexatious” means, and “frivolous” is not far off it. The Minister, perhaps unwittingly, is creating an enormous a legal duty and a vast workstream for the host organisation that is becoming the passengers’ council, which has fewer than 30 members of staff.
Edward Morello
I wonder whether the shadow Minister’s line of argument actually supports the Liberal Democrat amendment. The vast majority of those claims could be resolved by GBR via a repayment or penalty, without ever getting to the passengers’ council in the first place.
Jerome Mayhew
The hon. Member is absolutely right that there is a sequence of complaint. Before going to an external body, one would typically be expected to have exhausted the internal complaints procedure of the organisation against which one is complaining. It would be perfectly reasonable for the passenger watchdog’s first questions to be, “Have you complained to GBR? If so, what did it say?” In fact, that might be its working definition of frivolousness: going straight to the watchdog without having made a complaint.
I warn the Minister that the current wording is an open chequebook. It could lead to a huge amount of work for an organisation that is not currently set up to deal with it, and which would require significant funds from somewhere to do so. What assessment of demand has been undertaken for council investigation powers? What budget has been earmarked for the huge increase in workload? Transport Focus, the host organisation, currently has fewer than 30 staff—I speak from memory and stand to be corrected, but when I visited there were something like 22 staff. To what size does the Minister anticipate expanding Transport Focus or the new passenger watchdog?
Amendment 142 would make GBR the first stage of a complaint submitted, with the passenger standards council as the appellant body should the complaint not be satisfied by the response from Great British Railways. I doubt whether it needs an amendment to primary legislation, but it would be the right sequence for any complainant to exhaust the in-house complaints procedure first. Does the Minister not mean the passengers’ council to have the authority to pick and choose its investigations? If he does not, he should stick with the current wording; if he does, he should think again.
Keir Mather
The shadow Minister asked about the interaction between Transport Focus and London TravelWatch in instances in which cross-border services might need active deliberation between the two organisations. They currently operate under a memorandum of understanding, and I understand that they are planning to update it when the Bill becomes more mature, which will allow them to develop a consistent framework for dealing with cross-border issues. Where a case is under investigation and is fully within the London railway area, it falls within the remit of London TravelWatch: rightly, the passenger watchdog must refer the case to London TravelWatch as the independent expert on travel in the London area.
The shadow Minister also asked some operational questions about the passenger watchdog’s budgetary planning and the size of its staff. Those matters will be actively developed later in the process, once we have set the legislative foundation for the organisation to be created.
The shadow Minister made a fair point about the principle of investigation, but intensive investigations are one thing, and the ability to have regard to complaints that are not vexatious is quite another.
Jerome Mayhew
That is all very well, but it is not the wording of the Bill. The text does not say “have regard to”; it is a mandatory requirement to investigate every single allegation. I totally understand where the Minister says he is coming from, but unfortunately his Bill does not agree with him.
Keir Mather
My point is that the shadow Minister’s interpretation of the term “investigation” might diverge slightly from mine in respect of what we expect the passenger watchdog to do in relation to each individual complaint that it may receive, and especially to those that are vexatious or frivolous.
On the broader point, I thank the hon. Member for Didcot and Wantage for his amendment, which would require the passenger watchdog to wait until GBR has considered an issue before investigating it itself. He is right to point out that individual passenger complaints should go to operators, including GBR, in the first instance. If the passenger is unable to get a satisfactory resolution to their complaint, they can raise the issue with the watchdog through the service provided by the rail ombudsman for independent dispute resolution. As the amendment suggests, that is a very sensible process.
However, there are times when the watchdog will need to investigate issues before or instead of operators. For example, if an issue falls outside the scope of the ombudsman service, or if the issue is systemic and persistent and cannot be appropriately dealt with by a single operator, the watchdog may decide to open its own investigation.
We expect the watchdog to actively investigate a wide range of issues beyond individual passenger complaints and GBR services. They could include systemic or cross-industry issues in the provision of passenger assistance, such as the issues that we have unfortunately seen on the railway in the past, or persistent issues with punctuality, open access or devolved services. The amendment is therefore not appropriate, as it would unnecessarily restrict the watchdog’s ability to act freely on behalf of the passenger. I do not support restricting in legislation which issues the watchdog can investigate.
Jerome Mayhew
I recognise that the Minister has his line to take and that there will be lots of angry people sitting behind him at tea time if he makes any concessions. However, a simple amendment to the wording of the mandatory requirement in clause 39(1), paragraphs (a) to (e), would give the passenger watchdog the ability to pick and choose. Changing “or” to “and” at the end of paragraph (d), before
“it appears to the Council that the matter is one that the Council ought to investigate”,
would surely provide the flexibility that everyone probably thinks is necessary.
Keir Mather
I will happily let the shadow Minister intervene again, because I would like to seek clarity on how inserting “and” would allow the watchdog to choose whether it has to investigate something in the first instance.
Jerome Mayhew
In the wording of clause 39(1), at the moment paragraphs (a) to (e) are additional. If the “or” in
“or…it appears to the Council”
at the end of paragraph (d) were replaced with “and”, there would be a two-part test. The council would receive complaints from all the kinds of people in paragraphs (a) to (d), and the second part of the test would be that
“it appears to the Council that the matter is one that the Council ought to investigate.”
That would give agency to the council to monitor and choose the most important things for it to investigate.
The Chair
I remind the Minister that this is not part of the amendment that has been proposed. Could he therefore wind up? The shadow Minister is welcome to table a new amendment, but his proposal is not relevant to this afternoon’s discussion.
Keir Mather
I thank the shadow Minister for his contribution. Perhaps, in slower time, he can walk me through each specific provision and we can come to a determination as to the intent that he outlined, but for the moment—at your discretion, Mrs Hobhouse—I will proceed with the matter at hand.
I do not support restricting in legislation which issues the watchdog can investigate. The watchdog will already be working closely with GBR to ensure that GBR can respond to its own passenger issues effectively and according to best practice and will not duplicate investigations unless it is necessary to do so. I therefore urge the hon. Member for Didcot and Wantage to withdraw amendment 142.
Clause 39 will enable the passenger watchdog to investigate matters relating to railway passenger services or station services. The clause places a duty on the watchdog to conduct investigations in certain circumstances. For example, the watchdog must investigate any matters referred to it by passengers, potential passengers or organisations representing passengers provided that the matters are not vexatious. It must also investigate any issues referred to it by the Secretary of State, Scottish and Welsh Ministers or the ORR, and anything that it appears to the watchdog that it ought to investigate.
If the matters fall wholly within the London railway area, the passenger watchdog must refer it to the London Transport Users Committee. Transport Focus, the body out of which the watchdog will be built, has a duty to investigate matters referred to it, but the clause expands the list of people who may refer cases for investigation, to reflect the central role of the watchdog, its role in the reformed railway and the importance of passenger experience to this Government.
Olly Glover
I hear what the Minister says. I still think that the logical wording of the clause could be ameliorated, but I shall leave that to the Government and spare the Committee a Division. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 39 ordered to stand part of the Bill.
Clause 40
Power to obtain information
Jerome Mayhew
I beg to move amendment 66, in clause 40, page 22, line 11, leave out subsections (5)(a) and (5)(b) and insert
“the Passengers’ Council may take such action (if any) as it thinks appropriate.”
This amendment would give the Passengers’ Council enforcement powers when its requests for information are not met.
The Chair
With this it will be convenient to discuss the following:
Clause stand part.
Clause 41 stand part.
Jerome Mayhew
It is much easier when I start with the amendment, because then I know where I am. This clause is about the power to obtain information. I will leave it to the Minister to give a précis, but it seeks to create a sensible power for the passengers’ council to be able to require the provision of information. However, the council has no power to compel compliance—it may only refer the matter further, to the Office of Rail and Road—so we begin to get into one of the problems with the passengers’ council, which is that it has no enforcement powers at all. Any teeth that are associated with the works of the passengers’ council come only from the economic regulator, soon to be just the safety regulator: the ORR. That will lead to some serious problems.
There is no proposal to require the ORR, as a regulating body with no enforcement powers, to take the preparatory work of the passengers’ council as automatically worthy of acceptance without reinvestigation. That is quite a serious point, because when an investigation undertaken by the passengers’ council comes to a roadblock that it feels requires some kind of enforcement action, it has to go to a separate body, the Office of Rail and Road, because the Government do not intend to give the council any real powers of its own. The ORR, as an independent regulator and enforcement body, then has to start the investigation de novo. It has no ability to take as read the investigation work of the passengers’ council.
That will create the bizarre situation of the ORR having to reinvestigate as an enforcing body, which is a quasi-judicial function, and then come to a decision every single time the passengers’ council refers any matter to it. Surely the Minister can do better than that, with all the resources of his many civil servants and drafting professionals in the Department. That messy process will lead to delay and uncertain enforcement—hardly the stuff of empowering passengers.
I fear that those on the Treasury Bench have asserted that the watchdog will be a nightwatchman, but the Department has granted it no enforcement powers or powers to compel. That will be bitterly disappointing to many rail passenger groups and advocates. When an issue arises and the council begins an investigation, it will inevitably require information. If it is unable to get that information, it must ask the ORR to step in and take over. We heard a lot about that in evidence to the Transport Committee. For example, Emma Vogelmann of Transport for All said:
“In terms of the watchdog itself, I have briefly touched on this already, but we feel very much that the passengers’ council really needs to be given enforcement powers to be able to take proper action on cases that are involving accessibility breaches. In cases where things do get referred up to the ORR, we would like there to be a statutory duty on them to act on those referrals made by the passengers’ council, and to have those outcomes within a clear timeframe.”
Another point she makes is that the ORR does not have to do anything. The passengers’ council can refer a matter to the ORR, but the ORR can say, “We’re busy, thank you, and we don’t think it is important.” It has no obligation to act.
Keir Mather
I turn first to the shadow Minister’s point about either diffusing enforcement capabilities between the ORR and the passenger watchdog or seeking to double them up as part of legislation that is designed to rationalise and simplify notions of accountability and enforcement within the railway. Under the system outlined in the Bill, the ORR can use the findings of the watchdog; the watchdog just has to make its own assessment of the materials given to it by the ORR. In my view, that does not constitute the same thing as reinvestigating a matter. The intention is for the ORR to be made aware of the passenger watchdog’s work at every step toward referral by the watchdog itself. There is therefore a low risk of the ORR having to retake steps, given that it is actively consulted as that process unfolds.
