Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)
Tuesday 10th February 2026
(4 days, 6 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
The Chair
Good morning, everyone. I remind Members to send their speaking notes via email to Hansard and to switch electronic devices to silent. Beverages are not allowed. I ask people to speak clearly and precisely for the benefit of other colleagues and Hansard. Were they to give an early indication that they wish to speak, that would be much appreciated.
Lincoln Jopp (Spelthorne) (Con)
On a point of order, Dr Murrison. In Thursday’s session, I asked the Minister why pupil data was not within the remit of this Bill. He said:
“On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.” ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 5 February 2026; c. 137.]
Since then, I have been researching any action taken in respect of the Government’s cyber-security strategy and the cyber action plan, and can find no record of them dealing with the issue of pupil data. I wonder whether, this morning, the Minister could specify what he meant last Thursday or commit to coming back to the Committee with that detail.
The Chair
I am sure that the Minister will have heard what the hon. Member has said. He may wish to reflect on it, but it is not really a matter for the Chair. Nevertheless, it is on the record.
Lincoln Jopp
On a point of order, Dr Murrison. Yesterday, I spoke in a petition debate in Westminster Hall. The petition was signed by 114,000 members of the public calling for a public inquiry into Russian influence in British democracy. In researching my response on behalf of His Majesty’s Opposition, I came upon the Government’s statement about this Bill, which said that it would
“require organisations in critical sectors to further protect their IT systems”.
The split infinitive notwithstanding, I do not believe that the Bill requires any organisations in critical sectors to further protect their IT systems. If the Minister thinks that the Government are correct in saying that, would he like to direct us to that requirement in the Bill?
The Chair
Once again, if the Minister wishes to respond to that, it is open to him to do so. The hon. Member for Spelthorne, who is very adept at these things, will be able to weave any further comments he might have into his contributions during our proceedings.
Clause 15
Reporting of incidents by regulated persons
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss:
Clause 16 stand part.
New clause 6—Inclusion of ransomware attacks in the NIS Regulations—
“In regulation 1(2) (interpretation) of the NIS Regulations—
(a) in the definition of ‘incident’, after ‘systems’ insert ‘or a ransomware attack which is targeted at the security of network and information systems’;
(b) after the definition of ‘online search engine’ insert—
‘ransomware attack’ means a cyber-attack involving a type of malicious software that infects a victim's computer systems, can prevent the victim from accessing systems or data, impairs the use of systems or data or facilitate theft of data, and in relation to which a ransom is demanded for access to be restored or for data not to be published.”
This new clause would include ransomware attacks in the definition of “incident” in the NIS Regulations.
New clause 7—Impact of reporting requirements on relevant bodies—
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish and lay before Parliament—
(a) a review of the impact, on relevant bodies, of—
(i) the requirements relating to the notification of incidents in Parts 3 and 4 of the NIS Regulations (as amended by this Act); and
(ii) any additional incident notification requirements made by regulations under this Act; and
(b) proposals for the creation of a single cyber incident reporting channel for relevant bodies.
(2) A review under this section must consider –
(a) the costs of requirements on relevant bodies; and
(b) interactions with other incident reporting regimes.
(3) In this section, ‘relevant bodies’ means operators of essential services, critical suppliers or digital service providers, as defined by the NIS Regulations.”
This new clause would require the Secretary of State to review the impact of incident reporting requirements on relevant bodies, and to set out proposals for a single incident reporting channel.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will begin by discussing clauses 15 and 16. Clause 15 updates the incident reporting provisions in the Network and Information Systems Regulations 2018. Under the current regulations, organisations are required to report incidents only once they have had a significant impact on service continuity. It is widely recognised that this is too narrow, and results in a range of concerning incidents going unreported and a distorted picture of how secure and resilient the UK’s essential services actually are.
To take two examples: a ransomware attack where confidential data has been exfiltrated from an organisation without an immediate impact on service would not be reportable; nor would a pre-positioning attack, where a hostile actor has hacked into a network and is in a position to cause significant disruption down the line, such as to the provision of drinking water. That cannot be right, and does not reflect the cyber-threats that critical services face.
To ensure such incidents are caught, the clause sets a new, wider definition of incidents that must be reported. The focus is now on incidents that have successfully affected the security or operation of an organisation’s network and are likely to have a significant UK impact, which will ensure that regulators and the National Cyber Security Centre are fully aware of the range of cyber-threats affecting the UK’s essential services.
The Bill sets out the factors that should be considered when assessing whether an incident has had, or is likely to have, a significant impact in the UK—including, crucially, whether the confidentiality, authenticity, integrity and availability of data has been compromised. The Government will provide further clarity in secondary legislation, setting out thresholds for each sector for when an incident is considered to have had, or be likely to have, a significant impact. That will be consulted on before it is introduced. Taken together, it means that only meaningful incidents are reported. Over-reporting has been a concern raised by hon. Members throughout the Bill’s progress, so I stress this point: things such as unsuccessful phishing emails will clearly not be reportable, as they would not be likely to have a significant impact.
Given our economy’s systemic dependence on data centre facilities, for that sector alone we will also ensure that Ofcom and the NCSC receive reports on a wider range of potential incidents and near misses. That ensures that not only immediate disruptions but incidents posing future risks are reported.
Clause 15 also streamlines the reporting process for all NIS sectors. It ensures that incident notifications and reports go to the NCSC at the same time as the regulator. It also sets out what those organisations can do with the information they receive, including how the information can be shared to manage the wider impacts of an incident or prevent future incidents. Finally, the clause introduces faster reporting, so that the NCSC and regulators are informed within 24 hours of entities becoming aware that a reportable incident is taking place.
The 24-hour notification will be light touch, but will enable the NCSC and regulators to offer faster support to minimise the negative impacts of the incident. Fuller details will need to be reported within 72 hours of the entity becoming aware that a reportable incident is happening. The changes will protect the UK’s essential services, ensuring that the NCSC and regulators are able to provide the best support that they can.
Clause 16 sets out requirements for managed service providers, relevant digital service providers, and operators of data centres to inform customers who are likely to have been adversely affected by a reportable incident. Under the current regulations, there is no requirement for any regulated entity to inform its customers if it has been impacted by a reportable incident. That may have made sense when the NIS regulations were more heavily focused on operators of essential services and the primary concern was service disruption, but it would be an inexcusable omission now that the Bill is expanding to include managed service providers and operators of data centres, in addition to the digital service providers already in scope.
These are organisations that, if compromised, could leave their customers’ systems, data or services exposed or inaccessible. In such circumstances, it is vital that their customers are notified, so that they can take whatever steps they need to in order to mitigate those risks.
Bradley Thomas (Bromsgrove) (Con)
I have two points for the Minister to address. First, could he clarify whether an organisation would face repercussions if a regulator believed in retrospect that notification should have been provided sooner? Secondly, on customer notification, can the Minister address the concern around striking the right balance between informing the customer and ensuring that the update that they receive is meaningful and not so vague that it causes further distress or worry?
Kanishka Narayan
I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.
On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.
Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.
Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
New clauses 6 and 7 sit together and are linked by the same practical concern regarding clarity and workability when an incident is unfolding.
I will start with new clause 6. Ransomware is no longer an occasional or unusual cyber-event; it is now one of the most common and disruptive threats facing essential services, digital providers and their supply chains. Written evidence to this Committee was clear that ransomware incidents are now routine, high-impact events, and that uncertainty at the outset of an attack often makes the consequences worse. The Bill rightly broadens the definition of an incident to capture events that are capable of causing harm, not just those that already have. That is the right direction of travel, but when organisations are under pressure, particularly in the first 24 hours of an incident, uncertainty slows action. Time is lost debating definitions rather than focusing on containment, escalation and reporting.
New clause 6 addresses that problem directly. It makes it explicit that a ransomware attack is an incident for the purposes of the NIS regulations, and sets out clearly what is meant by ransomware attack. It would not create a new duty; it would remove doubt from an existing one. Clear definitions support better behaviour when organisations are operating under real pressure.
New clause 7 follows naturally from that point. If we want faster and clearer reporting, the system into which organisations are reporting has to work in practice, not just on paper. The Bill expands reporting requirements and introduces new notification duties. That is understandable, but UK Finance told the Committee that many firms already support cyber-incidents under multiple regulatory regimes and that additional reporting layers risk duplication rather than resilience. When an incident is live, that duplication causes friction, slows the response and increases costs. It can reduce the quality of information being shared because teams are stretched across parallel processes rather than focused on managing the incident itself.
We do not seek in new clause 7 to reopen the policy intent of the Bill; the new clause would require a review, once these changes are in force, of how the reporting requirements are working in practice. That review would consider costs and interactions with other reporting frameworks. The new clause would also require that proposals for a single cyber-incident reporting channel be published. That is not a bureaucratic exercise; it reflects concerns raised in evidence that resilience is undermined, not strengthened, when reporting becomes fragmented at moments of stress.
Taken together, new clauses 6 and 7 are about making the system clearer at the front end and more usable overall. Clear definitions encourage timely reporting and coherent reporting channels make that reporting effective. I hope that the Committee will give serious consideration to both new clauses.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Dr Murrison, and it is always a pleasure to follow my hon. Friend the Member for Bognor Regis and Littlehampton. I will speak to clauses 15 and 16 and to new clauses 6 and 7, tabled in my name on behalf of His Majesty’s loyal Opposition.
The previous Government stated in their consultation covering the subject of cyber-incident reporting that security breaches that did not result in a successful attack could still leave organisations open to follow-up attacks. It was identified that reporting how the breach took place would also allow regulators and other organisations to prepare for similar attacks in the future. It is therefore a welcome development that clause 15 significantly increases the scope and speed of cyber-incident reporting by regulated entities to competent authorities and the NCSC.
That increase in scope is achieved by broadening the definition of reportable incidents from the current position, where only cyber-attacks having an actual adverse effect are reportable, to a position to where cyber-incidents that are capable of having an adverse effect on the operation or security of network and information systems must also be reported. The Government’s explanatory notes for the Bill state that this change in definition
“is designed to include incidents that have compromised the integrity or security of a system without causing significant disruption yet, but that could have potential significant impacts in the future.”
This has been broadly welcomed by industry stakeholders as a measure that should provide regulators with greater intelligence about emerging threats, leading to improved risk management and hardened resilience in their sectors.
On the importance of intelligence gathering, we heard evidence from David Cook of DLA Piper and Chung Ching Kwong of the Inter-Parliamentary Alliance on China, among others, about the increasing use of prepositioning and “live off the land” technologies deployed by malicious actors. Once systems are infiltrated, attackers remain in systems, sometimes harvesting data, waiting for the moment when they can cause maximum harm and disruption. Those serious risks should be flagged to regulators wherever they are identified.
Dr Sanjana Mehta of ISC2 described problems of underreporting in relation to the existing NIS regulations regime, and welcomed the principle of expanding reporting, as did Jill Broom of techUK. However, both cautioned that while some high-level factors have been provided as to the criteria indicating whether an attack should be reported, such as the number of users, impact, duration of interruption and geographical reach, what is not clear at present are the thresholds that are linked to those criteria. Those details are vital if reporting is to be successful in ensuring that regulators are kept appraised of the most serious threats.
Dr Mehta summarised that concern succinctly in her comment:
“In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators”. ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 16, Q14.]
Likewise, techUK has stated in its written briefings on the Bill that
“technically any phishing email is ‘capable of’ having a significant impact if the organisation lacks adequate detection or response capabilities. This will lead to over-reporting of low-level incidents and potentially overwhelm regulators, thereby distracting attention from genuinely significant threats.”
As in many aspects of the Bill, the problem is not on the principle but in the detail. We heard in oral evidence about the concerns of industry and regulators regarding the availability of suitably qualified personnel to build capacity for effective regulatory oversight. We must be alive to that important consideration in ensuring that thresholds are proportionate and risk-based.
The Government have stated in their factsheets on the Bill that they intend
“to introduce thresholds through secondary legislation before this measure is brought into in force”
and after a period of consultation. They have also said that those thresholds will
“clarify the points at which we would consider the impact of an incident to be ‘significant’, and therefore reportable to regulators”.
What discussions has the Minister had to date with regulated entities and regulators about the approach to consultation on these thresholds? What is the feedback on what those organisations consider to be reporting priorities?
Chris Vince
I thank the shadow Minister for remembering my consistency—I have not mentioned Harlow. How is the new clause helpful, given the potential confusion it causes with listing a specific kind of incident as well as the generic one?
Dr Spencer
The Opposition are trying to make it clear that ransomware needs to be in the scope of the reporting. It is really for the Minister to answer if he thinks there are problems with the new clause, and if so, how the Government will go about taking that forward. The widespread and highly damaging nature of ransomware attacks—which are often perpetrated by criminal groups at scale and speed—means that regulators need to have a detailed oversight of this area to prevent those attacks from being deployed more widely. Therefore, the new clause is intended to ensure that all ransomware attacks on regulated entities are reported, regardless of severity or potential severity, so that the risks are picked up.
In tabling new clause 6, I am acutely aware of the existing reporting burden for regulated entities and regulators. Since tabling it, we have heard impactful evidence from Carla Baker from Palo Alto, who highlighted the number of cyber incidents and false positives that many companies encounter each day. As I said in response to an intervention, in the absence of measures brought forward by the Government to address the widespread and urgent risks presented by ransomware attacks—and as the Government themselves identify as part of the Home Office’s review—it would be proportionate to make specific reference to ransomware in the reporting requirements on regulated entities in the Bill.
New clause 7 reflects the concerns of regulated bodies and industry representatives who have set out many, many times—in oral evidence and beyond—the need to ensure that reporting obligations are clear and, as far as possible, simplified across the many different incident reporting regimes that exist for providers of digital services. The new clause would compel the Secretary of State to publish an assessment of the impact of the new reporting regime on regulated entities in the Bill within 12 months of Royal Assent. Importantly, in line with the clear requests articulated by many stakeholders who gave evidence last Tuesday, it requires the Government to publish proposals for the creation of a single cyber incident reporting channel for relevant bodies.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
I worked for the AI and digital regulations service in the NHS. We were linking with all of the regulators to try to have a one stop, one shop door approach to how we do things. It was incredibly difficult, and three years on we were still ironing out all the glitches. New clause 7 is laudable, but because I know how difficult it is, a 12-month proposal is a very tight timeframe in which to try to get this right.
Dr Spencer
I thank the hon. Lady for her intervention. New clause 7 puts forward an assessment of the impact. It is not intended to make definitive changes, but to give time. I have confidence in the Government and the Minister that within 12 months—it is the kiss of death to say that one has confidence at the minute, is it not? [Laughter.] I apologise to the Minister.
Dr Gardner
I will defend myself: my point was not a criticism of the Government. I just know how hard it is for regulators to work together and iron out cross-working. They were very confident in their information-sharing skills, but it is more difficult than that. It was just a kindly meant reminder that there is not an easy solution, and that 12 months is a bit of a tight timeframe.
Dr Spencer
I very much take the hon. Lady’s point and the constructive spirit in which it was presented. Twelve months is a long time for the operations of Government to function, and I have faith—I will change my words—in the Government and all of their powers if they wanted to put their minds to bringing this forward. If there are concerns about the ability of the Department for Science, Innovation and Technology to take this forward, those concerns would spill over into all of the consultation requirements that have to be met to make sure that this Bill functions in the correct way. The argument on what we are debating today could swing both ways.
Industry stakeholders have expressed strong concerns regarding the diverse incident reporting requirements that exist in several pieces of legislation, including UK GDPR, sector-specific regulation and the Telecommunications (Security) Act 2021. As we have already discussed, the Home Office may also bring forward guidelines for reporting ransomware incidents in future. Additional reporting requirements and procedures included in the Bill are viewed as adding a further layer of complexity to a legislative environment that is already very challenging to navigate. Stakeholders report that the current approach, with multiple different reporting procedures and platforms, increases regulatory compliance costs on businesses and detracts from the resources available to implement effective improvements in cyber-resilience. In view of that, will the Minister support this urgently needed review clause to assure industries that the Government have heard their serious and vital concerns on the matter?
Bradley Thomas
It is a pleasure to serve under your chairmanship, Dr Murrison.
When introducing new legislation, it is essential that those who fall under its new regulations be clearly identified and given adequate time to prepare for compliance. However, despite the aims of the Bill and the wish to avoid worsening a cyber-attack incident, the Bill still presents far too much ambiguity. It is right to recognise the cyber landscape as continuously evolving. There is no dispute that this terrain becomes increasingly complex each day, requiring a level of flexibility in legislation to ensure that it keeps pace. However, this desire to safeguard such adaptability, and the goal of future-proofing, must not come at the expense of the effectiveness of legislation in the present day.
The powers afforded to the Secretary of State to change the classification of essential activity, and to bring new sectors into scope of the Bill at any time, undoubtedly create uncertainty for many sectors and cast a shadow over long-term compliance. To be clear, we want organisations to comply with this legislation. We want to improve national cyber-resilience, gather vital intelligence and restore public confidence in our security. Why, then, would there not be a significant effort to make these regulations as easy to apply as possible, rather than leaving thousands of businesses second-guessing whether they fall within scope, with the pressure of large financial penalties hanging over their heads?
In addition, many will know that I am a firm supporter of parliamentary process. I support the notion that all legislation should receive the scrutiny it is due by the democratically elected Members of the House of Commons. That is why I believe the Bill must not only set out clearer guidelines for who is in scope, but require an official amendment, debated in the House, to permanently bring any new sectors into scope after the Bill has been passed.
I understand that, in times of emergency, the longer process of House of Commons scrutiny may not always be possible. That is why the Secretary of State should have powers to bring in sectors necessary in an emergency temporarily into scope, with less imposing of non-compliance penalties until their inclusion is made permanent by the House. Such an approach would not only allow for the quick reactions that cyber-security demands, but respect parliamentary processes and safeguard against organisations’ being unaware that they had suddenly been brought into scope until they received a potentially financially ruinous penalty notice for non-compliance.
Looking at the need for more definitive guidelines on who will be regulated under the Bill, we have already heard from numerous industry stakeholders that are unsure whether they, or other organisations in their sector, will fall within the mandatory scope. In addition, industry experts have publicly shared concerns about how far the net may be cast in some sectors, leading to the unintentional inclusion of organisations that are critical only to a single larger organisation, rather than to our national security, while ignoring other essential sectors altogether. Looking at recent cyber-attacks that have had a significant impact on our country, it is concerning that the definition of essential services may not include them within scope.
While it is predicted that many of Jaguar Land Rover’s supply chains will be in scope, it has been publicly questioned whether it will be included. As the largest car manufacturer in the United Kingdom, it directly employs over 30,000 people across the UK and supports around 100,000 jobs indirectly. It is therefore no surprise that the cyber-attack it endured, estimated to have had a financial impact of over £1 billion, was significant to many, including more than 5,000 organisations impacted and many of my constituents, with JLR being one of the largest direct and indirect employers in the west midlands region. How, then, if a key aim of the Bill is to ensure that all essential services whose disruption would profoundly impact our nation in the event of a cyber-attack report all major incidents, can the vagueness of the definition of essential services be allowed to stand—especially when it creates a situation in which previous key victims are excluded?
Of course, JLR is not the only victim where questions of inclusion remain. Also potentially falling outside the regulatory reach is Marks & Spencer, whose recent cyber-attack was another stark reminder of the rapidly advancing cyber-crimes scene and caused significant disruption, with costs estimated to run into the millions of pounds. Having met with M&S representatives recently, I had the opportunity to discuss their experience of enduring such an attack. Archie Norman, M&S chair, gave evidence to the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, where he said that “a growth economy” is “a cyber-resilient economy”.
Having a cyber-resilient UK, and making the UK the safest place to do business, is a competitive advantage. I agree with that sentiment and firmly believe that increasing our cyber-resilience can only benefit our economy. It is imperative that we get this right. These cyber-threats are not going away; they are only going to get stronger and more technically advanced. We have seen that in the past year, with the National Cyber Security Centre reporting a 50% increase in British cyber-incidents deemed highly significant. Indeed, representatives of M&S told me that, at times, they found it much easier to get updates and information from the United States FBI than they did from our own authorities. We also know that foreign hostile states are becoming bolder in their actions against us.
A few months ago—as a reason for introducing my ten-minute rule Bill, the Cyber Extortion and Ransomware (Reporting) Bill—I stated that research had revealed that 74% of UK IT leaders cited China and 71% cited Russia as their top cyber-security concerns. It is undisputable that last year’s espionage trials threw a harsh spotlight on the threatening scale of state-sponsored cyber-attacks.
Improving our national cyber-resilience, and safeguarding all our infrastructure and essential services, including in the private sector, is vital in order to secure a prosperous economy and reinforce public confidence in our ability to defend ourselves against such threats.
Emily Darlington (Milton Keynes Central) (Lab)
I have a few questions for the Minister. I appreciate the clarity that the Bill brings to many of the services in its scope. I would like to understand how the definition of “incidents” will relate to hardware vulnerabilities that are discovered within a company, as we heard from some of the people who gave evidence to the Committee. It is unclear in the Bill. Perhaps it will be further defined in secondary legislation.
I want to understand how an incident in which someone discovers a vulnerability in hardware—such as in a system-in-package—is reported, and how that information is then delivered by the regulator to other companies in the sector that may have similar technology, and to the other regulators, which may also want to flag that technology as a particular vulnerability. Is that defined as an “incident” or is it defined somewhere else in the Bill? I am a bit confused and am looking for some clarity.
Kanishka Narayan
Having been promoted from a position of mere confidence to faith, I will tackle questions from the hon. Member for Runnymede and Weybridge first and foremost. On the question of thresholds of incident, the Bill sets out the severity of the sorts of incidents that we expect reporting obligations to apply to, and at the same time it ensures that it is proportionate in understanding that sector-specific thresholds ought to be precisely that—sector specific, set closely with relevant entities in that sector, and working with the expertise of the relevant regulators. For that reason, it has not been specified more fully on the face of the Bill.
On information sharing, not only is there provision for the specific sets of purposes for which information sharing ought to take place between regulators, but there is a further check on the proportionality of that, through a particular requirement, to ensure that information that is shared in incident contexts is done precisely for the purposes set out in the Bill, and in a way that is proportionate.
My hon. Friend the Member for Milton Keynes Central raised the question of hardware impacts. While the focus of the Bill is primarily on network and information systems, the test, as I think of it, would look at whether any compromise in network and information systems related to a piece of hardware triggers the severity of the impact, or potential impact, to be reportable. In the event that it is reportable, in its severity and potential impact, it will require notification—to the regulator and, when customers are directly impacted in the way that is set out in the Bill, also to the customers. The test is focused on whether network and information systems are engaged, and whether the impact of any incident is likely to be severe enough, in light of the thresholds set out in the Bill.
Lincoln Jopp
My hon. Friend the Member for Bromsgrove raised the case of M&S, which would clearly be out of the scope of the Bill. However, it has a managed service provider, so it is a bit like the JLR case. I am still looking for some certainty as to whether JLR and M&S would come within the scope of the Bill by dint of the fact that they have managed service providers, which are within the scope. I am still not 100% clear on the answer to that question. I would be grateful for greater clarity from the Minister.
Kanishka Narayan
I hope this does offer the clarity that the hon. Member seeks. While I will not refer to specific businesses, broadly speaking the sector of food supply is not within the scope of the Bill; the obligations on operators of essential services or direct entities that are within the scope of the Bill will not apply.