I will now speak directly to amendment 66 and clauses 40 and 41. As the shadow Minister has outlined, amendment 66 would give the passenger watchdog enforcement powers when its requests for information were not met. The Government are creating a strong passenger watchdog that will have powers to monitor passenger experience, and to hold GBR and others to account. Although it will not have full enforcement powers, it will be able to demand information from operators to a deadline, investigate problems, demand improvement plans and refer cases for enforcement action to the ORR. It is important to have one clear enforcement body for the entire sector to avoid duplication or confusion for industry. If there were two bodies with enforcement powers, the risk of conflicting enforcement steers creating additional bureaucracy would be too high.
The ORR will therefore enforce GBR’s new streamlined licence, ensuring that the organisation meets its industry obligations and all minimum standards, including passenger standards. As it does today, the ORR will enforce all other railway licences to ensure that there is an independent, consistent enforcement body for the sector. We expect our licence proposals to include a condition requiring operators to co-operate with the passenger watchdog. That will help to ensure that other licensed operators co-operate with requests from the watchdog. That type of provision is typically found in operator licences. For example, there is a similar requirement for operators to co-operate with Transport Focus today. For those reasons, the amendment is not necessary.
Turning to clauses 40 and 41, clause 40 gives the passenger watchdog the power to request the necessary information to effectively carry out investigations into issues affecting passengers. That information could be requested from train or station operators including, of course, GBR. The information must be provided to the watchdog within a reasonable timeframe, unless the person did not have, or could not reasonably obtain, the information. If the watchdog did not receive a satisfactory response to its information request, it could refer the matter to the ORR, which will continue to act as the enforcement body for the rail sector. The watchdog’s power to request information from operators to a deadline is a new one, demonstrating the Government’s commitment to a strong passenger champion that can make an impact on the railway. That will ensure that the watchdog can carry out its investigations effectively and in a timely manner.
Clause 41 protects any information where the person who provided the information has requested that it be held in confidence. That will ensure that confidential or sensitive information is not published or disclosed by the watchdog, with some sensible exceptions such as ensuring that the watchdog can refer the matter to the ORR for enforcement and that relevant law is complied with. Clause 41 also ensures that information held by a rail operator that may help an investigation but is sensitive or confidential—due to its commercial nature, for example—will not be published in any investigation reports. That will encourage operators to share information and ensure that the watchdog can carry out any investigation effectively while protecting confidential information.
Jerome Mayhew
The Minister’s argument is clearly—is it parliamentary to say nonsense? I hope it is. His argument, that the industry will be confused if the passengers’ council is able to enforce its own deliberations, is ridiculous; he just has to think about it. The ORR has its areas of competence on which it enforces, and the passengers’ council has its areas of competence; they are discrete. Where confusion might really arise is if the passengers’ council thinks it is trying to get information and is stymied by the ORR taking a different view, which is the position the Minister has put forward. I have no hesitation in pushing the amendment to a vote.
Question put, That the amendment be made.
Jerome Mayhew
I beg to move amendment 67, in clause 42, page 23, line 7, leave out subsection (2).
The Chair
With this it will be convenient to discuss the following:
Amendment 68, in clause 42, page 23, line 17, leave out subsection (3)(b)(ii).
This amendment would require the ORR to take action where a contravention has been referred to it.
Clause stand part.
Jerome Mayhew
The amendments relate to clause 42, so I will explain what that clause seeks to achieve. Its title is “Representations and referrals”, and its focus is on introducing a power so that
“the Passengers’ Council may make representations to such persons as it thinks appropriate for the purpose”,
such as train or station operators, to resolve a matter under investigation.
If the passengers’ council believes that an operator
“is contravening, or likely to contravene”
its licence obligations, it must either engage with the operator directly, as we will discuss further when we consider clause 47, and/or refer the matter to the ORR and notify the Secretary of State. There are various other things that clause 42 does, but those are the main things.
The clause makes it clear that even after a passengers’ council investigation has identified a licence breach, the ORR retains complete discretion on whether or not to act. Once again, that will create a two-stage process in which the council must refer breaches that it cannot resolve itself, but the body receiving the referral is not obliged to act on it, or to intervene. Therefore, the watchdog investigates, but only the ORR can enforce, which it can choose not to do. That structure falls way short of the supposed strengthened passenger accountability model described by Ministers, and it serves only to risk causing prolonged delays for passengers who face ongoing harm, to the extent that a licence provision is breached, without a guaranteed remedy.
Thus far, we have not seen a clear rationale as to why the Government would create a watchdog only for it not to have any enforcement powers. It prompts the question: “What’s the point?” Evidence to the Transport Committee was very clear—the passengers’ council needs to have enforcement powers of its own to do the job envisaged for it. At the very least, if the ORR is to remain the enforcement body, there should not be a weeding process between the decisions of the passengers’ council and the ORR; the ORR should at least get on and enforce. That is what amendments 67 and 68 would achieve, by requiring the ORR to take action when a contravention had been referred to it.
Keir Mather
I thank the hon. Member for the amendments, which would require the ORR to take action in the event of a referral from the passenger watchdog.
First, I will point out that enforcement actions by the ORR are not the only way in which problems can be solved. The Bill gives the watchdog the power to request improvement plans, to allow operators to explain their planned improvements and agree them with the watchdog before issues are referred to the ORR for potential enforcement action. That is likely to be a faster way to get improvements for passengers than going straight to enforcement action.
I appreciate the intention behind the amendments, which is to ensure that the watchdog will be listened to; it is an intention that the Government support. However, it is also important that the ORR, as the sector regulator, is able to take a broader view before deciding whether enforcement action is appropriate. That is because the passenger watchdog is only a passenger champion—it has a sole focus—and, by comparison, the ORR is the regulator for the whole sector and has to take into account a wide range of matters. If that were not the case, enforcement decisions could be taken that were good for the passenger but had a negative impact on the network as a whole. Each time that the ORR makes a decision, it must transparently explain its rationale to the watchdog on that basis. Therefore, in our view these amendments are unnecessary and I urge the hon. Member to withdraw them.
Clause 42 will give the passenger watchdog the power to:
“make representations to such persons as it thinks appropriate”,
in order to resolve a matter under investigation. If the watchdog believes that an operator is currently
“contravening, or likely to contravene”
its licence obligations, it must either engage with the operator directly to request an improvement plan or refer the matter to the ORR and inform the Secretary of State that it has done so.
If the case is referred to the ORR, the ORR can choose whether to take enforcement action or not. It must then inform the watchdog and the Secretary of State of its decision. That will ensure that the watchdog can act independently to resolve problems through engagement with operators and by directly engaging with the ORR when necessary. Without clause 42, the watchdog would not be able to effectively resolve matters that it had investigated and follow up on them. I commend the clause to the Committee.
Jerome Mayhew
I am not persuaded by the Minister. There are two amendments. In order to save time, I will press the first one to a Division, and the outcome of that will determine whether or not I press the second one to a Division.
Question put, That the amendment be made.
Edward Morello
I beg to move amendment 138, in clause 43, page 23, line 21, leave out
“may prepare a report of its findings”
and insert
“must publish and lay before Parliament a report of its findings”.
This amendment requires the Passengers’ Council to prepare a report of findings after an investigation and ensures any report is laid before Parliament.
The Chair
With this it will be convenient to discuss the following:
Amendment 69, in clause 43, page 23, line 33, leave out “may” and insert “must”.
This amendment would require the Passengers’ Council to publish any report on a matter investigated under section 39.
Amendment 70, in clause 43, page 23, line 33, at end insert—
“(3A) The report must be published within six months of the completion of the investigation.”
This amendment would require the Passengers’ Council to publish its report within six months of completing the investigation.
Amendment 140, in clause 43, page 23, line 34, leave out subsection (4).
This amendment removes the requirement that the Passengers' Council must obtain the Secretary of State’s consent before sending or publishing a report if the investigation resulted from a referral by the Secretary of State, by the Scottish Ministers or by the Welsh Ministers.
Clause stand part.
Edward Morello
My hon. Friend, who is departing the Committee, and I are tag teaming, Mrs Hobhouse. Clause 43 sets out the powers of the passengers’ council when it investigates problems affecting rail users. Amendments 138 and 140 would strengthen transparency, independence and parliamentary scrutiny.
Amendment 138 would require the passengers’ council to publish its findings and lay them before Parliament after an investigation, rather than that just being an option. It would ensure that evidence was made public and that Parliament could see clearly where the system was or could be failing passengers. Amendment 140 would remove the requirement for the passengers’ council to obtain the Secretary of State’s consent before publishing a report where the investigation had been referred by Ministers. We have all lived through the experience of reports going into the bottom drawer of desks, never to be seen again, and we would like to create a situation here where that does not happen.
A watchdog cannot be effective if the person who triggered the investigation can also control whether its conclusions are published. The amendments would ensure that the passengers’ council had teeth, could operate independently and could report honestly without political interference. Together, amendments 138 and 140 would strengthen accountability, protect the integrity of the passenger watchdog, and ensure Parliament and the public are properly informed when things go wrong on our railways. On the recommendation of my hon. Friend the Member for Didcot and Wantage, we intend to press amendment 138 to a Division.
Daniel Francis
London TravelWatch is a large organisation, and I used to chair some of its casework committees. It deals with and reports on a huge range of issues and, like Passenger Focus, it deals not just with trains but with other modes of transport. I made recommendations on a range of issues. I remember making recommendations to Eurostar about issues regarding disabled passengers. I remember making recommendations regarding changes to timetables. There were some significant issues that one would want to issue a report on. There was an issue back then for South Western about how Network Rail and the train operator were integrating, and a report had to be commissioned. There will be reports that are really to say to the operator, “You need to look at this specific issue.” We do not need to make it mandatory that all those reports are tabled in this House, with the bureaucracy that brings.