However, if—in a hypothetical situation—a managed service provider within the scope of the Bill supplies to that business, the managed service provider would be within the scope of the Bill’s requirements. The customer—in this case, the food supply business—may, if the severity applies, be in receipt of reports from the relevant MSP, in this particular context. They will not be caught up in the full set of obligations in the Bill, but we would expect customers to be notified of incidents where the severity thresholds are met. I hope that gives the hon. Member some clarity.
Lincoln Jopp
I am grateful to the Minister for giving way a second time. I understand his answer, but, to be clear, if an incident that meets the severity threshold is reported to a client who is out of scope, would that bring any obligation to report in the normal way?
Kanishka Narayan
Under the provisions of this Bill alone, only the entities specified as critical suppliers or operators of essential services—the relevant digital providers and so on—would be caught up in obligations if an event occurred. Assuming neither of those is true of a food supply business, the Bill’s provisions would not apply.
At the same time, in the sort of incident that the hon. Member describes, we would expect the NCSC to be deeply engaged, assuming severity thresholds and wider risks are applied. We would work closely on that operationally and I am sure we would look at how that business could be supported more widely. But the Bill’s provisions are really focused on the sectors, and entities within those sectors, that have an immediate threat to day-to-day operations such as a potential threat to life. There are reasons, which we can get into later, as we have done previously, why we set the sectoral scope in that way.
New clause 6 seeks to clarify that a ransomware attack falls under the definition of “incident” within the NIS regulations. I share the concerns of the shadow Minister and the hon. Member for Bognor Regis and Littlehampton about the significant disruption that ransomware attacks can cause. Indeed, last year we saw the impact of the ransomware attack on Synnovis, a supplier to the NHS, which resulted in the delay of 11,000 out-patient and elective procedure appointments. The hon. Member for Bognor Regis and Littlehampton and the shadow Minister are quite right that this kind of attack should be considered an incident under the NIS regime. Because of the changes to incident reporting introduced by the Bill, I can confirm to the Committee that ransomware attacks will be in scope.
The Bill updates the definition of “incident” so that it applies to any event that has, or is capable of having, an adverse effect on the operation or security of network and information systems. Ransomware attacks already fall well within that definition. Although I welcome the principle and intent behind the new clause, its content is already addressed by the Bill. I hope that assures hon. Members across the Committee.
New clause 7 would require the Government to publish a review of the new incident reporting regime within a year of the Bill’s receiving Royal Assent. It is important that the effectiveness of the NIS regulations, including the reforms to incident reporting introduced by the Bill, should be reviewed periodically. That is why the Bill requires the Government to conduct a review and lay it before Parliament once every five years. That timeframe will enable the new regime to bed in and allow a meaningful period of time to measure change before the Government report on its effectiveness. As my hon. Friend the Member for Stoke-on-Trent South said, notwithstanding her and the shadow Minister’s confidence in me and the Government, to publish a review after only one year would risk giving an incomplete picture, as regulators and regulated entities may still be transitioning to the new processes.
The new clause would also require the Government to publish proposals for a single reporting platform for cyber-incidents, again within a year of the Bill’s passing. We have heard the clear ask from businesses to minimise the time they spend filling in different reporting templates following an attack, to ensure they can prioritise the technical response. I share the concerns of the hon. Member for Bognor Regis and Littlehampton, and we are exploring all options to enable a proportionate and efficient reporting system. That said, setting a fixed time limit of one year to develop proposals does not reflect the inherent complexity of the task and the need to get it absolutely right for the businesses in scope of the Bill, not least because the proposals will need to be rigorously evidenced, consulted on and tested. For those reasons, I am unable to accept the new clause.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16 ordered to stand part of the Bill.
Clause 17
Powers to impose charges
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.
The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.
The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.
Bradley Thomas
I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?
Kanishka Narayan
I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.
On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.
The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.
I commend the clause to the Committee.
Dr Spencer
Clause 17 will amend the NIS regulations to provide a framework for regulators to impose charges on regulated entities to recover the costs incurred by them in carrying out their supervision and enforcement functions. The Government’s explanatory factsheet supporting the Bill suggests that those changes are needed to ensure that regulators are
“better resourced to carry out their responsibilities.”
We have heard at length from witnesses in oral evidence sessions that resourcing is a key consideration for regulators in meeting their new and expanded obligations under the Bill. The concept of our regulators’ being better funded is good. However, as with much of the Bill, the lack of detail around the regulator charging model is causing uncertainty among regulated entities that would be liable to meet the associated costs.
Kanishka Narayan
The shadow Minister raised two main points that I am keen to address. The first was about ensuring that I committed to next steps on potential guidance for the charging scheme. I can confirm that the Government will issue guidance for competent authorities. That will include general directions on how the fee regime ought to be implemented. At the same time, we do not intend to be prescriptive as to how competent authorities should recover costs to benefit from their experience and practice in setting up these regimes. It is important that each regulator is able to tailor their fee regime in a way that is consistent with and complementary to the state of their sector.
Lincoln Jopp
On the subject of charging and money, has the Minister had the opportunity to revisit his own impact assessment on the basis that there might be a glitch in the matrix? It says on multiple occasions that the hourly salary for a contract lawyer is £34 an hour. When we discussed it last week, I contended that this was totally unrealistic, probably to a factor of 10.
Kanishka Narayan
I am reminded of the hon. Member’s point last week. I am happy to write to him on the basis of the precise figure in the impact assessment, which I understand to be based on not just an extensive survey but the application of subsequent uplifts. I am more than happy to continue that conversation in correspondence.
On factors that ought to be considered in setting up charging schemes, I mentioned some, such as size and turnover, but I will flag that those are suggestive and indicative rather than exhaustive factors that regulators may consider. Regulators ought to be able to set different levels of fee for different types of organisations. There is also provision to exclude organisations from a charging scheme altogether if it would be disproportionate or counterproductive to include them. It is appropriate that regulators and competent authorities can vary their charging schemes in the light of that.
On current regulatory performance and its correlation with charging schemes, I have not observed any direct correlation. What I have seen, simply, is that some regulators are clearly doing well. We heard in evidence from a range of participants that in some cases things are working particularly well and that, in others, there is more scope for improvement. That is precisely why the Bill sets no fundamental lowest common denominator for how regulators ought to approach either charging or their enforcement duties; instead, it ensures that we are conducting oversight of each regulator as robustly as possible. I assure hon. Members that the question of regulatory enforcement is central and that the motivation behind the charging scheme is precisely to ensure that regulators are well resourced to implement the Bill.
Question put and agreed to.
Clause 17 accordingly ordered to stand part of the Bill.
Clause 18
Sharing and use of information under the NIS regulations etc
Kanishka Narayan
I beg to move amendment 14, in clause 18, page 38, line 31, at end insert—
“(aa) otherwise in connection with—
(i) the security and resilience of network and information systems, or
(ii) any other matter relating to cyber security and resilience,”.
This amendment would allow NIS enforcement authorities to share information with persons listed in regulation 6(2) (inserted by clause 18), and such persons to share information with NIS enforcement authorities, for purposes relating to the security and resilience of network and information systems or cyber security and resilience.
The Chair
With this it will be convenient to discuss the following:
Government amendments 15 to 18
Clause stand part.
Kanishka Narayan
The clause introduces vital reforms to how information can be shared in the context of the NIS framework. Right now, as we have heard again and again from both hon. Members across the Committee and witnesses, the NIS regulations have limitations that restrict how and with whom information can be shared. That has serious implications for the effectiveness and efficiency of the regime including business burdens as well as the ability of the UK’s authorities to act on national security or criminal intelligence.
One important limitation in the current regulations is the inability of regulators to share information with many public authorities in the UK and vice versa. For example, NIS regulators currently cannot share information to support the evaluation of the NIS framework or policy development relating to cyber-resilience and national security. The clause addresses those concerns by enabling information to be shared between NIS regulators and UK public authorities, including the Government. That will be done for the purposes of supporting the NIS regulations as well as wider objectives alike, reducing business burdens and for national security and crime purposes.
The clause also imposes strict requirements and safeguards on how the information can be further shared. The net effect of the changes will be fewer burdens on business, better and more informed regulatory decision making, joined-up incident response and improved security for the United Kingdom.
Government amendment 14 makes targeted but important changes to the clause. It proposes a further ground for sharing information focused on wider cyber-security and resilience outside the context of the NIS regulations and NIS sectors. In practice, it means that NIS regulators will be able to share information with regulators who are responsible for overseeing the cyber-security and resilience of other vital sectors under different regulatory frameworks and vice versa.
The amendment is a crucial addition to the Bill. It means that the UK’s regulators can think holistically about the risks that their sectors are facing, the interventions they propose to take and the obligations they are placing on business. That in turn will mean better outcomes, more effective and informed incident response, more co-ordinated oversight and lower business burdens.
The amendment will be particularly important in supporting co-ordination with the financial regulators responsible for the critical third parties regime, which could be used to designate organisations already in scope of the NIS regulations such as cloud service providers. It also anticipates the need for co-ordination for other sectors, such as civil nuclear and space, in the future. In short, the amendment is necessary to ensure that UK regulators can take a more co-ordinated approach to protecting the UK’s most essential services.
Government amendments 15 to 18 are consequential on amendment 14. I urge the Committee to support the amendments, and I commend clause 18 to the Committee.
Dr Spencer
Clause 18, which the Government seek to modify through amendments 14 to 18, creates new pathways for information sharing between regulators, public authorities and Government Departments. It also creates a power for NIS enforcement authorities to share information with relevant overseas authorities for specified purposes. The new regime is intended to remove gaps and ambiguities in the existing framework governing the sharing of information obtained in the course of competent authorities and the oversight role of NCSC, and to create legal certainty in this domain.
In turn, it is anticipated that greater information sharing will assist with the detection of crime, enforcement activity and awareness of emerging cyber-risks and with ascertaining the effectiveness of the NIS regulations in building UK cyber-resilience. In particular, the Bill creates a new gateway to ensure that NIS regulators can share information with UK public authorities, and vice versa, as well as sharing and receiving information from organisations outside of the NIS framework, for example other regulators or bodies such as Companies House.
The Bill strengthens safeguards on how information can be used once it has been shared under the NIS regulations by restricting onward disclosure. More effective information sharing will be vital for competent authorities to keep up to date with emerging risks and building resilience in their sectors, and the new measures were broadly welcomed by regulators in our oral evidence session.
However, industry bodies such as techUK have called for further detail on the new information-sharing regime. What steps are the Government taking to ensure that regulators share responsibility for protecting sensitive data, and that information-sharing processes are coherent, proportionate and secure? Could the Minister elaborate on the discussions he has had with regulators on those matters, and on how secure information sharing will work in practice?
Finally, on the detail of the text in Government amendment 14, proposed new paragraph (aa)(ii) refers to persons
“otherwise in connection with…any other matter relating to cyber security and resilience,”.
Given that this is an information-sharing power, that seems a remarkably broad “any other matter” provision. What disclosures that are not already covered in the Bill does the Minister conceive will come up in that scope? What guidance or consultation will the Minister produce to make sure that such powers are proportionate and not at risk of abuse?
Emily Darlington
Again, I welcome the Government amendments and clause 18; they are important to enabling us to share our vulnerabilities in an appropriate way with those people who may be involved. However, some of the aspects of those vulnerabilities that security services—GCHQ, His Majesty’s Government Communications Centre and others—raised with us relate particularly to not only foreign interference, but the potential for interference through technology embedded in our networks. How does the Minister see the measures working within our co-operation with different foreign nations, particularly during these volatile times?