Edward Morello
I absolutely take the hon. Gentleman’s point that we are snowed under with paperwork in this place at the best of times. I think there is a difference between providing a report to Parliament as standard, allowing Parliament to make the decision on whether it needs to be scrutinised, and the council or any other part of the regulator having the power to decide itself whether a report should go before Parliament.
The issue is where the balance of power should lie regarding whether Parliament has the right to scrutinise a report. All our amendment seeks to do is, by making it mandatory, to return the weighting and the power to Parliament on those issues.
Daniel Francis
I do not think this provision needs to be on the face of the Bill. These issues already exist; there are examples where the passenger watchdog and the Transport Committee would be looking at the same matter. There would be examples with other Departments where an ombudsman would also be looking at something in a similar vein to a Select Committee. My view is that it would be an overly bureaucratic system. Passenger watchdogs issue many reports, and some are on very serious matters, but sometimes they need to issue a report that is not at that level, and I do not believe these amendments are necessary.
Jerome Mayhew
Under clause 43, the passengers’ council can prepare, send and publish a report of its findings in an investigation, but it must obtain the Secretary of State’s consent before sending or publishing a report if the investigation was undertaken following a referral. Similar provisions exist for the Scottish and Welsh Ministers. The wording of subsection (3) makes publication discretionary even after a full investigation and subsection (4) requires ministerial consent before publishing any report arising from a referral.
As the explanatory notes confirm, that structure gives Ministers an effective veto over publication. Why should the Minister have a veto over publication when the organisation being investigated is their own creation? If the state has created a toothless investigation watchdog body that, despite its lack of enforcement powers, has managed to do an investigation, write a report that is no doubt critical of the state, GBR or perhaps even the Secretary of State and the Department for Transport, the Secretary of State, or the Scottish or Welsh Minister can, for whatever reason they like, veto its publication. They can muzzle the watchdog at whim.
That risks undermining the whole process—where is the transparency?—and weakens the credibility of the new watchdog. If the aim is to strengthen passenger oversight, investigation reports should be published as a matter of course, with only narrowly defined exemptions for confidentiality or commercial reasons. Transport for All explains in its written evidence to the Transport Committee how that will affect passengers:
“Clauses 42-47 empower the Passengers’ Council to receive complaints, investigate issues, and identify potential breaches of licence conditions. However, the Council has no power to compel corrective action, issue penalties, or enforce compliance. If it identifies significant accessibility failings, it must refer the matter to the ORR, which retains full discretion over whether to investigate or take enforcement action.
Disabled passengers already face disproportionate obstacles when raising complaints, and this indirect model appears to add another layer of bureaucracy without increasing accountability. We worry that it will create further delays, weaken enforcement, confuse passengers, and result in inconsistent redress. A watchdog without enforcement powers is fundamentally limited in its capacity to protect passengers’ rights or drive accessibility improvements.”
Amendment 69 requires the passengers’ council to publish any report on a matter investigated under clause 39. That will create greater transparency and accountability in the new watchdog. Frankly, if the Government are serious about supporting the rights of passengers, rather than designing in an ability to hide embarrassing conclusions, they must support this amendment.
Amendment 70 would require the passengers’ council to publish its report within six months of completing the investigation. Having in statute a specific timeframe in which a report must be published would create a sense of urgency, or at least of purpose, and a culture would develop within the organisation that placed high importance on those reports—exactly as it should.
Amendments 138, tabled in the name of the Liberal Democrats—presumably the hon. Member for Didcot and Wantage—would require the passenger’s council to prepare a report of findings after an investigation and ensure that any report is laid before Parliament. It is another attempt to strengthen the reporting requirements from a different angle and should be supported because it is seeking to achieve a similar outcome to my own amendments.
Amendment 140, also in the name of the hon. Member,
“removes the requirement that the Passengers’ Council must obtain the Secretary of State’s consent before sending or publishing a report if the investigation resulted from a referral by the Secretary of State”.
Amendment 69 is a mandatory requirement that they must publish every report. If that is not acceptable to the Government for whatever reason, then amendment 140 is a slight variation on the theme in that it takes the discretion away from the Secretary of State and leaves it where it properly lies, if there is to be discretion: with the passenger watchdog. That body, surely, having undertaken the investigation, written the report and come to a conclusion, are best placed to decide whether it is in the public interest to publish, not the owner of the nationalised industry that is being investigated.
Keir Mather
I thank hon. Members for these amendments, which all relate to the passenger watchdog’s investigation reports. I will begin with amendments 138 and 69, which both require the watchdog to publish its investigation reports. Amendment 138 also requires the watchdog to lay the reports before Parliament.
First, I would like to reassure the Committee that the passenger watchdog will routinely publish reports of all its investigations. The watchdog also has an obligation under the Railways Act 2005 to prepare a report of its activities at the end of each financial year, which the Secretary of State must lay before Parliament. That obligation will remain unchanged and will ensure there is transparency and parliamentary scrutiny around the watchdog’s activities.
However, it is worth saying that, for matters referred to it by the Government and the ORR, there must be an opportunity for the referees to review the watchdog’s findings and consider next steps before reports are published. The watchdog’s investigations may also uncover issues that need to be kept confidential, for instance commercially sensitive issues that should not be shared publicly. For those reasons, I do not support the amendments. The existing transparency and security requirements on the watchdog are comprehensive enough to ensure that the public and Parliament have access to investigation results and general reporting without compromising sensitive information.
I thank the hon. Member for Broadland and Fakenham for amendment 70, which would require the passenger watchdog to publish reports of its investigations within six months of completing them. Although we would expect the watchdog to publish reports of all investigations within a reasonable timeframe, it is important that it has some discretion. The watchdog’s investigation may uncover issues that need to be considered carefully and some investigations will naturally be more complex and time-consuming than others, for example investigations into persistent cross-industry issues involving multiple operators and regions.
Transport Focus has raised concerns that setting a deadline may force it to hasten or reduce the scope of investigations, which is not in the passenger’s interest. Transport Focus also has arrangements in place to raise urgent issues with operators, which would continue, so it can act quickly to solve problems for passengers in parallel with investigations if needed. In some cases, reports may benefit from being shared in draft, with time allowed for those impacted to consider improvements. The watchdog should have the flexibility, in that instance, to seek the best outcome for passengers. For those reasons, I do not support a statutory requirement to publish all investigation reports to a six-month deadline.
I thank the hon. Member for West Dorset for amendment 140, which proposes to remove the requirement for the Scottish or Welsh Ministers or the Secretary of State to consent to the publication of an investigation report on issues that they referred to the watchdog. Clause 43 is intended to ensure that Ministers have an opportunity to review the investigation report on matters they have referred to the council before the report is published. That is especially important where the matter under investigation is sensitive and needs some discretion to raise issues carefully and privately, as that may be the best and quickest way to get action for passengers. One example would be issues relating to availability of funding, where Ministers will need to weigh that up carefully against other priorities.
For those reasons, I do not support removing the requirement for ministerial consent before the council sends or publishes a report of an investigation resulting from a referral by the Secretary of State or by Scottish or Welsh Ministers. We are not expecting Ministers to refuse consent to publication, but the clause is a necessary safeguard to protect confidential information, to allow issues to be weighed up carefully and to ensure that problems are fixed for passengers as swiftly as possible. I urge the hon. Member to withdraw the amendment.
Finally, clause 43 will enable the passenger watchdog to prepare, share and publish reports of its investigation findings. As I have already set out to the Committee, the watchdog must obtain the Secretary of State’s consent before sending or publishing a report if the investigation was undertaken following a referral from the Secretary of State. Similar provision is in place if the investigation has been undertaken following a referral from Scottish or Welsh Ministers. If the investigation was undertaken following a referral from the ORR, the watchdog must inform the ORR before publishing a report of its findings. The clause will ensure that findings of the investigations are transparent and available to the public and Parliament, so that train operators, including GBR, can be held to account for the way they are treating passengers.
The Chair
With this it will be convenient to discuss the following:
Clause 45 stand part.
New clause 46—Complaints statistics—
“(1) At least twice each year, Great British Railways must provide to the Office of Rail and Road the number of complaints closed by each passenger service designated by the Secretary of State.
(2) The Office of Rail and Road must publish the statistics received under subsection (1) at least twice each year.”
This new clause would ensure that the ORR would continue to publish data on complaints in the same manner as they currently do.
Keir Mather
With your permission, Mrs Hobhouse, I will speak to the clauses now and address the new clause once I have heard the shadow Minister’s remarks.
Clauses 44 and 45 relate to complaints and dispute resolution. Clause 44 designates the passenger watchdog as the body that will deal with complaints about potential infringements to retained EU law on rail passenger rights. Retained EU law on rail passenger rights includes requirements on operators to provide travel information to passengers and assistance to passengers who need it to travel.
Transport Focus is currently the body designated to receive complaints about potential infringements to retained EU law on rail passenger rights. The Bill consolidates the existing regulation to ensure that Transport Focus retains that role when it becomes the passenger watchdog. The clause therefore replaces the existing regulations on this matter. That will ensure that operators are held to the same, or indeed higher, standards for passenger experience, and that there is still a body clearly responsible for monitoring and addressing such complaints.
Cause 45 places a duty on the passenger watchdog to provide an independent alternative dispute resolution service to users and potential users of train and station services. The watchdog will take over sponsorship of the Rail Ombudsman from the ORR to fulfil that duty, ensuring that the watchdog provides an independent service to rail passengers that can handle disputes between passengers and service operators fairly and impartially.
Transferring the sponsorship of the Rail Ombudsman to the passenger watchdog will provide an effective independent service that has the appropriate third-party accreditation. That includes ombudsman status, which gives it the power to require remedial action from operators on passenger complaints that it upholds. The clause will ensure that the watchdog has the legal obligation to continue to provide an alternative dispute resolution service, even after the existing contract with the Rail Ombudsman expires in 2028.
Jerome Mayhew
I have nothing to add on clause 44. Clause 45 provides a duty for the passengers’ council to secure independent dispute resolution arrangements. As the Minister just said, it is anticipated—according to the explanatory notes, at least—that it will take over sponsorship of the Rail Ombudsman from the ORR in order to fulfil that duty.