Kanishka Narayan
In response to the shadow Minister’s first question about ensuring sensitive handling of shared information and proportionality, all information handled by regulators ought to be treated carefully and with awareness of its importance. The regulators have to act reasonably, and the NIS regulations specifically require information obtained from inspections to be held securely. Of course, data protection laws apply to regulators as well. Alongside that, regulators will be required to consider the relevance and proportionality of sharing their information to the purposes set out in the Bill; as I have mentioned, the Bill includes specific purposes for why information might be shared.
Kanishka Narayan
Clause 19 sets out that regulators must provide guidance on specific issues, including security requirements and incident reporting notifications. Guidance already plays an important role in supporting the implementation of the NIS regime. We have, however, identified some areas where regulated entities would benefit from additional clarity. The clause ensures that every regulated sector has the guidance they need from their sectoral regulators to help them to comply. To ensure consistency across regulators, the clause also requires regulators to co-ordinate with each other when preparing guidance relating to designating critical suppliers. The clause also requires regulators to consider guidance published by the Secretary of State such as the code of practice when preparing guidance on the security and resilience requirements. That will ensure that regulators consider good practice recommendations and take more consistent approaches to preparing guidance.
Dr Spencer
Clause 19 amends the NIS regulations and will require regulators to publish guidance on the security and instant reporting requirements of regulated sectors. In formulating their guidance, regulators are under a duty to co-ordinate and consult with other regulators to ensure consistency as far as is reasonably possible. Relevant provisions in the code of practice, to be issued by the Secretary of State under clause 36, must also be taken into account. Newly regulated entities will, no doubt, welcome proportionate guidance on meeting obligations, and existing regulated entities will appreciate any streamlining that comes from consultation between regulators and their approach. Can the Minister provide further details about whether consultation between regulators and the Secretary of State is under way on a consistent approach to regulation?
Kanishka Narayan
As I have mentioned to the shadow Minister, the Minister for Digital Economy, the Secretary of State and I have engaged with a number of the regulators in scope here. Both those conversations, and the broader framework of this Bill, are intended to drive consistency across sectors through common security requirements, clear guidance and a statement of strategic priorities, which will set objectives that regulators must seek to achieve. I hope that is sufficient assurance not only that those conversations have started, but that they will be a fundamental focus as we ensure consistent regulation across the board.
Question put and agreed to.
Clause 19 accordingly ordered to stand part of the Bill.
Clause 20
Powers to require information
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.
While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.
New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.
Bradley Thomas
Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?
Dr Spencer
Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.
I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.
Lincoln Jopp
In terms of scope, could the Minister give us some sense, when it comes to managed service providers, whether the purpose behind this clause is to enable regulators to find out their entire client list? I would be grateful for some clarity on that point.
Kanishka Narayan
I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.
To the shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.
Dr Spencer
Will the Minister talk through what the data exchange flow chart will look like? How will it work in practice? Will the OES proactively contact the regulator and say, “We have all these suppliers—go play”? Will the regulator contact the OES and say, “Give us a list of all your suppliers, and then we are going to start an investigation programme and decide what data we need”? What is the direction of communication in practice? Or—perhaps even worse—will the burden be on suppliers to an OES to contact the regulator and say, “Could we possibly be in scope?” How will it shake out in practice?
Kanishka Narayan
Although I will not specify prescriptively what the activity and flow ought to be, I can share from my experience that many large-scale businesses—and indeed many medium and small-sized businesses—have a very clear business continuity plan mapping their critical suppliers. In this case, I would expect the regulator and the regulated entities to engage. Who sends the email first is an open question, and I would not want to specify it in the Bill, but I would expect each regulator and their regulated entities to work very closely to understand the critical suppliers that meet the tests specified in the Bill, and to engage with those critical suppliers as a consequence.
Dr Spencer
The Minister has mentioned business continuity plans a second time as a justification for not going into detail on this, but the whole reason for the Government bringing in the powers in clause 12, and the designation of critical suppliers, is that there was no business continuity plan in place in the example of Synnovis. I do not see how that argument gets away from the need for clarity, for organisations that could be at risk of being in scope of being assessed and designated as a critical supplier, about what actions they have to take in response to regulation, proactively or otherwise, and the burdens on them. We have just discussed the cost of enforcement, which risks essentially becoming a cyber-security tax.
Kanishka Narayan
I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.
I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.
Lincoln Jopp
I might have to remind myself. I asked the Minister whether the purpose of this clause is for a regulator to be able to ask a managed service provider what their entire client list is, in order to make various assessments.
Kanishka Narayan
I thank the hon. Member for asking and repeating the question. The purposes of the provisions on information requirements are focused on ensuring that regulators can conduct their duties as provided by the Bill. I would not expect information notices to require an exhaustive list in every instance, but instead to primarily focus on a more proportionate set of asks relating to risk vectors to the security of the regulated entities and to wider national security and cyber-security.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Financial penalties
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 21 reforms the enforcement regime for the NIS regulations. It seeks to ensure that providers of the UK’s most essential services are complying with their obligations under those regulations. Where they are not, it will allow for more meaningful penalties that reflect the risks they introduce to our society and economy as a whole. To do that, the clause makes a number of critical changes.
First, the clause introduces a new penalty maximum based on turnover. The current maximum penalty is £17 million, which can appear disproportionately large for smaller organisations, but could also easily be absorbed by larger ones as the “cost of doing business.” The clause therefore increases the penalty limits from £17 million to a maximum of £17 million or 4% of annual turnover, whichever is higher. I am confident that that strikes the right balance within the UK regulatory context. It brings the regime in line with other UK legislation that regulates cyber-security, such as part 1 of the Product Security and Telecommunications Infrastructure Act 2022, without rushing uncritically to the more severe penalties we see in other CNI regulation.
The second change is to create a simple two-band penalty structure that will provide much-needed clarity to regulators and industry about the penalty tiers for specific acts of non-compliance.
Bradley Thomas
On the point about banding, can the Minister assure us that there will be consistency applied across regulators so that different events are not differentially penalised depending on the regulatory body? On the question of turnover and the financial penalty, can the Minister elaborate on how the figure was derived?
Kanishka Narayan
I thank the hon. Member on both fronts. On the penalty bands, clearly defined parameters are set out in the Bill, and my hope is that that increases the effectiveness, the clarity and—at the heart of it, to his question—the consistency of application we expect across regulatory regimes.
As I mentioned, the 4% figure for the maximum penalty in part referenced existing UK regulatory regimes and legislation that were felt to be the most comparable. In part, it was judged to be an appropriate, proportionate maximum, based on relevant concerns around the appropriate level of deterrent effect, the proportionate level of fine, the regulatory precedent and the broader impact on investment and the economy as a whole, notwithstanding the significant cyber-security costs businesses already experience.
The second change in the clause is intended to eliminate the confusion surrounding the definition of a “material contravention” in the current regulations. Finally, the clause ensures that regulators can consider a wider range of factors when determining what constitutes an appropriate penalty. Where mitigating steps have been taken to address a breach, that should be acknowledged, but so too should the impacts of the breach and any history of compliance or non-compliance.
To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed.
Lincoln Jopp
This is really where the regulatory rubber hits the road. Earlier, we described cases involving a client who is not in the Bill’s scope but who employs a managed service provider that is, and that is therefore vulnerable to these charges. What happens when there is an interface between a client employee operating an IT system and what the managed service provider does? For example, someone could bring in a data stick, shove it in the side of a computer and break the rules, eliciting some form of ransomware. How will it work when the regulator goes to the managed service provider and says, “Here’s your £10 million fine,” and the client says, “That is down to you”? It is going to be a lawyer-fest, isn’t it? Even lawyers who get paid more than £34 an hour are going to make quite a lot of money.
Kanishka Narayan
Just so that I am clear, not least for future records, I think the case described is one where the client is not in the Bill’s scope but is provided to by an MSP that is in the Bill’s scope, and where the relevant responsible individual is in the client business as an employee or agent of that business. The hon. Gentleman raises an important point. Both the obligations and the defined focus of the Bill are on regulated entities. In this instance, if the individual is not in the regulated entity and the regulated entity has complied with the entirety of the wider cyber-security reporting obligations in the Bill, we would look to other venues of legal action against the individual in question. It would be challenging for a Bill that does not regulate the entire economy to ensure that every individual and firm unregulated by it are brought into its scope as well. But that is not to diminish the significance of requiring other pieces of law to act on individuals elsewhere.
Dr Spencer
I will come to my speech, but as we are having a debate on this point, but does the Minister’s answer not risk a gilded defensive posture being set up by MSPs? If they list terms and conditions for the use of their services that essentially bar everything, they can say that any liability—if there is ransomware or they get hacked—is completely on the client, as opposed to themselves. Does the Minister’s explanation not risk MSPs taking a very defensive posture to ensure that the client is liable for any problem? Given that the clients are usually not regulated entities, this provision effectively becomes meaningless.
Kanishka Narayan
I can see the shadow Minister’s hypothetical point, but I assure him that if there is some universal, consistent practice on the part of an MSP to avoid liability, where liability should reside with them, that should be in scope of how the regulator assesses the performance of that MSP. Secondly, I assure him that there remains a degree of competition in the MSP market, given the attractiveness of the UK customer and end user market for MSPs. I would therefore very much expect any MSP that adopts a falsely defensive posture of the sort that the shadow Minister describes not only to be assessed as doing so by the regulator, but to fall foul of the competitive market context that we have and want in the UK.
To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed. The clause ensures that that is the case for NIS regulations, and for that reason I commend it to the Bill.
Dr Spencer
I think I will follow up in writing on my intervention to try to dig down into the explanation of how liability will be laid down when the client is not a regulated entity but is receiving services from regulated entities. That is an important point, because these are quite hefty fines. As my hon. Friend the Member for Spelthorne pointed out, even with £34 an hour lawyers, there will be a lot of industry activity to try to avoid liability in the context of a substantial cyber breach, which can be significant.
More generally, the clause makes significant changes to enforcement practices under the NIS regulations, including to increase the financial penalties regulators can impose for infringement of the regulations, and to set out a clearer system of tiered penalties, based on the severity of infringements. The Government’s impact assessment states that these changes have been made because of concerns reported by regulators that
“enforcement under the NIS Regulations has been constrained by unclear band structures and a maximum penalty which is insufficient to deter non-compliance across all NIS sectors”,
which goes back to my previous point. Enforcement activity under the NIS regulations has been sparse, inconsistent and insufficiently effective to increase cyber-resilience to the levels necessary to meet the proliferating cyber-security risks to our most critical sectors.
Fundamentally, the existing approach to enforcement has not achieved the necessary change in attitude to cyber-risk at the highest levels of regulated entities. It is concerning that board level responsibility for cyber-security has steadily declined among businesses since 2021, with 38% of businesses having a board member responsible for cyber-security in 2021, compared with 27% in 2025.
The enforcement model clearly needs to be more effective, and increasing fines is only one part of that. Regulatory capacity to undertake supervision and enforcement remains a concern, as does perceived reticence on the part of regulators to impose fines on critical infrastructure providers, due to the risk of destabilising essential services and increasing costs for consumers. In our oral evidence sessions, many witnesses, including Richard Starnes of the Worshipful Company of Information Technologists, raised the issue of greater responsibility at the highest levels of management for cyber-resilience. What assessment has the Secretary of State undertaken of whether changes to the penalty regime are likely to influence board-level attitudes towards cyber-security?
Kanishka Narayan
The shadow Minister makes a really important point: cyber-security must be taken seriously at the highest level—at board level. It is part of the cyber assessment framework, which the Government have put at the heart of how we think about assessing cyber-security in firms as well as public sector organisations. It is also part of the guidance we are looking at in the cyber action plan and our wider cyber-security strategy. I take those very seriously. In terms of making sure that businesses have a razor sharp focus, the intent of the fine regime is to ensure that there is a deterrent effect and that it is felt at decision-making levels, which must include boards.
Question put and agreed to.
Clause 21 accordingly ordered to stand part of the Bill.