I want to ask the Minister what powers the dispute resolution function will have, because the Bill and the explanatory notes are entirely silent. That is the modus operandi that we have become used to during the course of these Bill proceedings: there is endless putting off, and the detail has not been thought out—or, certainly, not shared. This seems to be a similar case.
New clause 46, in my name, would ensure that the Office of Rail and Road continued to publish data on complaints in the same manner as it currently does. During a significant transition such as the creation of GBR, it is crucial that data collection and publication are maintained in a manner that allows for accurate comparison—another small but important point. The new clause would achieve that objective. The alternative is to risk an inability to make like-for-like comparison, which of course would let the new organisation off the hook. Without continuity of data collection and publishing, GBR would be able to avoid comparative scrutiny.
Keir Mather
I thank the shadow Minister for his remarks. We consulted the industry and the public on the future of the content and functions of the alternative dispute resolution service, and identified that the transfer of the Rail Ombudsman sponsorship to the watchdog represents the simplest option with the least disruption to the passenger experience. That choice was supported by both Transport Focus and the Rail Delivery Group.
In the current service, decisions on disputes are made by legally trained staff. That gives passengers and operators assurance and confidence that disputes are handled fairly and correctly. The resolutions are binding, and the impartiality and neutrality between passengers and operators ensures that disputes are resolved fairly. Passengers achieve fair solutions, and operators are required to issue reasonable compensation. That places the balance of duty on operators while ensuring that the passenger experience is at the heart of what the ADR service is there to facilitate. If the shadow Minister requires any further information, I will happily seek it out and provide it.
On new clause 46, I assure the shadow Minister that the ORR will retain its role as the official publisher of rail statistics. As now the frequency of publication is not dictated by law, which enables flexibility and allows the collection of data to be proportionate and needs-based and ensuring necessary levels of transparency. Detailed arrangements for the collection of data by the ORR in the new system will be worked through with GBR once it is established. However, the current system provides a great deal of transparency and we do not propose to reduce that going forward.
The passenger watchdog will have access to the data collected by the ORR and be able to use it to identify issues in areas for improvement for passengers and to follow up. I therefore hope that the shadow Minister will feel that this matter is already addressed by the Bill and existing legislation and will seek to withdraw his amendment. I also thank him for his contributions.
Question put and agreed to.
Clause 44 accordingly ordered to stand part of the Bill.
Clause 45 ordered to stand part of the Bill.
Clause 46
Standards
Jerome Mayhew
I beg to move amendment 71, in clause 46, page 24, line 26, after “for” insert
“all users and potential users of the railways including, in particular,”.
This amendment allows the Passenger Council to set access standards for all users and potential users of the railway.
The Chair
With this it will be convenient to discuss the following:
Amendment 72, in clause 46, page 24, line 33, at end insert—
“(e) passenger service reliability, including punctuality, cancellations, short-forming, delays and the reliability of key connections,
(f) safety and security, including safety incidents, security incidents affecting passengers, staff presence, and delivery of safety-critical maintenance,
(g) comfort and on-board experience on passenger services, including cleanliness, the functioning of heating, air-conditioning, and lighting, overcrowding, the availability and performance of any internet connection or power sockets, and toilet facilities,
(h) affordability and value for money of passenger services, including fare levels, availability of discounted or flexible fares, transparency of fare information, and passenger perception of value for money.”
This amendment would require the Passengers’ Council to set standards relating to the reliability, safety and security, comfort and on-board experience and affordability of railway passenger services.
Amendment 141, in clause 46, page 25, line 1, leave out subsection (5).
This amendment removes the requirement for the consent of the Secretary of State (and the Office of Rail and Road) before the Passengers’ Council sets, varies, or revokes standards.
Amendment 73, in clause 46, page 25, line 1, leave out “and the ORR”.
This amendment means the Passenger Council does not need the ORR’s consent to set, vary, or revoke standards.
Amendment 144, in clause 46, page 25, line 3, leave out subsection (6).
This amendment aims to ensure the independence of the Passengers' Council by removing the requirement for the Secretary of State’s consent to publish new standards.
Clause stand part.
New clause 16—Access for All programme: review—
“(1) Within a year of the passing of this Act the Secretary of State must conduct a review of the Access for All programme.
(2) The review as set out in subsection (1) must identify the level of investment required to support accessibility improvements.
(3) Accessibility improvements as set out in subsection (2) include ensuring step-free access to all—
(a) platforms;
(b) entrances to stations;
(c) exits from stations.
(4) The review must identify all stations with fewer than 1,000,000 entries and exits a year, as recorded by the estimates of station usage published by the Office for Rail and Road, that do not have step-free access as set out in subsection (3).
(5) The review must set out an explanation for spending decisions on the Access for All programme between the period 25 October 2022 and 24 May 2024.
(6) The review must set out recommendations with the objective of facilitating the level of investment required to support accessibility improvements.”
This new clause would mandate a review of the Access for All programme. The review would seek to ensure that step-free access at railway stations is provided under the programme. The review would explain spending decisions on the programme under the previous Government and set out recommendations for future spending.
New clause 17—Accessibility of passenger information: trains—
“(1) Great British Railways and all passenger railway service operators must ensure that all trains that they operate provide passenger information announcements that are accessible for passengers with sight or hearing loss.
(2) Announcements under subsection (1) include information on—
(a) the current and next station;
(b) interchanges at any given station;
(c) safety.
(3) The Passengers’ Council must monitor compliance with subsection (1) under its duties in section 46.”
This new clause ensures that passenger information provided on trains is accessible for passengers with sight or hearing loss.
New clause 18—Accessibility of passenger information: stations and railway premises—
“(1) Great British Railways and all passenger railway service operators must ensure that all stations and railway premises that they operate provide passenger information systems that are accessible to passengers with sight or hearing loss.
(2) The Passengers’ Council must monitor compliance with subsection (1) under its duties in section 46.”
This new clause ensures that passenger information provided in stations and railway premises is accessible for passengers with sight or hearing loss.
New clause 53—Accessible ticket machines—
“(1) The Secretary of State must by regulations make provision about the accessibility of ticket machines in all stations used by Great British Railways passenger services.
(2) Regulations made under this section must provide that all stations used by Great British Railways passenger services have at least one ticket machine that meets necessary accessibility requirements for wheelchair users.
(3) Regulations made under this section must provide that all ticket machines—
(a) offer all ticket types available across all Great British Railways passenger services;
(b) have the same user interface;
(c) include accessibility options for passengers with sight or hearing loss; and
(d) include the same language options as ticket machines operated by Transport for London.
(4) Regulations under this section are subject to the affirmative resolution procedure.”
This new clause would require the Secretary of State to mandate the use of the same ticketing machine across all Great British Railways passenger service stations, introduce a minimum number of accessible ticket machines per station and offer the same ticketing options across the network for passengers and tourists.
New clause 69—Accessible rail strategy—
“(1) Within 12 months of the passing of this Act and before the end of each subsequent period of 10 years, Great British Railways must publish a strategy on accessible rail.
(2) Each strategy under subsection (1) must set out required services standards for stations operated by Great British Railways.
(3) Services standards under section (2) must include targets for the—
(a) percentage of stations with step free access,
(b) number of days per year on which lifts at each station are operational,
(c) number of stations at which passenger assistance is available.
(4) Before the end of 12 months beginning with the publication of a strategy under subsection (1), and before the end of every subsequent 12 months, Great British Railways must publish a report on performance against the strategy.
(5) Any report under subsection (4) must be laid before both Houses of Parliament.”
This new clause mandates that Great British Railways publish an accessibility strategy every ten years to monitor and improve accessibility across the rail network, and that GBR reports annually on its progress against the accessibility strategy.
Jerome Mayhew
Clause 46 gives the passengers’ council a power to set consumer standards for operators of rail passenger services and station services, which will be imposed on them via licence conditions. Of course, we have not seen any of those licence conditions, so we will just have to take it on faith. The clause sets out matters that the standards may cover, including passenger assistance, provision of travel information, a process for compensation if services are disrupted, and complaints about passenger services. The council must seek the Secretary of State’s and the ORR’s consent before setting new standards or varying existing ones, and it must publish them, and any variations or revocations of them, and monitor how operators are complying with them.
In summary, the clause gives the passengers’ council a standard-setting role in areas such as assistance, information, compensation and complaints. What about standards on core passenger priorities, such as punctuality, reliability, crowding, staffing, cleanliness, safety and ticketing transparency? Would the Secretary of State be minded to grant consent for such standards, and if not, why not?
Requiring both the Secretary of State and the ORR to consent to any new standard creates two veto points, limiting the council’s independence. The result is a standards framework far weaker than the broader watchdog model described in the consultation. As we have discussed, subsection (2)(a) makes no direct reference to general users of the railway; the only reference is to disabled people. While I understand the additional focus that disability access requires, the current wording risks a wholly unbalanced approach for the new organisation.
Amendment 71 would solve that drafting imbalance and encourage the passengers’ council to set standards for all users and potential users of the railway. In drafting it, all I did was take the Government’s own words in clause 18, which, in describing the general functions, refers to all users, both able bodied and disabled. It does not seem to be an enormous stretch to require the passenger watchdog to have a similar functions scope as the organisation that it is watchdogging.
Amendment 72 would require the passengers’ council to set standards relating to the reliability, safety and security, comfort, onboard experience, and affordability of railway passenger services. These are the key issues of importance to passengers. Why do the Government not allow their key champion to tackle the real problems and not just the peripheral ones? Instead of focusing on information provision and complaints processes, let us get to the nitty-gritty. Let us have a watchdog that can actually draft and implement standards, and enforce improvement on a large nationalised organisation in the interests of passengers—that is what they actually want—rather than tipping a cap towards it and saying, “Oh yes, we’ve got a watchdog but it has no enforcement powers. It can write standards, but only about what information you receive, not about the really important stuff.”
If the Government really want to put
“passengers at the heart of the railway”,
why do they not vote for these amendments and enhance the powers of the passenger watchdog? They cannot have it both ways. At the moment, it looks like they are just pretending; they have a superficial watchdog that ticks a box but has very limited practical use for passengers.