Clause 22
Enforcement and appeals
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Government amendment 19.
Schedule 1.
Kanishka Narayan
Clause 22 sets out, through schedule 1, consequential changes to the regulations in relation to enforcement and appeals. That is to ensure that the regulations work effectively in relation to the new entities brought into scope, such as managed service providers, data centres and large load controllers, so that the enforcement and appeal systems work as intended. Government amendment 19 makes a minor drafting correction. I commend clause 22 and schedule 1 to the Committee.
Question put and agreed to.
Clause 22 accordingly ordered to stand part of the Bill.
Schedule 1
Enforcement and appeals
Amendment made: 19, in schedule 1, page 86, line 33, at end insert—
“(ea) in sub-paragraph (da), after ‘14A;’ insert ‘or’;”.—(Kanishka Narayan.)
This amendment would make a minor drafting correction.
Schedule 1, as amended, agreed to.
Clause 23
Minor and consequential amendments etc
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Government amendments 20 to 22.
Schedule 2.
Kanishka Narayan
Clause 23, through schedule 2, introduces a number of minor and consequential amendments to the NIS regulations, necessitated by the more substantive changes introduced by the Bill. Among other technical changes, the schedule revokes assimilated EU legislation, removes the requirement for an NIS national strategy to be published once a statement of strategic priorities has been designed in its place, and updates references in the regulations to reflect the new clause numbering. Government amendments 20 and 21 make minor drafting corrections.
Government amendment 22 aligns the process for issuing documents, notices and directions under the NIS regulations with the Bill. As it stands, regulators will be required to follow two different procedures for issuing documents, notices and directions under the NIS regulations and under the national security powers in part 4 of the Bill, which is unnecessarily confusing for regulators and regulated entities. Amendment 22 resolves the issue by aligning regulation 24 with clause 57, as amended by Government amendments 23 and 24. I commend amendments 20 to 22, clause 23 and schedule 2 to the Committee.
Question put and agreed to.
Clause 23 accordingly ordered to stand part of the Bill.
Schedule 2
Minor and consequential amendments etc
Amendments made: 20, in schedule 2, page 89, line 35, at end insert—
“(ia) omit the ‘and’ at the end of the definition of ‘relevant law-enforcement authority’;”.
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
Amendment 21, in schedule 2, page 89, line 37, at end insert—
“(iia) omit the ‘and’ at the end of the definition of ‘representative’;”.
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
Amendment 22, in schedule 2, page 91, line 4, at end insert—
“11A (1) Regulation 24 (service of documents) is amended as follows.
(2) In paragraph (1)—
(a) in the words before sub-paragraph (a)—
(i) for ‘or notice’ substitute ‘, notice or direction’;
(ii) after ‘served on’ insert ‘or given to’;
(iii) after ‘served’, in the second place it occurs, insert ‘or given’;
(b) omit the ‘or’ at the end of sub-paragraph (b);
(c) for sub-paragraph (c) substitute—
‘(c) sending it by post to the person’s proper address or by email to the person’s email address.’
(3) In each of paragraphs (2) and (3)—
(a) after ‘document’ insert ‘, notice or direction’;
(b) after ‘served on’ insert ‘or given to’.
(4) In paragraph (4), for ‘service’ substitute ‘documents, notices and directions’.
(5) For paragraph (5) substitute—
‘(5) For the purposes of this regulation, a person’s “proper address” is—
(a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
(b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
(c) in any other case, an address in the United Kingdom at which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of the person on whom it is to be served or to whom it is to be given.
(5A) For the purposes of this regulation, a person’s email address is—
(a) an email address provided to a NIS enforcement authority as an address for contacting that person,
(b) an email address published for the time being by that person as an address for contacting that person, or
(c) if no email address has been so provided or published, an email address by means of which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of that person.’
(6) After paragraph (5A) (inserted by sub-paragraph (5)) insert—
‘(5B) A document, notice or direction sent to a person by email is, unless the contrary is proved, to be treated as having been served or given at 9am on the working day immediately following the day on which it was sent.
(5C) In paragraph (5B) “working day” means a day other than a Saturday, a Sunday, Christmas Day, Good Friday or a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.’”—(Kanishka Narayan.)
This amendment would align regulation 24 of the NIS Regulations with the provisions about giving of directions and notices in clause 57 of the Bill, as amended by Amendments 23 and 24.
Schedule 2, as amended, agreed to.
Clause 24
Key definitions in Part 3
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following: ‘Food supply Food supply chain The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’ ‘Local Government Local Government The Secretary of State for Housing, Communities and Local Government’ ‘Elections Electoral infrastructure The Electoral Commission’ ‘Government Political parties The Secretary of State for Housing, Communities and Local Government’
New clause 1—Food supply chain to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The food supply chain subsector
11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) after paragraph 10 insert—
(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture, or
(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;
(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
(a) any fish or other aquatic animal,
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism;
“plants” include fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”
This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.
New clause 8—Local authorities to be regulated as essential services—
“(1) The NIS Regulations are amended as follows.
(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The Local Government Sector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph “local authority means”—
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”
This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.
New clause 9—Critical manufacturing and retail sectors—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”
This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
New clause 11—Electoral infrastructure to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The electoral infrastructure subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”
This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.
New clause 12—Political parties to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The political parties subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons
(3) In this paragraph—
“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”
This new clause would designate political parties as providing essential services for the purposes of cyber security.
Kanishka Narayan
Clause 24 defines key terms for this part of the Bill, and in doing so introduces two delegated powers. Those powers enable the Government to bring new sectors into the scope of the NIS regime and to designate regulators to oversee them. The power will be used only in relation to activities that are truly essential to our society and economy—in other words, where disruption could pose risks to life or the economic stability of the UK.
The powers are essential in the rapidly changing world we occupy. As we have seen with data centres and managed service providers, our society and economy can quickly become reliant on new services that are acutely vulnerable to cyber-attacks and system outages. Our legislation must be able to keep up with those changes and protect the services that matter most to our country.
Alison Griffiths
I want to use new clause 1 as a lens to view a wider question that sits underneath clause 24, rather than as a verdict on the clause itself. That question is how we decide, in a disciplined and credible way, which activities are sufficiently critical to be brought into the scope of the regime, and how that judgment is applied consistently over time.
New clause 1 would bring much of the food supply chain directly into scope through primary legislation. I understand the instinct behind that. Food supply is fundamental to public confidence, and disruption would be felt very quickly. However, if the underlying test for inclusion is systemic impact, food is not the only sector that raises these questions. I am vice-Chair of the Business and Trade Committee, and over the past year we have taken evidence on economic security from major UK firms that have experienced serious cyber-incidents. One example everyone here will be familiar with is Jaguar Land Rover. Evidence to our Committee indicated that the cyber-incident there contributed to UK GDP being around 0.1% lower than expected in the third quarter last year, which was not a marginal effect. That reflected disruption to tightly integrated manufacturing systems, with production lines brought to a halt and knock-on impacts across just-in-time supply chains and regional economies.
I make that point to underline something simple: cyber-risk presents simultaneously as operational, financial and reputational risk, and in combination those effects can be felt economy-wide. If that is the rationale for bringing food into scope early, it inevitably raises questions about other high-value sectors where a single incident can have national economic consequences.
That brings us back to clause 24 and the role of the Secretary of State. The Bill is clearly designed to allow scope for provisions to evolve through secondary legislation as risks change. That flexibility is sensible, but flexibility works only if the criteria for widening scope are clear, predictable and capable of being explained to industry, regulators and Parliament. If decisions appear to be reactive or driven by the most recent or most visible incident, confidence in the regime will suffer rather than strengthen.
That concern is reflected in the written evidence we have received. The Association of British Insurers, for example, supports higher standards of cyber-resilience, but it also emphasises the importance of clear definitions and coherence between regimes, particularly where firms are already subject to overlapping regulatory requirements. Its point is not about resisting regulation, but about avoiding uncertainty and duplication, which do not improve resilience.
My questions are ones of principle rather than position. First, what is the settled test that the Secretary of State will apply when deciding to bring a sector into scope under the clause 24 powers, and how will that judgment be made transparent to Parliament? Secondly, if Parliament were to require rapid expansion of scope, how confident are the Government that regulators would have the capacity to supervise a much larger and more diverse population without diluting oversight elsewhere?
I am not seeking to land a conclusion on new clause 1 today—I understand why it has been tabled and I recognise the seriousness of the issues that it highlights—but if we are going to widen scope, to food or otherwise, the Committee is entitled to press the Government on the discipline and guardrails that will sit behind those decisions. This needs to remain a targeted and credible regime, rather than one that expands without a clear and consistent logic.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.
When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.
We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.
Bradley Thomas
I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.
David Chadwick
The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.
Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.
Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.
Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.
At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed. Its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.
Dr Spencer
Part 3 is a very important part of the Bill. It gives the Secretary of State a range of powers, including ones to bring additional sectors into the scope of regulation, to update the NIS regulations, to publish statements of strategic priorities for regulators and to publish codes of practice that set out cyber-security measures for entities to comply with their regulatory duties.
Clause 24 includes a power enabling the Secretary of State to specify new services that can be brought into the scope of the NIS regulations, and to designate additional regulatory authorities. Those powers are intended to allow the Secretary of State to identify additional critical sectors and respond to emerging threats quickly. That agility introduced by this measure has been broadly welcomed as appropriate, given the fast-evolving nature of malicious cyber-activity.
Given the extent of the Secretary of State’s new powers, however, it is important to put in place guardrails to ensure that the appropriate response to emerging threats is indeed further regulation, rather than market-led or insurance-based mitigations. Can the Minister provide any further information at this stage about the procedure that will be followed in deciding whether to expand the scope of regulation to ensure consistency and transparency?
Hon. Members have tabled several new clauses that would prompt the Secretary of State to use her duties under clause 24. I will speak to new clause 1, tabled by the hon. Member for Warwick and Leamington (Matt Western), and new clause 9, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, together, as they have some thematic overlap. New clause 1 seeks to bring all entities, other than small businesses and microbusinesses, in the food production, distribution and retail supply chain into the scope of regulation as operators of essential services. New clause 9 also touches on the regulation of food supply chains. It would require the Secretary of State to designate retailers of
“food and essential goods (when part of a large-scale distribution chain)”
and manufacturers of “critical transport equipment” as providers of essential services to be brought into the scope of regulation.
Those new clauses reflect concerns about the cyber-attacks targeting the food retailers M&S and Co-op last year. New clause 9 reflects issues raised by the major attack on JLR, which cause such disruption and threatened the stability of regional jobs and supply chains. Those attacks caused significant public concern, but they would all remain out of scope after the Bill comes into effect.
Railways Bill (Thirteenth sitting)
Tuesday 10th February 2026
(4 days, 6 hours ago)
Public Bill CommitteesRead Full debate Railways Bill 2024-26 View all Railways Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 1 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 1 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 1 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 1 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 1 / Noes: 9 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Committee divided: - Ayes: 4 / Noes: 8 - Question accordingly negatived.
The Chair
We are now sitting in public and the proceedings are being broadcast. Before we begin, I remind Members to please switch electronic devices to silent and that tea and coffee are not allowed during sittings. The selection and grouping document shows the way in which amendments and new clauses have been arranged for debate. Any Divisions on amendments and new clauses will take place in the order that they appear on the amendment paper.
Clause 80
Duty to consult Scottish and Welsh Ministers
Jerome Mayhew (Broadland and Fakenham) (Con)
I beg to move amendment 103, in clause 80, page 47, line 13, leave out subsection (1) and insert—
“(1) Great British Railways must inform Scottish Ministers before making a decision within subsection (2), and if, in the view of Scottish Ministers, the decision would significantly affect the interests of Scotland’s economy or of persons living in, working in, or visiting Scotland, Great British Railways must consult Scottish Ministers before making that potential decision.”