Amendment 73 would remove the passengers’ council’s need to obtain the ORR’s consent to set, vary or revoke standards. A truly effective passenger watchdog needs to have its own real powers, and the ability to set its own standards without the consent of another organisation. Why does the Minister not have faith in his own passenger watchdog to do that? If his answer is that such an objection from the ORR would relate to safety-critical functions, why does the Bill not just say that? The Government are planning on stripping most of the competences away from the ORR, save for the remaining aspect of safety, but they do not say, “If the watchdog has a standard that has an impact on the safety-critical application of the railway, it needs to get the permission of the ORR.” That would make sense. Instead, the ORR has a blanket veto.
Amendment 141, in the name of the hon. Member for Didcot and Wantage, would remove the requirement for the consent of the Secretary of State and the ORR before the passengers’ council sets, varies or revokes a standard—a similar approach to that which I have put forward. I would be minded to support it, were it to be pressed to a Division.
Amendment 144 comes from a similar quarter. I am sure it is unintentional, but it contains a drafting mistake. The notes to the amendment make it clear that it seeks to delete subsection (5), but the wording as it stands relates to subsection (6). I stand to be corrected, but I think that is what has happened.
New clause 16, in the name of the Liberal Democrats, would require a review of the Access for All programme. It seeks to ensure that step-free access at stations is provided under the programme. The review would explain historical spending decisions and set out recommendations for future spending. I will leave new clauses 17 and 53 to the Liberal Democrat spokesman.
New clause 69, in the name of my hon. Friend the Member for Runnymede and Weybridge (Dr Spencer), would mandate GBR to publish an accessibility strategy every 10 years, to monitor and improve accessibility across the rail network, and to report annually on its progress against that strategy. I welcome that approach to transparency and the focus on accessibility. It deals with the Minister’s arguments about imposing onerous reporting targets on GBR. Given the number of stations involved, the requirement is limited to once a decade, which would be a reasonable compromise. Without such data, how can GBR expect to allocate resources efficiently? The Minister needs to set out how GBR will address accessibility investment without such data. I anticipate an argument that it would be imposing onerous conditions on GBR for it to have an idea as to accessibility around the country. Every now and again, it should know what its own business is up to.
Olly Glover
The shadow Minister is right to say that our amendments have similar intentions to his; we may have taken slightly different avenues but we are heading in the same direction.
Amendments 141 and 144 are intended to reduce the Secretary of State’s role in the passengers’ council’s abilities to set standards and go about its work. The shadow Minister is quite right to point out that there is a typo in amendment 144, which I had not spotted—the intention is to delete subsection (5) and not subsection (6). I thank him for drawing our attention to that.
Edward Morello
I will speak briefly to new clauses 16, 17 and 18, tabled by my hon. Friend the Member for Didcot and Wantage, and new clause 53, tabled by my hon. Friend the Member for Epsom and Ewell. Accessibility is still inconsistent, poorly enforced and often treated as optional. If railways are to work for everyone, accessibility has to be planned, delivered and monitored.
New clause 16 would require a full review of the Access for All programme, including past spending decisions and future investment needs. Too many stations, particularly small and rural ones, still lack step-free access to platforms, entrances and exits. New clauses 17 and 18 focus on accessible passenger information on trains and at stations. Reliable audio and visual announcements on safety, stops and interchanges are essential for passengers with sight or hearing loss, and should be consistently monitored and enforced. New clause 53 would ensure that ticket machines are accessible, standardised and usable independently by all passengers. Machines must work for wheelchair users, people with visual impairments or limb differences, older passengers, and visitors without apps or digital access, offering the same tickets and interfaces across the network.
The new clauses are designed to deliver practical and enforceable accessibility that improves passenger confidence, independence and safety, and I very much hope that the Government will see the logic of them.
Keir Mather
I thank hon. Members for their amendments, which relate to the standard-setting role of the passenger watchdog and to accessibility. I will speak first to those related to the passenger watchdog.
Amendment 71 would allow the passenger watchdog to set accessibility standards for all users and potential users of the railway, replacing the current reference to disabled passengers and those needing assistance. It is important that all passengers can access the railway, and I support the shadow Minister’s intention to ensure that that happens. However, clause 46 already covers both users and potential users of the railway who require assistance to access services. Furthermore, the list of areas in which the watchdog may set standards is not exhaustive; it can set accessibility standards for anyone it deems appropriate, potentially including passengers travelling with prams or some of the other examples that were outlined. Let me also clarify that the wording of the clause is not exhaustive, so as well as the examples given in the Bill, the passenger watchdog can set standards on any other matters relating to passenger experience, at its discretion. That allows it to be responsive to passenger feedback and passenger needs. For that reason, I do not feel that the amendment is necessary.
Amendment 72 would expand the list of example areas where the passenger watchdog may set standards. First, as I mentioned, the clause already allows the passenger watchdog to develop standards covering all areas of the passenger experience. The list in subsection (2) sets out matters that may be covered by the standards and is not exhaustive, so it does not prevent the passenger watchdog from developing further standards in other areas in time; in fact, we expect that it might do so, for some of the very reasons that the shadow Minister suggested. The amendment is therefore unnecessary, as it would not make a practical difference to the watchdog’s powers. Let me also clarify that standards on safety and security would significantly expand the remit of the watchdog, and are best left to expert safety bodies such as the ORR.
Jerome Mayhew
I think the Minister may have misunderstood my point. I was not for a moment suggesting that the passenger watchdog should take over responsibility for safety-critical functions. I was anticipating that he might argue that the ORR needs to retain a veto right because there might be clashes with its safety-critical functions, in which case the clause could be redrafted to make it clear that that is the area of focus.
Keir Mather
I thank the shadow Minister for that clarification.
Amendment 141 would remove the requirement for the Secretary of State and the ORR to consent to standards that may be set, varied or revoked by the passenger watchdog. Amendments 73 and 144 would both remove the requirement for the ORR and the Secretary of State respectively to consent to new standards. It is my view that the watchdog must seek the Secretary of State’s consent before the standards are referenced in associated licence conditions, and therefore before they becoming binding on operators, because that is one of the only ways to ensure that the standards are affordable and actionable.
Ultimately, the Secretary of State is funding GBR, and if the Government are not able to provide the funds to support a new standard, which could in theory add costs for operators, the standards are doomed to fail. Similarly, the ORR will remain the sector enforcement body, enforcing all licences. It is therefore important that it gives consent to standards before they become binding on operators. That will ensure that all standards are fair and enforceable. These measures are necessary to ensure that the new rail system will work effectively. The Secretary of State’s and the ORR’s input into the standards will provide constructive challenge, ensuring that all standards are high quality and serve the railway as well as possible.
All three bodies are subject to the duty to promote the interests of passengers and disabled passengers, so they will share a common goal of improving the passenger experience. There should therefore be no concern that the process will weaken or undermine standards; rather, all bodies will be committed to improvements for the passenger. I therefore urge the hon. Members for Broadland and Fakenham and for Didcot and Wantage not to press their amendments.
New clause 16 would require the Secretary of State to review the Access for All programme, which delivers step-free access upgrades at stations across Great Britain. I recognise that passengers with accessibility needs often find rail travel challenging, as facilities and assistance frequently do not meet expectations. Many of Great Britain’s 2,581 railway stations predate modern accessibility standards, making navigation difficult for disabled passengers. That is why the Access for All programme was introduced in 2006, and why it is so important. More than 270 stations have benefited from it so far.
The hon. Member for Didcot and Wantage has proposed a review of the programme, and I am delighted to inform him that the Government agree with him so strenuously that a review was already conducted in late 2024. The Department and Network Rail have acknowledged that the delivery of the programme from 2019 to 2024 was disappointing, which led to the late 2024 review. The national Network Rail Access for All team has now been strengthened to improve governance and financial control, and accessibility has been given a higher priority by all Network Rail regions. That review, and the associated changes, resulted in almost 34 projects being completed in the last 18 months, compared to 36 in the previous five years. I think that that demonstrates our commitment to improvement.
Edward Argar
Does the Minister also recognise that the review has led to cuts of about 20 individual programmes? That was not done on the grounds of accessibility—although the letter I received from his colleague the noble Lord accepts that there is clearly a significant accessibility challenge in the case of station in my constituency—but by imposing on the scheme a match funding requirement that was never, as I understand it, part of the original scheme.
Keir Mather
The right hon. Gentleman is right to be impatient with the Government’s pace in achieving accessibility improvements at stations in his constituency and across the country. He is right to point out that even though the number of stations that have been upgraded and improved has increased, that does not mean that all stations have done been, and the Government need to work at pace to deliver improvements across the piece. However, given that the review the new clause requests has already happened, and that measurable improvements have already been demonstrated by the Government, although there is more work to achieve, I encourage the hon. Member for Didcot and Wantage to withdraw new clause 16.
I thank the hon. Member for new clauses 17 and 18, which together would ensure that accessible passenger information is provided for those with hearing or sight loss. Our commitment to the outcomes sought by the new clauses is clear and unambiguous. Accessibility is at the core of what we are here to do, and it will be central to GBR from day one. Both legislation and the GBR licence will ensure that accessibility is always considered.
I also recognise the importance of ensuring that timely information is provided, and that it is provided in a format that all passengers can access. To that end, the Bill lays the foundation for GBR’s licence, and establishes a powerful passenger watchdog with a mandate to act in disabled passengers’ interests, setting licence standards and holding GBR to account. The objective of these new clauses is best achieved there, where licence conditions can set out the necessary detail about what accessibility standards are needed, rather than in primary legislation.
To acknowledge that, the Government have already committed that accessible travel policies will be included in GBR’s licence. Those policies will include requirements, as they do now, about accessible information, including specific mention of visually and hearing-impaired passengers. The standards for accessible information included in the licence will be monitored by the passenger watchdog and enforced by the ORR.
The Government’s proposals for accessibility build on the work of the accessibility road map, published in November 2025, which is taking clear steps to improve real-time information provision on the railways, and rolling out welcome points across the network in England. Those will include closed-loop and British Sign Language capability. Despite the positive measures we have committed to in the Bill and in the licence, we are not waiting: we are acting now to improve things for people with disabilities. I therefore urge the hon. Member for Didcot and Wantage not to press the new clauses.