This amendment would ensure that Scottish Ministers, rather than GBR, decided whether a GBR decision would significantly affect Scotland’s economy or persons living in, working in, or visiting Scotland.
The Chair
With this it will be convenient to discuss the following:
Amendment 104, in clause 80, page 47, line 21, leave out subsection (3) and insert—
“(3) Great British Railways must inform Welsh Ministers before making a decision within subsection (4), and if, in the view of Welsh Ministers, the decision would significantly affect the interests of Wales’ economy or of persons living in, working in, or visiting Wales, Great British Railways must consult Scottish Ministers before making that potential decision.”
This amendment would ensure that Welsh Ministers, rather than GBR, decided whether a GBR decision would significantly affect Wales’ economy or persons living in, working in, or visiting Wales.
Clause stand part.
Amendment 105, in clause 81, page 47, line 35, leave out subsection (1) and insert—
“(1) Great British Railways must inform a mayoral combined authority prior to making a decision within subsection (2), and if, in the view of the mayoral combined authority, the decision would significantly affect the economy of the authority’s area or of persons living in, working in, or visiting the area, Great British Railways must consult the mayoral combined authority before making that potential decision.”
This amendment would ensure that mayoral combined authorities, rather than GBR, decided whether a GBR decision would significantly affect the authority’s economy or persons living in, working in, or visiting the authority.
Clause 81 stand part.
Amendment 106, in clause 82, page 48, line 25, leave out subsection (1) and insert—
“(1) Great British Railways must inform Transport for London prior to making a decision within subsection (2), and if, in the view of Transport for London, the decision would significantly affect Greater London’s economy or of persons living in, working in, or visiting Greater London, GBR must consult Transport for London before making that potential decision.”
This amendment would ensure that TfL, rather than GBR, decided whether a GBR decision would significantly affect the Greater London’s economy or persons living in, working in, or visiting Greater London.
Government amendments 158 to 160.
Clause 82 stand part.
New clause 25—Local infrastructure change reporting—
“(1) The Secretary of State must, at least once every five years, publish a report assessing long term-changes needed to local rail-related infrastructure.
(2) The Secretary of State must consult local authorities prior to the publication of any report under subsection (1) and ensure that any such report considers proposals made by local authorities.
(3) A copy of a report published under subsection (1) must be laid before Parliament and sent to—
(a) the Transport Committee of the House of Commons,
(b) the Housing, Communities and Local Government Committee of the House of Commons.
(4) Reference in this section to the Transport Committee and Housing, Communities and Local Government Committee of the House of Commons—
(a) if the name of either Committee changes, are references to that Committee by its new name, and
(b) if the functions of either Committee (or substantially corresponding functions) become functions of a different Committee of the House of Commons, are to be treated as references to the Committee by which the functions are exercisable.”
This new clause requires collaborative strategic planning between central government and local authorities.
Jerome Mayhew
That will teach me to go away for a day; the Committee finished off half the Bill without me. Anyway, we will go back to the usual slow progress today!
Clause 80 is pretty straightforward. Great British Railways will have a duty to consult Scottish Ministers before making decisions that relate to cross-border services designated under clause 25, where—this is the important bit—
“the decision will significantly affect…Scotland’s economy or…persons living in, working in or visiting Scotland.”
Similarly, the clause requires GBR to consult Welsh Ministers where its decisions relate to services designated by the Secretary of State that are provided in Wales under a similar process.
Most of the clause is pretty unremarkable, but there is one glaring issue with it: it asserts that GBR will decide for itself when a decision will “significantly affect” the Scottish or Welsh economies. The Minister will recognise that GBR is not an economic forecasting or policymaking body and cannot credibly assess national economic impact internally. The clause therefore makes the duty discretionary and risks major decisions proceeding without any meaningful consultation of either Welsh or Scottish Ministers. How is it sensible for GBR to have the duty to assess whether a proposed action is likely to affect the economies of either Scotland or Wales?
That brings me neatly on to amendments 103 and 104. Amendment 103 would ensure that Scottish Ministers, rather than GBR, decided whether a GBR decision would significantly affect Scotland’s economy or persons living in, working in or visiting Scotland. Surely that is the correct approach. Similarly, amendment 104 would ensure that Welsh Ministers, rather than GBR, took the decision. Effectively, instead of GBR having the responsibility to say, “This affects Scotland and/or Wales, and therefore we should consult,” the amendments would give the power to the Scottish or Welsh Ministers to call in a decision on their assessment of their own economy. Surely that is the better approach. I look forward to hearing the Minister’s rebuttal.
Clause 81, which introduces a duty to consult mayoral combined authorities, is pretty similar to clause 80. In the interest of speed, I will skip straight on to amendment 105, which would ensure that mayoral combined authorities, and not GBR, decided whether a GBR decision would significantly affect the authority’s economy. I am repeating a similar argument, but it is an important one—one of process rather than any political issue. Again, we are talking about a rail body making an assessment of the impact of its activities on an economy that it is not a specialist in.
Clause 82 creates a duty to consult Transport for London. Again, we have the same concerns as we had regarding clauses 80 and 81. Under the franchise system, the Mayor of London, and other mayors for that matter, were able to drag in rail operators to question them about their performance and standards; however, that right of consultation seems to have been removed. Is this a deliberate decision by the Minister to reduce the rights of mayors and mayoral combined authorities in relation to consultation? If it is, I would be grateful if he could explain why he has reduced powers, as opposed to increasing them.
Amendment 106 would ensure that TfL, rather than GBR, decided whether a GBR decision would significantly affect the Greater London economy or persons living in, working in or visiting Greater London. I am sure the Minister will speak to Government amendments 158 to 160 in a moment, but to anticipate his comments, they provide a duty to consult Transport for London to cover designated railway passenger services that operate to, from or within Greater London. The Opposition have no objection to these clarifying amendments.
Finally, I understand that new clause 25, tabled by the hon. Member for Didcot and Wantage, is intended to facilitate collaborative strategic planning between central Government and local authorities, and would require the Secretary of State to publish a report every five years assessing the long-term changes needed to local rail-related infrastructure. We support the principle of the new clause, but I recognise that a five-year reporting requirement is an onerous task to impose if no concrete improvements follow. I look forward to hearing what the hon. Member has to say in support of his new clause.
Olly Glover (Didcot and Wantage) (LD)
It is a pleasure to serve under your chairship once again, Sir Alec. Before I speak to new clause 25, let me make a few comments about the Government and Conservative amendments. I see nothing to object to in the Government amendments, which seem to tidy up some aspects of the Bill surrounding interfaces relating to TfL; I await the Minister’s comments. We support the Conservative amendments, which would strengthen the role of devolved Scottish and Welsh Ministers, mayoral authorities and TfL in relation to GBR’s decisions. That is the right principle because, as I shall argue, for too long decisions about our rail network have been focused on London and the south-east, sometimes to the detriment of regional development.
Our new clause 25 would require the Secretary of State to publish a report at least once every five years on the long-term rail infrastructure changes needed at a local level. It would force the Secretary of State to consult with local authorities and would ensure that those views are properly considered, reported and laid before Parliament. Local authorities understand where infrastructure is holding back growth, connectivity and reliability. Whether it is the need for additional passing loops—were my hon. Friend the Member for West Dorset present I am sure that he would talk about the west of England line—station upgrades or better integration with local bus services, such issues are often well known locally but struggle to be given a proper voice under our current arrangements. The new clause would create a formal mechanism to surface those priorities and ensure that they are not overlooked.
The powers in the Bill are not just for this Government and this Parliament, so it is important that appropriate checks and balances are put in place. The new clause would restore balance by embedding local government and parliamentary scrutiny into long-term rail planning, while making sure that local people’s voices are heard by the Government on the changes that they want to see. By requiring reports to be shared with relevant Select Committees, new clause 25 would strengthen accountability and transparency. It would support joined-up, evidence-based planning and help to ensure that Great British Railways delivers the improvements that reflect local need.
To address the shadow Minister’s point, I understand where he is coming from, but were somebody to be punished by being required to tot up the reports that would have to be laid before Parliament under amendments that he and I have tabled, I think it is possible that he might win. In that context, we do not think that this is overly onerous, but we look forward to hearing the Minister’s comments on how the local authority voice can be strengthened.
The Parliamentary Under-Secretary of State for Transport (Keir Mather)
Good morning, Sir Alec; it is a pleasure to serve under your chairship once again. I thank the hon. Member for Broadland and Fakenham for amendments 103 to 106, which would require GBR to inform the relevant devolved Ministers and bodies before taking a decision that affected them, and the relevant Minister or body to decide whether consultation is necessary, if they deemed the decision to be significant. Each of the amendments does the same thing, for Scottish Ministers, Welsh Ministers, mayoral combined authorities and TfL respectively. They would reverse provisions in the Bill as drafted that require GBR to consult the relevant devolved Minister or body if it considers a decision significant.
The Committee has heard that GBR will be the directing mind of the railways. I fully recognise the need for Scottish and Welsh Ministers, mayoral combined authorities and TfL to be suitably informed and consulted on decisions of GBR that relate to them. GBR is already required by the Bill to have regard to the Scottish Ministers’ rail strategy, statement of objectives, and directions and guidance; to the Welsh Ministers’ transport strategy; to the local transport plans of MCAs; and to the Mayor of London’s transport strategy. Furthermore, in the case of Scotland and Wales, the memorandums of understanding required by the Bill will ensure that any significant decision affecting Scotland or Wales is not made without the proper engagement of the relevant Government and transport body. In the case of mayoral combined authorities and TfL, there is a clear intention for GBR to work closely in partnership with mayoral authorities including TfL. An industry-developed practitioner guide on how GBR could work in partnership locally was published on 13 January, and GBR will be a proactive partner with all those bodies.
Clauses 80 to 82 already require consultation on significant decisions. Rather than improving the Bill, amendments 103 to 106 would fundamentally hamstring GBR’s decision-making powers by creating unnecessary additional requirements. Decision making would become inefficient and less responsive to passengers and freight. Consultation will ensure that Scottish and Welsh Ministers can share their views, perspectives and expertise on the economic impact of GBR’s decision making.
Jerome Mayhew
The Minister asserts that the amendments would make the process inefficient. Will he please explain why giving mayoral combined authorities or the Scottish or Welsh Ministers the power to call in consultation would make the process less efficient?
Keir Mather
Enabling mayoral combined authorities to be consulted on GBR’s proposals creates a basis on which MCAs and GBR can engage with each other to explore challenges as could relate to economic impact. The issue with calling in consultation in every instance is that it might not always be appropriate to do so. Where a more iterative process is possible, and Scottish Government and Welsh Government colleagues, for example, are best able to feed in and solve problems through consultation, it is not necessary to layer more formal processes on top.
It is worth restating for the benefit of the Committee that the Welsh and Scottish Governments are pleased with the basis on which the devolved arrangements have proceeded in the creation of the Bill. Clauses 80 to 82 as drafted will ensure that GBR engages on issues of importance, and that it consults Scottish and Welsh Ministers, rather than drowning in irrelevant detail. I urge the hon. Member for Broadland and Fakenham to withdraw amendment 103 and not to move amendments 104 to 106.
I thank the hon. Member for Didcot and Wantage for tabling new clause 25, which would require the Secretary of State to publish a report
“at least once every five years…assessing long term-changes needed to local rail-related infrastructure.”
Across this Parliament, the Government are making a record £120 billion capital investment in long-awaited infrastructure projects—including road, rail and green energy projects—that will generate the jobs of the future and drive growth. The Government also hugely support collaboration to encourage a more locally focused railway. Insights from local communities, who know their areas best, will play a significant part in achieving that.
The Bill requires GBR to consult with mayoral strategic authorities and to have regard to their local transport plans. GBR will agree partnerships with mayoral strategic authorities to enable effective collaboration and local influence. That will mark a change in approach in how the railway engages locally, providing single-point accountability and enabling GBR to better meet the needs of areas and wider communities. Furthermore, all tiers of local government will benefit from empowered local GBR business units that are outward-facing and engage local authorities on their priorities and local transport plans. Such engagement and partnerships will ensure that there is sufficient opportunity for local authorities and mayoral strategic authorities to be collaborative with GBR on their priorities and to consider proposals.
Government amendments 158 to 160, which are a continuation of the technical amendments that we debated when considering the group led by amendment 165 to clause 6, will support more effective co-operation on local railway matters. They clarify the definition of a London passenger railway service to provide consistency in geographical scope with other duties and powers in the Greater London Authority Act 1999. They expand the scope of the duty on GBR to consult with TfL so that it applies to passenger services to, from and within Greater London, and not just those within it.
In summary, clauses 80 to 82 introduce statutory duties on GBR to consult Scottish and Welsh Ministers, MCAs and TfL before it makes a decision about services or infrastructure that would significantly affect the interests of their areas. The rationale for the clauses is compelling. They provide assurance to the relevant people and organisations that they will be properly engaged when GBR makes decisions that significantly impact their areas. By embedding such a broad duty in legislation for the first time, we ensure that engagement is not optional but a requirement. That will lead to better decision making, stronger relationships and outcomes that take account of the needs of communities across Great Britain.
Jerome Mayhew
The Minister has heard my submissions. In the interest of time, I will not press my amendments to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 80 ordered to stand part of the Bill.
Clause 81 ordered to stand part of the Bill.
Clause 82
Duty to consult Transport for London
Amendments made: 158, in clause 82, page 48, line 30, after “a” insert “London”.
This amendment and amendments 159 and 160 provide for the duty to consult Transport for London to cover designated railway passenger services that operate to, from or within Greater London.
Amendment 159, in clause 82, page 48, line 30, after “service” insert—
“(within the meaning of section 175 of the Greater London Authority Act 1999)”.
See the explanatory statement for amendment 158.
Amendment 160, in clause 82, page 48, line 30, leave out
“which is provided in Greater London”.—(Keir Mather.)
See the explanatory statement for amendment 158.
Clause 82, as amended, ordered to stand part of the Bill.
Clause 83
Advice from relevant local government bodies
Keir Mather
I beg to move amendment 161, in clause 83, page 49, leave out line 11 and insert—
“(a) railways in the body’s area, or
(b) railway services—
(i) between places in the body’s area, or
(ii) between places in the body’s area and places outside that area.”
This amendment provides for advice to be given by local government bodies to GBR about railway services that operate to, from or within their areas.
The Chair
With this it will be convenient to discuss the following:
Clause stand part.
Government amendments 184, 162 and 163.
Clause 84 stand part.
Keir Mather
The Government are committed to a more locally focused railway under GBR, and provisions in the Bill, and ongoing engagement with local government partners, demonstrate the strength of that commitment. The amendments are primarily technical in nature, but will support more effective co-operation on local railway matters. I will briefly summarise their purpose and effect.
Amendment 161 widens the scope of services about which relevant local government bodies may be required to provide advice to GBR under clause 83. This is achieved by including reference to services between places in the body’s area and those outside it, rather than only services operating exclusively within the body’s area. Amendment 162 has the same effect in relation to Greater London. All the amendments are consistent with the original policy intent of the Bill and simply clarify the drafting. Amendments 163 and 184 include important and relevant definitions from other primary legislation, namely the Railways Act 1993 and this Bill.
Clause 83 introduces statutory requirements on mayoral combined authorities, mayoral combined county authorities and passenger transport executives to provide advice to the Secretary of State and GBR where they reasonably require it on matters connected with the exercise of their respective railway functions. This duty ensures that GBR and the Secretary of State can have access to advice from local authorities, which have detailed knowledge of their areas, including in relation to local transport. Ultimately, that will support GBR and the Secretary of State in obtaining relevant local insights.
Clause 84 replicates that approach for Transport for London by amending the Greater London Authority Act 1999 to insert a new section 176A after section 176. The new section introduces a statutory requirement on Transport for London to provide advice to the Secretary of State and GBR where they reasonably require it on matters connected with the exercise of their respective railway functions. This change ensures that GBR and the Secretary of State will have access to Transport for London’s expertise and its detailed knowledge of transport in the Greater London area.
Jerome Mayhew
These are two unremarkable clauses. We have no objections to either of them. As for the Government amendments, they are technical in nature and we also support them.
Keir Mather
While I reject the charge that the amendments are unremarkable, I thank the shadow Minister for his support.
Amendment 161 agreed to.
Clause 83, as amended, ordered to stand part of the Bill.
Clause 84
Advice from Transport for London
Amendments made: 184, in clause 84, page 49, line 30, after “function” insert
“(within the meaning of the Railways Act 2026)”.
This amendment defines GBR’s statutory functions in the new section 176A(3) of the Greater London Authority Act 1999.
Amendment 162, in clause 84, page 49, line 31, leave out
“railways or railway services in”
and insert—
“(a) railways in Greater London, or
(b) railway services—
(i) between places in Greater London, or
(ii) between places in Greater London and places outside”
This amendment and amendment 163 provide for advice to be given by Transport for London to GBR about railway services that operate to, from or within Greater London.
Amendment 163, in clause 84, page 49, line 31, at end insert—
“(4) Expressions used in this section and in Part 1 of the Railways Act 1993 have the same meaning in this section as in that Part.”—(Keir Mather.)
See the explanatory statement for amendment 162.
Clause 84, as amended, ordered to stand part of the Bill.
Clause 85
Licensing etc of train drivers
Jerome Mayhew
I beg to move amendment 107, in clause 85, page 50, leave out line 3.
This amendment would prevent the Secretary of State from changing the body that gives licences certificates so that it remains the ORR.
Jerome Mayhew
Clause 85 relates to the licensing of train drivers, and other matters relating to them. It gives the Secretary of State the power to amend the Train Driving Licences and Certificates Regulations 2010 and related assimilated law through regulations. The Secretary of State, by interest, has also been empowered to appoint a person or a body to publish and maintain technical standards in a document separate from the regulations.
The regulations set out the requirements that ensure train drivers are competent, medically and psychologically fit, trained on the infrastructure, rolling stock and routes that they are to be deployed on, and generally able to drive trains safely. The power to amend that legislation is required to ensure that the train driver licensing regime can be updated to reflect technological, clinical and medical advancements. The ability to update the legislation on an enduring basis will help to modernise the framework and support health and safety outcomes for train drivers, as well as avoiding operational impacts such as train drivers being unable to be deployed on account of not passing outdated medical tests. The ability to designate a person or body, for example the Office of Rail and Road or GBR, to publish and maintain technical standards will allow the train driving regime to remain adaptable and effective. We are therefore support that.
Subsection (2)(b) does not confirm the ongoing role of the ORR to issue licences or certificates. That is much bigger. Through its omission, it opens the door to the removal of the ORR’s role on this important issue. Unions would clearly fall under the definition in subsection (6)(a), but the drafting effectively ringfences them as the primary consultees while shutting out operators, GBR, passenger groups and safety bodies from the mandatory list. There is a non-mandatory ability to consult, but it seems very odd to identify unions but not any of these other very important organisations as part of a mandatory consultation list. That creates an odd imbalance for regulations that directly affect service delivery and safety, giving one group a guaranteed seat at the table while everyone else is included only at the Secretary of State’s discretion.
Amendment 107 would prevent the Secretary of State from changing the body that gives licences and certificates, so that it remains the Office of Rail and Road, once again restoring power to the independent regulator with experience and expertise in this space. That is a small but important point. It may have been an oversight on the part of the drafters that the ORR is not mentioned. If the intention is to remove that responsibility from the ORR, and that is the Government’s ambition as a result of the clause, perhaps the Minister could make that clear? If not, amendment 107 makes it clear that the ORR is the anticipated body.
Amendment 108 is not part of this group but would affect the clause, and would require the Secretary of State to consult passenger and freight service operators, groups representing passengers and railway rail safety organisations before making regulations about the licensing or certification of train drivers. That would mean that not just Labour’s union colleagues would be consulted. I mention the amendment in passing because it is relevant to the discussion of this clause, and I see the Minister nodding sagely.
I intend to seek a Division on amendment 107 if the Government are not minded to accept it.
Keir Mather
I will begin by attempting to assuage some of the shadow Minister’s concerns in this space as it relates to the ORR and licensing. There are no plans to transfer the train driving licensing and certification functions from the ORR, railway undertakings and infrastructure managers to other bodies. However, while there are no plans to transfer functions at this stage, it is possible that changes may be needed or sought by future Governments to reflect wider changes to the structure, responsibilities and roles in the rail industry—as has happened before. For that reason, these powers are vital to ensure the regime for train driving can function as intended and with the appropriate bodies responsible for issuing licences and certificates.
I thank the shadow Minister for his amendment, and understand the importance of what he is driving at when it comes to the all-important issue of safety. His amendment would ensure that only the ORR may issue train driving licences. It would remove the ability to update the arrangements for issuing train driving licences and certificates in the future, for example, to reflect a change in the name of the issuing authority or a transfer of functions from one body to another. It is important that the licensing and certification regime can be adapted and changed if needed, including who issues that documentation, because it may be needed to reflect future changes to industry structures, roles and responsibilities.
The Government’s position is supported by the ORR, which is the current licensing authority. Removing the power to change the arrangements for issuing licences and certificates could undermine our ability to ensure driver licensing and certification arrangements stay fit for purpose as the industry, technology and ways of working evolve. If such proposals were brought forward, the clause as drafted would ensure that any changes are subject to a full public consultation followed by parliamentary scrutiny under the draft affirmative procedure before becoming law. That process affords multiple opportunities for stakeholders’ views to be considered. I therefore urge the shadow Minister to withdraw the amendment.
Clause 85 allows the Secretary of State to amend the Train Driving Licences and Certificates Regulations 2010 by means of secondary legislation. Those regulations establish the requirements for train drivers in Great Britain, which presently cannot be updated regularly without primary legislation, which is a lengthy and inefficient process. The powers in the clause are critical if the Government are to ensure that the framework for train driving remains robust, responsive and fit for purpose in the years ahead.
The Committee may be aware that legislation is due to be laid today to lower the minimum age for train drivers. However, that is being done using time-limited powers in the Retained EU Law (Revocation and Reform) Act 2023, which will expire in June 2026. Without this clause, such changes to the law, which will help us to address the shortage in train drivers, will not be possible. The power will allow the regime to evolve in line with best practice, incorporating advances in technology, innovation, operations and safety knowledge, for instance by regularly revising eyesight and hearing requirements to reflect advances in corrective technologies, improved testing methods and emerging medical conditions. Without those powers, the industry will be less effective at integrating new technologies, scientific methods or innovations into the train driving regime as they emerge. I therefore commend clause 85 to the Committee.
Jerome Mayhew
As I mentioned, we support the intention behind these clauses, but I stand firm in defending the need for the ORR to be the issuing body, so I will press my amendment to a Division.
Question put, That the amendment be made.
Keir Mather
Amendments 201 and 202 in my name will allow the Government to extend clause 86, on the Cape Town convention and the Luxembourg protocol to the convention as they relate to railway rolling stock, and part 4 of the Bill to the Isle of Man. We have consulted the Isle of Man and the other Crown dependencies on whether they would like us to extend this section of the Bill to them. The Isle of Man alone asked that we extend the protocol and these provisions to it. Given that the Government traditionally agree to such requests, we have tabled these amendments.
Extending this section of the Bill will grant the Isle of Man power to make regulations under clause 86. Alternatively, regulations made by the UK Government can be extended to apply to it with appropriate modifications. That would eliminate the need for the Isle of Man to legislate for itself, but it would still have the benefit of having the convention and protocol applying to it. I therefore urge the Committee to support the Government amendments.