New clause 53 would require the Secretary of State to make regulations about the accessibility of ticket vending machines. I reassure the hon. Member for Didcot and Wantage that all station operators are currently required through their station licence to comply with an accessible travel policy, which includes assisting disabled passengers in relation to ticket facilities. Subject to consultation, we expect GBR to have a similar requirement in its new licence.
Jerome Mayhew
I am grateful to the Minister for his detailed assessment of the new clauses and amendments. In the interests of time, I do not propose to press amendment 71, but I do not swallow the explanations given in relation to amendment 72. We need to focus the passenger watchdog on important issues for passengers, so we will press that amendment to a Division. However, on amendment 71, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Amendment proposed: 72, in clause 46, page 24, line 33, at end insert—
“(e) passenger service reliability, including punctuality, cancellations, short-forming, delays and the reliability of key connections,
(f) safety and security, including safety incidents, security incidents affecting passengers, staff presence, and delivery of safety-critical maintenance,
(g) comfort and on-board experience on passenger services, including cleanliness, the functioning of heating, air-conditioning, and lighting, overcrowding, the availability and performance of any internet connection or power sockets, and toilet facilities,
(h) affordability and value for money of passenger services, including fare levels, availability of discounted or flexible fares, transparency of fare information, and passenger perception of value for money.”—(Jerome Mayhew.)
This amendment would require the Passengers’ Council to set standards relating to the reliability, safety and security, comfort and on-board experience and affordability of railway passenger services.
Question put, That the amendment be made.
Jerome Mayhew
I beg to move amendment 74, in clause 47, page 25, line 23, leave out from “Council” to the end of line 32 and insert
“take such action (if any) as it thinks appropriate for the purpose of remedying the contravention, or avoiding it taking place or being repeated.”
This amendment would give the Passengers’ Council the power to enforce improvement plans.
The Chair
With this it will be convenient to discuss the following:
Clause stand part.
New clause 45—Passengers’ Council: enforcement powers—
“(1) Within 6 months beginning on the day on which this Act is passed, the Secretary of State must by regulations make provisions for the enforcement powers of the Passengers’ Council.
(2) Regulations under this section must make provision about—
(a) the making of orders by the Passengers’ Council relating to operator compliance with its purpose;
(b) procedural requirements relating to orders under paragraph (a);
(c) the validity and effect of orders under paragraph (a); and
(d) penalties associated with orders under paragraph (a).
(3) In making regulations under this section, the Secretary of State must have particular regard to sections 55 to 57A of the Railways Act 1993.
(4) Regulations under this section may amend provision made by or under—
(a) the Railways Act 1993;
(b) the Railways Act 2005.
(5) Regulations under this section are to be made by statutory instrument.
(6) Regulations under this section may not be made unless a draft of the statutory instrument has been laid before, and approved by a resolution of, each House of Parliament.”
This new clause would require the Secretary of State to provide the Passengers’ Council with enforcement powers broadly equivalent to those of the Office of Rail and Road under the Railways Act 1993.
Jerome Mayhew
Clause 47 deals with improvement plans. It allows the passengers’ council to request improvement plans from licensed rail operators
“where it judges them to be, or likely to be, non-compliant with the standards it sets and therefore, the consumer licence conditions”—
not that we have seen them. The clause continues:
“The improvement plans would be requested from operators to allow them to explain their planned improvements before issues were referred to the ORR or potential enforcement action”—
although we do not know whether they would choose to enforce either.
The clause highlights—again—just how toothless the passengers’ council will be. It still has no direct enforcement powers, and the explanatory notes confirm that these plans are only a precursor to possible ORR action. If an operator ignores a plan, the council can do nothing about it at all, except refer the matter to the ORR, which may
“take such action (if any) as it thinks appropriate”.
This is another two-stage approach from the Government, with no guaranteed remedy, and it leaves the council structurally dependent on the ORR for all meaningful enforcement. There is no requirement for the ORR to do anything at all, when provided with a file from the passengers’ council. There is no ability for the ORR to adopt a passengers’ council investigation as its own, and any enforcement action will be required to consider the matter afresh. I accept the Minister’s earlier point that the ORR will be able to read documentation presented by the passengers’ council, but that is it. That will take time and add cost, and it will fail the consumer all the way through the process. It is not the ORR’s fault; it is how the Government are designing the system, which falls well short of the Government’s stated aim of creating a genuinely empowered passenger watchdog. Subsection (2) says:
“If the person fails to take the steps set out”
in the improvement plan, or does not prepare one
“within a reasonable time, the Passengers’ Council must refer the matter to the ORR”.
That part is mandatory, but the ORR’s response is not mandatory. Why is that? Perhaps the Minister can help us out.
The new system needs to be able to stand up for passengers, with a watchdog worthy of the name. Amendment 74 would give the passengers’ council the power to enforce improvement plans, and new clause 45 sets out how that will be achieved. It would require the Secretary of State to provide the passengers’ council with enforcement powers broadly equivalent to those of the Office of Rail and Road under the 1993 Act. The Government want to put passengers at the heart of the railway, but they have created a passenger watchdog with no teeth—or power—to enforce any of its decisions. To give an advance indication, I will seek to divide on both amendment 74 and new clause 45.
Keir Mather
I thank the shadow Minister for amendment 74 and new clause 45. Amendment 74 would give the passenger watchdog enforcement powers when it issues requests for improvement plans, and new clause 45 would give the passenger watchdog enforcement powers broadly equivalent to those of the ORR.
We are creating a strong passenger watchdog, which will have real powers to monitor passenger experience and hold GBR and others to account. It will be able to demand information from GBR to a deadline, investigate problems and demand improvement plans to encourage improvements. Finally, it can refer cases for enforcement to the ORR.
It is important to have one clear enforcement body for the entire sector to avoid duplication or confusion for industry. If there were two bodies with enforcement powers, the risk of conflicting enforcement steers would be too high. The ORR will therefore enforce GBR’s new, streamlined licence, ensuring that the organisation meets its industry obligations and all minimum standards, including passenger standards. As it does today, the ORR will also enforce all other railway licences, to ensure that there is an independent, consistent enforcement body for the sector. That is fair and rational.
If operators did not comply with their consumer licence conditions—for example, relating to accessible travel standards—the passenger watchdog would directly engage with them and request an improvement plan. We would naturally expect operators to comply with that request, because if they do not, they will be aware that the ORR can simply take action against them for the original licence breach. That mirrors what happens in practice today, where most compliance issues are resolved through direct engagement and improvement plans rather than resorting to enforcement.
Jerome Mayhew
I am interested in the Minister’s repeated insistence that there would be confusion if there were more than one enforcement body for rail activities. What is his proposed solution to the Competition and Markets Authority and its enforcement competency for the railways, which currently is shared with the Office of Rail and Road? Is it his plan to amend the competencies of the Competition and Markets Authority? If not, why is the argument so overwhelming to prevent the passenger watchdog from having teeth, when he allows the CMA to have teeth?
Keir Mather
The shadow Minister previously made a point that related to whether the ORR and the passenger watchdog had an equivalent power when they sought to enforce against railway licences. My point there was that we could have contradictory steers arising out of these licences being in conflict with each other. That is where the route of not having dual licence- enforcing capabilities lies, and it is the argument against amendment 74.
Turning back to operators’ co-operation, we expect our GBR licence proposals to include a licence condition requiring operators to co-operate with the passenger watchdog, which will strengthen these provisions further. I hope that that reassures the shadow Minister that the system will work effectively to hold operators to account. I cannot support any amendments that confuse the enforcement landscape, as two enforcement bodies would be duplicative, burdensome on operators and potentially very confusing. That is not a system that would drive good performance. I therefore urge the shadow Minister not to press his proposals.
Let me turn now to clause 47, which will give the passenger watchdog the power to require improvement plans from train and station operators where it judges that an operator might be breaching its standards and, therefore, the consumer licence conditions. Demanding improvement plans from operators will allow them to set out the steps they plan to take to address the issues and meet their licence conditions before non-compliance is referred to the ORR for potential enforcement action.
The clause will allow the watchdog to work with operators to seek improvements collaboratively. Improvement plans are a crucial element of this engagement, as they allow operators to set out a plan to achieve compliance and to have a dialogue with the passenger watchdog. The watchdog can represent the passenger by making suggestions for improvements and advocating sensible solutions. Enforcement is the last resort to ensure compliance, and it is important that the watchdog has sufficient means to encourage operators to do the right thing before it refers any persistent or serious issues to the ORR.
Jerome Mayhew
I am unpersuaded. As I previously indicated, I will press amendment 74 to a vote.
Question put, That the amendment be made.
The Chair
With this it will be convenient to discuss the following:
Amendment 75, in clause 49, page 26, line 28, at end insert—
“(h) passenger service reliability, including punctuality, cancellations, short-forming, delays and the reliability of key connections,
(i) safety and security, including safety incidents, security incidents affecting passengers, staff presence, and delivery of safety-critical maintenance,
(j) comfort and on-board experience on passenger services, including cleanliness, the functioning of heating, air-conditioning and lighting, overcrowding, the availability and performance of any internet connection or power sockets, and toilet facilities,
(k) affordability and value for money of passenger services, including fare levels, availability of discounted or flexible fares, transparency of fare information, and passenger perception of value for money.”
This amendment would require GBR to consult the Passengers’ Council when it is developing or changing its policies or procedures with reference to the passenger-focussed KPIs proposed in NC2.
Clauses 49 to 52 stand part.
New clause 68—Duty to co-operate—
“(1) The Secretary of State may direct Great British Railways to co-operate with transport authorities and other specified persons where such cooperation would—
(a) reduce transport disruption, and
(b) ensure the effective operation of transport networks.
(2) Before the end of 12 months of the passing of this Act and every subsequent 12 months, the Secretary of State must lay before both Parliament an annual report on any direction that has been taken under subsection (1).
(3) The report must include—
(a) an assessment of expected transport disruption resulting from—
(i) maintenance;
(ii) construction;
(iii) any other work;
related to railways infrastructure operated by Great British Railways and ancillary services.
(4) The report must be laid before both Houses of Parliament.”
This new clause gives the Secretary of State the power to direct GBR to co-operate with transport authorities to ensure the effective operation of transport networks and to reduce disruption.
New clause 70—Service changes: consultation—
“(1) Before making any planned changes to passenger services, Great British Railways must—
(a) publish a statement on the compatibility of the changes with—
(i) its functions under Section 1;
(ii) its regard to strategies under Section 16;
(b) publish notice of the impact of the changes on any station or routes;
(c) make provision for compensation claims for passengers affected by the changes;
(d) consult—
(i) local stakeholders,
(ii) passenger groups, and
(iii) groups representing those with accessibility requirements
about those changes.
(2) In this section, ‘service changes’ has such meaning as the Secretary of State must by regulations specify, provided that it include changes to rail—
(a) timetables;
(b) routes;
(c) service capacity.
(3) Regulations under this section must specify the framework for any compensation under subsection 1(c).
(4) Regulations under this section are subject to the affirmative resolution procedure.”
This new clause sets out requirements for Great British Railways to ensure any planned changes to passenger services are only made with due consideration of its objectives and following communication with stakeholders.
Keir Mather
I will speak first to the clause and then to the amendments, once I have heard hon. Members’ comments on them.
Clause 48 will establish the passenger watchdog as a statutory adviser, able to advise Ministers and industry bodies on matters of importance to passengers. The clause places a duty on the watchdog to provide advice to certain bodies, including the Secretary of State, rail operators and devolved Governments; they may also refer matters to it. The watchdog will also have a duty to provide advice without a referral if it considers it appropriate. The watchdog will be in a unique position to understand passenger experience because of its research and investigations functions, as well as its access to complaints and core industry performance data.
We wish to establish the watchdog as the central body that Ministers, mayoral strategic authorities, the ORR, GBR and other train and station operators can go to for advice on passengers’ interests, needs and priorities. We also want to ensure that the watchdog is an authority on all passenger matters, so that Ministers and others take its advice seriously. This will be the first time that the rail industry has had a statutory adviser covering all passenger matters.
Clause 49 will place a duty on GBR to consult the passenger watchdog when developing or changing policies or procedures that significantly affect the interests of passengers. The clause sets out an indicative list of matters on which GBR should consult the watchdog. Those include passenger rights, handling disruption to rail services, determining fares, and arrangements for the sale of tickets. By feeding the watchdog’s insight to GBR when central policies and procedures are being developed, it will support GBR in creating better policies that prioritise passenger needs.
I return briefly to the official Opposition’s wise words about culture last week, because the Government absolutely agree that getting culture right is essential to the success of the railway. The watchdog’s role here will be critical in influencing the culture of the reformed rail industry, being involved in all relevant policymaking to ensure that the focus on passengers is at the heart of everything the railway does. I therefore commend clause 49 to the Committee.
Clause 50 will give the passenger watchdog the power to publish any information or advice it considers that passengers, or potential passengers, may find useful. For example, this could include publishing information on train operator performance to encourage improvements, such as league tables or the naming and shaming of poorly performing operators or routes. It could involve setting out complaint handling processes or advising passengers on their rights.
Before publishing information or advice, the watchdog must consider whether it is necessary to exclude any matter relating to an individual or body that would have a serious and negative impact on their interests. This could include sensitive, personal or market information. This power will be central to the watchdog’s ability to hold operators to account publicly.
I now turn to clauses 51 and 52. Clause 51 will give the Secretary of State the power to exclude certain rail services from the duties imposed by clauses 37 to 43, 45 and 48. This power mirrors an existing power in the Railways Act 1993 and has been included because it is not appropriate, nor a proportionate use of resources, to require the watchdog to investigate services that are not part of the wider national network, are not licensed and mainly operate for tourism or leisure purposes—such as heritage trains. As service providers change over time, the clause can also be used to include new services in the watchdog’s remit, or to modify its duties in relation to specific services. In the future, there may be new services that the watchdog ought to monitor, or which it ought to monitor in a slightly different way. The power therefore exists to ensure that all relevant operators can be appropriately held to account by the passenger champion. The clause does not mean that the watchdog is prevented from monitoring any excluded services, just that the watchdog is not obliged to do so.
Clause 52 provides additional clarity by defining some of the terms used in this chapter. For example, the clause defines a “disabled person” as
“a person who is a disabled person for the purposes of the Equality Act 2010”.
I commend clauses 48 to 52 to the Committee.
Jerome Mayhew
The Minister has described the function of clause 48, the lead measure in this group, but there is one notable exception from the list of bodies that can refer to the council for advice under clause 48(1)(a) as drafted. It includes mayoral combined authorities, Transport for London and Ministers—whether the Secretary of State, Welsh or Scottish Ministers—but there is no room for local transport authorities. I am sorry that my hon. Friend the Member for South West Devon is not in her place, because she made the point powerfully in previous sittings of the Committee that some areas of the country do not have mayoral combined authorities and never will, because of their geographic or demographic set-up—that is particularly the case in the south-west. Those areas still have local transport needs, and a local transport authority, yet under the Bill as drafted, those authorities are excluded from asking the advice of the passenger body. We have heard that there are many areas that will never have an MCA but that still have rail-related concerns and issues. I seek advice from the Minister: what is the thinking of the Government, that they have deliberately excluded local transport authorities from the clause?
Clause 49 deals with “Consultation about railway passenger services and station services”. Again, I have left it to the Minister to explain what the clause does, but it sets out the policies and procedures that GBR should consider consulting the passengers’ council on. It gives GBR discretion to decide whether to do so based on its assessment of the impact on passengers. That is, again, quite important. The clause creates a duty on GBR to consult the passengers’ council, but only where GBR itself decides that a policy change will significantly affect passengers. The explanatory notes confirm that that judgment is entirely for GBR. GBR, the Secretary of State and Scottish Ministers will all owe consultation duties to the council, but the Bill imposes a duty only on GBR, and even then only on GBR’s own assessment of significance. There is no parallel duty on Ministers, meaning that major ministerial decisions affecting passengers could fall entirely outside statutory consultation. The list in clause 49(2) once again seeks to sideline the passengers’ council by limiting its remit. The list does not cover the issues that
“significantly affect the interests of the public in relation to…passenger services or station services”,
as described in clause 49(1)(b); far from it.
Amendment 75 would require GBR to consult the passengers’ council when GBR is developing or changing its procedures, with reference to the passenger-focused KPIs outlined in proposed new clause 2:
“reliability, including punctuality…short-forming…key connections… safety and security…comfort and on-board experience”
and
“affordability and value for money”.
Those are issues at the heart of the passenger experience. Let the passengers’ council do a proper job.
Clause 50 gives the passengers’ council the power to publish information and advice for
“users or potential users of railway passenger services”.
The clause only allows the passengers’ council to publish information; it does not require it to publish information. That means the council can choose not to publish anything at all. The clause also gives no sense of what should be published, or how often. Perhaps the Minister could expand on the reasons he has not decided to require publication when it is about information and advice; that seems a bit odd.
Clause 51, which is on the power to make exclusions, will be watched by many, as it is really important to rail enthusiasts. Committee members should be careful when commenting on it, because people are keenly interested in this power. Actually, on this occasion I think the Government have got it about right. The clause replicates similar provisions in the 1993 Act—specifically, sub-sections (7B) and (7C) in section 76.
Clause 51 enables the Secretary of State to exclude services from one or more of the duties imposed by clauses 37 to 43, 45 and 48 through regulations, or modify those duties for particular services. However, before making changes, the Secretary of State must consult the passengers’ council and the London Transport Users Committee.
There are currently two exemptions from the similar requirements in the 1993 Act in place, one of which excludes services without through-ticketing facilities and which are exempt from holding a licence. Charter and heritage railway operators fall under this exemption. The Government assert in the explanatory notes to the clause that,
“it would be burdensome and unnecessary for the Passengers’ Council to be required to investigate heritage railway operators,”
which only operate for tourism and recreational purposes, not for the mainline network. I agree that those potential exclusions are reasonable. The Government rightly point out that burdening heritage rail with unnecessary regulation when the hospitality and tourism sector is facing serious challenges—admittedly, because of this Government—would be disproportionate.
Very few constituencies do not boast a heritage railway, so I declare an interest, Mrs Hobhouse: the Bure Valley Railway and the start—or the finish, depending on which way a person is going—of the Wells and Walsingham Light Railway run in my constituency of Broadland and Fakenham.
Jerome Mayhew
I am interested to hear that the hon. Gentleman has been on that railway. I would continue on that, but I have gone on long enough by saying, “and another thing—I remember”.
Rail charter services are a different matter that must also be considered. Those with children may have travelled on one of the many Christmas polar expresses that are chartered services. They are very important to tourism and to the financing of the railway, as they make an economic contribution to the running of it. They sit in a unique space of quasi-open access and are a useful component of the railway. Mainline heritage rail routes, such as the Cambrian express—although the Minister of State for Rail, Lord Hendy, still needs to do some work to restore steam, rather than diesel, locomotives to that heritage route—as well as services with the Flying Scotsman, or Sir Nigel Gresley, which is the last working version of the Mallard class, the A4s, are very important, and crowds of people gather to watch them steam past.
I applaud the Government for that sensible exemption. All I ask is that they continue to do what they can to facilitate and support heritage and chartered railways, and I would be grateful to hear the Government’s plans to do so, if there are any. I would propose no amendments to clause 51. Clause 52 is the interpretation chapter, and I am happy for that to continue without amendment.
That leaves me solely with the pleasure of discussing new clauses 68 and 70, tabled by my hon. Friend the Member for Runnymede and Weybridge. New clause 68 would give the Secretary of State the power to direct GBR to co-operate with transport authorities to ensure the effective operation of transport networks and to reduce disruption. Network Rail is often cited as a poor neighbour, with no interest in co-operating with other transport modes, or frankly with adjacent landowners— I have had more than one letter of complaint from constituents on that—to minimise disruption not on the railway. The Opposition support the intentions behind the new clause. Culture change is needed in the successor to Network Rail, and a duty to co-operate would at least help. The Minister needs to recognise the existing problem of Network Rail’s culture being—I think it is fair to say—deeply suboptimal in relation to this, and set out his proposals for improvement.
New clause 70, also in the name of my hon. Friend the Member for Runnymede and Weybridge, sets out the requirements for GBR to ensure that any planned changes to passenger services are only made with due consideration of its objectives and are fully communicated with stakeholders. I read the new clause into the record, but I do not propose to press it to a Division when the time comes.
Keir Mather
I start by addressing two points that the shadow Minister made. First, on the publication of information and advice, I set out in my original arguments surrounding the new clauses that there might be instances where, for professional or personal reasons, it might be best not to publish confidential information.
On a broader issue, the shadow Minister asked why local transport authorities were not listed directly under clause 48. On the question of the devolution of rail services, the Committee has rehearsed at length the Government’s view that mayoral strategic authorities provide the right unit of economic activity to be able to engage with productively. Nevertheless, this is not an exclusive list of those that might be consulted, and there is provision written into the Bill for the council, where it considers it appropriate, to consider consultation without such a reference as is listed in the clause. Local transport authorities could fall within that frame of reference.
Amendment 75 would ensure that GBR consulted the passenger watchdog when developing key performance indicators. GBR will set out its proposed activities over a five-year period in its business plan, setting KPIs for itself there based on how it intends to deliver the business plan and, through that delivery, meet the high-level goals in the Secretary of State’s funding objectives and her long-term rail strategy. The ORR will independently scrutinise GBR’s business plan and advise the Secretary of State on its quality, which will give the Secretary of State the right information to support her decision on whether to approve the plan. All advice on the business plan can and should be published, so the public can also be aware of how that is developing. This constructive challenge process will ensure that GBR’s KPIs are realistic, measurable and ambitious.
Additionally, as we have discussed, there is already a requirement in clause 49 for GBR to consult the watchdog on policies or procedures affecting users or potential users of the railway. This would also cover consultation on any KPIs about passenger services. Therefore, this amendment is duplicative of the drafting already in the Bill, and I urge the shadow Minister to withdraw it.
New clause 68 would give the Secretary of State the power to direct GBR to co-operate with transport authorities to reduce disruption. First, it is clearly critically important that we reduce disruption for all passengers and stakeholders on the railway. I agree with the hon. Member for Runnymede and Weybridge that GBR should collaborate with local authorities to reduce transport disruption across modes. I am aware of his efforts to campaign for more joined-up planning in his area, and I hope that the Bill will improve the system for him.
I would point out to the hon. Member for Runnymede and Weybridge, however, that there are mechanisms elsewhere in the Bill that will enable the sort of collaboration and co-operation that the amendment envisages. The Government are supportive of a more locally focused railway and an enhanced role for mayoral strategic authorities. Local partners know their areas best, which is why GBR will be able to agree partnerships with MSAs to enable close collaboration and joint working on local priorities.
Together, the provisions in the Bill create a framework for significant levels of co-operation between GBR and transport authorities. GBR will be organised to work collaboratively with devolved leaders, and I would expect that potential disruptions would be discussed between them as a result of those closer working relationships, enabling them to explore possible measures to reduce disruption and contribute to the effective operation of transport networks.
I thank the shadow Minister for speaking to new clause 70, which seeks to impose several requirements on GBR before it can make service changes, such as publishing a statement, publishing a notice of changes on stations or routes, providing compensation for passengers and consulting various stakeholders.
Let me address each of those elements in turn. It is redundant for GBR to publish a statement about whether service changes are compatible with its functions. The Bill assigns GBR the function of providing railway passenger services, and planning service changes is inherent in that. There is no need to affirm that separately through a published statement.
GBR will not plan service changes in a vacuum. Clauses 80 to 82 require GBR to consult Scottish and Welsh Ministers, mayoral combined authorities and Transport for London before making decisions that will significantly affect the interests of the economy and people in those areas. GBR will also be required through its duties to consider local transport plans when making service changes.
As for publishing notices, it is for GBR to determine the best approach to communicating service changes to the public, and GBR should be able to adapt its communications approaches in line with stakeholder needs and technological advances. The consumer standards set by the passenger watchdog will cover passenger information. I hope that reassures the shadow Minister that appropriate information will be provided to passengers. The watchdog will have powers to request improvement plans and refer issues to the ORR for enforcement when GBR falls short.
I now turn to planned service changes. For clarity, as the new clause indicates, that relates to when GBR chooses to replan services in advance, for example timetables and stopping patterns. It does not relate to service disruption. I cannot see a feasible or a necessary solution to providing compensation to passengers affected by service changes of this nature. Clearly, the development of an effective timetable requires the need for service changes, for example to make the most of infrastructure enhancements for the benefit of passengers and communities. That will especially be the case under GBR, as GBR can review the network and timetable holistically and make joined-up decisions in a way that has been impossible in previous years.
In relation to compensation, quite apart from the undeliverable practicalities of funding and administering such a scheme, at the heart of this is the fact that GBR is being established as the expert-led directing mind of the railway, in charge of planning the best use of the network and balancing its statutory duties. Those duties include promoting the interests of users and potential users of railway passenger services and acting in the public interest. Any planned service changes by GBR will therefore be the result of that new system and guided by those duties. Forcing GBR to compensate all those affected by service changes would therefore cut across GBR’s ability to balance its duties in the round, and could create perverse incentives not to make changes and to allow services to stagnate.
I add one point of assurance: service change and service closure are separate issues. The Railways Act 2005 contains the specific processes that must be followed for full service closures, with a decision-making role for Ministers who are the relevant railway funding authority for a given service. Closure proposals must also be ratified by the ORR. The Bill does not change the fundamentals of this process, which protects our important passenger services. I thank hon. Members for their contributions.
Jerome Mayhew
I have thought long and hard about this, Mrs Hobhouse, and given the time of day, we will let it pass.
Question put and agreed to.
Clause 48 accordingly ordered to stand part of the Bill.
Clauses 49 to 52 ordered to stand part of the Bill.
Clause 53
General duties of the LTUC
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to consider the following:
Clause 54 stand part.
Government amendment 173.
Clauses 55 to 58 stand part.
Keir Mather
Committee members will be very pleased that I have considerably less to say about this group than the previous one.
Government amendment 173 corrects a small naming error in the Bill: a clause for the London Transport Users Committee incorrectly refers to the passengers’ council. The correction ensures that the Bill is drafted correctly.
Clause 53 will place two general duties on the London Transport Users Committee, which has the operating name London TravelWatch, that it must consider when carrying out its rail functions: to consider the interests and needs of disabled persons, and to consider the costs and efficient use of public funds. The aim of the clause is to align the duties of London TravelWatch with those of the passenger watchdog and ensure that both passenger champions will pay specific attention to the experiences of disabled people. The duties also ensure that the passenger champions take the overall cost of the railway into account, such as when making recommendations for improvement. That will ensure that their recommendations are realistic and actionable and, therefore, carry more weight in the industry. Aligning London TravelWatch’s duties and powers with the passenger watchdog, as many of the clauses do, ensures consistent passenger advocacy across Great Britain.
I now turn to the remaining clauses 54 to 58. Clause 54 expands London TravelWatch’s powers under section 252A of the Greater London Authority Act 1999 by giving it the explicit power to collect information that may be of interest to the public. Clause 55 expands London TravelWatch’s current investigation powers to align it with the powers the Bill grants to the passenger watchdog. That includes expanding the list of people who may refer matters to London TravelWatch for investigation, enabling them to obtain information from operators to a deadline, make representations on behalf of passengers and refer matters to the ORR for enforcement, as well as powers to publish investigation reports.
Clause 56 will designate London TravelWatch as the body to which complaints about potential infringements to retained EU law on rail passenger rights should be addressed within the London railway area. Clause 57 will give London TravelWatch the power to publish information and advice it considers appropriate for users or potential users of the railway in London. That could include information on operator performance—including GBR’s performance in London—such as league tables or naming and shaming, as well as passenger rights and complaint-handling processes. Clause 58 will ensure that London TravelWatch protects sensitive and confidential personal and commercial information obtained during its investigations or through its general power to collect information. I commend these clauses to the Committee.
Jerome Mayhew
We are at the final furlong—for today at least. I will keep the pace up for the last straight. I am not going to make any comments on clause 53, the general duties of the LTUC, because there is nothing to be improved. Clause 54, which amends section 252A of the Greater London Authority Act 1999, mirrors the passengers’ council in many ways. We could take the opportunity to seek to apply the same improvements to the LTUC that we have to the passengers’ council, but I have resisted that temptation given the Government’s reaction to all other proposals to date.
Clause 55 designates the committee as the body to which complaints about potential infringements of retained EU law on rail passengers rights should be addressed. I see no issue with that other than in relation to the criticism we have already outlined regarding the passengers’ council. It is clear that the clause is designed to ensure consistency in London in line with the rest of the United Kingdom, so we have no amendments there. I take on board the Minister’s comments on Government amendment 173 and make no further comment.
Clause 56, which is about complaints to the LTUC, again, allows the LTUC to be the official body in which complaints about retained EU law are handled. As the Minister has pointed out, that clause, like others in this group, mirrors the ability of the passengers’ council, so we have nothing else to add on that one.
I make no comments on clause 57 about the publication of information and advice by the LTUC. That brings us to clause 58—restrictions on disclosure of information by the LTUC. As we come to the last clause of the London Transport Users Committee, we also come to the last amendment to the Greater London Authority Act 1999. For those keeping track of these things at home, we are now amending section 252DC. The clause outlines restrictions in a very similar fashion to that of the passengers’ council, so we consequently have no further amendments to suggest for that clause either.
Keir Mather
I thank the shadow Minister for his constructive approach to the remaining clauses and the Government amendment as part of this group. He and his colleagues have ably and comprehensively outlined any potential concerns that they have in relation to the passenger watchdog, many of which would map over to consideration of these clauses. Therefore, I have put our points in relation to this group on the record.
Question put and agreed to.
Clause 53 accordingly ordered to stand part of the Bill.
Clause 54 ordered to stand part of the Bill.
Clause 55
Investigations by the LTUC
Amendment made: 173, in clause 55, page 31, line 30, leave out “Passengers’ Council” and insert “Committee”.—(Keir Mather.)
This amendment corrects a reference that was made to the incorrect body.
Clause 55, as amended, ordered to stand part of the Bill.
Clauses 56 to 58 ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned.—(Nesil Caliskan.)