Clause 86 will allow the United Kingdom to implement and ratify the Cape Town convention and the Luxembourg rail protocol, as they relate to railway rolling stock, via secondary legislation. The convention and the protocol aim to provide more security for creditors financing rolling stock by reducing the risk to those involved in such transactions and providing greater security over their interests.
The agreements establish an international legal framework for the creation and registration of international interests in rolling stock and make provision for legal remedies in the event of default or insolvency. Implementing the agreements will therefore make the UK a more attractive place for investors to hold financial interests in rolling stock with UK-based lenders, who will also be able to benefit from the protection of the protocol when they invest in overseas markets.
The UK signed the Luxembourg protocol in 2016. That power allows the UK to meet its international obligations, especially now that the protocol has come into force as a number of states have ratified it. These agreements are supported by the industry and I therefore commend the clause to the Committee.
Jerome Mayhew
As we have just heard, the Luxembourg protocol is designed to provide access to cheaper rolling stock in the UK and overseas, as finance can be secured and/or rolling stock leased from non-UK sources, and UK rolling stock companies can lease abroad at lower risk.
I learned an interesting fact over the weekend. I thought that this proposal would affect only ROSCOs operating in this country, but it actually affects the Government too. I learned that the Government own the freehold of one train in the UK, which is on the Canvey Island miniature railway in the constituency of my hon. Friend the Member for Castle Point (Rebecca Harris), who was very keen to point out to me that the Government have skin in the game on this clause. I have read that into the record, so I hope she is pleased with that.
We have no objections to the clause. As for Government amendments 201 and 202, which deal with the Isle of Man, I was slightly surprised by them. I am sorry to say that I have never visited the Isle of Man, so I had to do some research on its rail infrastructure, and it turns out that it is entirely heritage in nature, with Victorian rolling stock including a horse-drawn tramway. I would therefore be grateful if the Minister could explain why Victorian rolling stock and horse-drawn tramways need the benefit of the Cape Town convention and the Luxembourg protocol. I am sure that he has that at his fingertips.
Keir Mather
Later in the Bill, we will turn to different forms of traction, but I doubt whether we will cover the horse-drawn variety, so I am glad that the shadow Minister found the opportunity to weave that into our debate. We support the aspiration for every single part of the United Kingdom and Crown dependencies to realise the full benefits of a reformed railway, with regulation that is fit for the future and that allows them to realise their aspirations, however they see fit, to make rail more accessible and more efficient for passengers. That extends to the Isle of Man, so we were pleased to table amendment 201, which will extend those powers to it. I hope that the Isle of Man can benefit in its own way.
Question put and agreed to.
Clause 86 accordingly ordered to stand part of the Bill.
New Clause 23
Charging for removal etc of road vehicles
“(1) Costs incurred by the operator of a network or station in relation to removing or storing a road vehicle that has been parked or left—
(a) on land or other property comprised in the network or station, and
(b) in contravention of bye-laws having effect in relation to the land,
are recoverable by the operator from the person in charge of the road vehicle, where removal or storage is carried out in accordance with bye-laws having effect in relation to the land.
(2) In this section ‘road vehicle’ means a motor vehicle, bicycle or other conveyance.”—(Keir Mather.)
This new clause provides that, where road vehicles are causing an obstruction on railway land, charges may be imposed for the removal etc of those vehicles.
Brought up, and read the First time.
Keir Mather
I beg to move, That the clause be read a Second time.
The clause will ensure that network or station operators can recover the costs of removing a road vehicle that is causing disruption or presenting a safety risk on the railway. It applies in situations where a car or bicycle must be removed from an access road, level crossing or any other location that is critical to the safe operation of the railway or the movement of passengers around the network. Any recovery of costs must reflect the actual expenses incurred by the railway operator in resolving the obstruction.
Passengers should be able to use the railway without disruption caused by obstruction on railway land. Network or station operators must be able to ensure that such obstructions are removed promptly, and the cost of doing so should rightly fall on the person in charge of the road vehicle involved. I urge the Committee to support the new clause.
Jerome Mayhew
We have no objection in principle to the new clause, but, as we have learned to our cost as consumers in the similar approach taken to car parking charges and the removal of vehicles badly parked elsewhere, this will all come down to the operators contracted by GBR to undertake that function. It is merely asserted that the costs are related to those incurred in the removal, but we all know that such costs can be inflated by unscrupulous operators. Although we do not object to the new clause in principle, I would be grateful for the Minister’s assurance that reputable companies will be used and that this measure will not be used as a secondary source of income for GBR or its contractors.
Keir Mather
The shadow Minister is right to champion the interests of users of the railway and to ensure that the people who enforce such charges are scrupulous. Network and station operators, including GBR, will be required to use their judgment to determine whether the person responsible for a vehicle should bear the cost of removing the obstruction from railway land in the first place. I am happy to commit that we will engage closely to ensure that is done in a proportionate way that protects the interests of passengers and users of railway services.
By including this provision in the Bill, Parliament will have the opportunity to scrutinise and comment on the proposals. As part of that process, the shadow Minister is welcome to hold my feet to the fire to make sure that the interests of consumers are protected.
Question put and agreed to.
New clause 23 accordingly read a Second time, and added to the Bill.
New Clause 61
Transfer schemes made by Secretary of State
“(1) The Secretary of State may, for any purpose connected with railways or the provision of railway services, make one or more schemes for the transfer of property, rights and liabilities—
(a) from the Secretary of State, a government department or a company wholly owned by the Crown, to—
(i) Great British Railways,
(ii) a company wholly owned by Great British Railways,
(iii) a proposed GBR,
(iv) a company wholly owned by a proposed GBR, or
(v) a company jointly owned by two or more of the Secretary of State, the Scottish Ministers, the Welsh Ministers, Great British Railways and a proposed GBR;
(b) from Great British Railways, or a company wholly owned by Great British Railways, to—
(i) the Secretary of State,
(ii) a company wholly owned by the Crown,
(iii) a proposed GBR,
(iv) a company wholly owned by a proposed GBR, or
(v) a company jointly owned by two or more of the Secretary of State, the Scottish Ministers, the Welsh Ministers, Great British Railways and a proposed GBR;
(c) from a former GBR, or a company wholly owned by a former GBR, to—
(i) the Secretary of State,
(ii) a company wholly owned by the Crown,
(iii) Great British Railways,
(iv) a company wholly owned by Great British Railways,
(v) a company jointly owned by two or more of the Secretary of State, the Scottish Ministers, the Welsh Ministers and Great British Railways;
(d) from a company jointly owned by two or more of the Secretary of State, the Scottish Ministers, the Welsh Ministers, Great British Railways and a proposed GBR to—
(i) another such company,
(ii) Great British Railways,
(iii) a company wholly owned by Great British Railways,
(iv) a proposed GBR, or
(v) a company wholly owned by a proposed GBR;
(e) from the Secretary of State or a government department to a company wholly owned by the Crown, or vice versa.
(2) The Secretary of State must obtain the consent—
(a) of the Scottish Ministers before making a scheme that contains provision for the transfer of property, rights and liabilities to or from a company jointly owned by the Scottish Ministers and one or more other persons, and
(b) of the Welsh Ministers before making a scheme that contains provision for the transfer of property, rights and liabilities to or from a company jointly owned by the Welsh Ministers and one or more other persons.”—(Keir Mather.)
This new clause allows the Secretary of State to make schemes transferring property, rights and liabilities in connection with the designation of a body corporate as Great British Railways.
Brought up, and read the First time.
The Chair
With this it will be convenient to discuss the following:
Government new clause 62—Transfer schemes made by Scottish Ministers.
Government new clause 63—Transfer schemes made by Welsh Ministers.
Government new clause 64—Further provision about transfer schemes.
Government new clause 65—Transfer of staff to the Passengers’ Council.
Government new schedule 1—Transfer scheme.
Government amendment 263.
Keir Mather
All the provisions in this group relate to transfer schemes. New clause 61 sets out the Secretary of State’s powers to make one or more transfer schemes to transfer property, rights and liabilities, including contracted employment between public entities. The new clause is important, as it will enable transfers to and from GBR. Transfer schemes are regularly used for highly complex transfers and can avoid undue delay and costs in getting the right assets into the right place at the right time.
Transfer schemes will provide a framework for the consistent treatment of workers, in line with Cabinet Office Statement of Practice on Staff Transfers in the Public Sector and Transfer of Undertakings (Protection of Employment) principles. GBR will bring together activities from more than 17 existing organisations, including Network Rail, the Rail Delivery Group, DfT Operator and 14 separate train operating companies, into a single organisation. It is therefore important that transfers be managed in the simplest, clearest and most efficient way possible to protect the staff involved and the taxpayers’ investment.
New schedule 1 provides further detail on transfer schemes. The schedule is important, as it sets out the scope of what may be included in a transfer scheme. This follows standard drafting practice and will prevent individual or piecemeal issues from slowing down the delivery of an integrated railway that better serves the public as a whole.
New clauses 62 and 63 will enable Scottish and Welsh Ministers to make one or more schemes for the transfers involved to enable GBR to run devolved services on their behalf. The provisions require the consent of the Secretary of State to protect their interests and the transfer of liabilities or assets in or out of GBR that they wholly own. The provisions also provide for Scottish and Welsh Ministers to make transfers between companies that they themselves wholly own. That will enable a smooth transition between delivery models for devolved services by devolved Governments. Such transfers would not require the consent of the Secretary of State, as they only involve companies owned by the Scottish or Welsh Ministers.
We have worked in partnership with the devolved Governments to ensure that they can share in the benefits of an integrated railway and, if they so choose, use GBR for the delivery of devolved railway services. These transfer scheme provisions reflect the approach that we have agreed with Scottish and Welsh Ministers.
New clause 65 will allow for the transfer of employment contracts from the ORR to the new passenger watchdog. The watchdog will take over most current ORR consumer roles, including the setting and oversight of standards. The new clause is important as it allows for the transfer of contracts of employment, provides protection for impacted ORR staff in line with TUPE principles, and will allow the watchdog to have the expertise that it needs to get up and running as soon as possible.
Finally, new clause 64 and amendment 263 make further provision for transfer schemes. New clause 64 introduces new schedule 1 and will allow transfers into GBR to begin before GBR is fully designated to allow for sensible operational preparation ahead of establishment. Amendment 263 is required to ensure consistency of terminology with other railways legislation and to ensure that the definitions of “wholly owned” and other similar wording are accurate and make sense in the context of previous Acts.
Taken together, the provisions are essential to ensure that GBR can be established quickly so that we can bring the benefits that we have promised to the public. They will allow the Government to minimise the cost of the transfer to the taxpayer and ensure that staff are protected. I commend them to the Committee.
Jerome Mayhew
I have nothing to add.
Question put and agreed to.
New clause 61 accordingly read a Second time, and added to the Bill.
New Clause 62
Transfer schemes made by Scottish Ministers
“(1) The Scottish Ministers may, for any purpose connected with railways or the provision of railway services, make one or more schemes for the transfer of property, rights and liabilities—
(a) from the Scottish Ministers, or a company wholly owned by the Scottish Ministers, to—
(i) Great British Railways,
(ii) a company wholly owned by Great British Railways,
(iii) a proposed GBR,
(iv) a company wholly owned by a proposed GBR, or
(v) a company jointly owned by two or more of the Scottish Ministers, the Secretary of State, Great British Railways and a proposed GBR;
(b) from Great British Railways, a company wholly owned by Great British Railways or a company jointly owned by the Scottish Ministers and Great British Railways to—
(i) the Scottish Ministers,
(ii) a company wholly owned by the Scottish Ministers,
(iii) a proposed GBR,
(iv) a company wholly owned by a proposed GBR, or
(v) a company jointly owned by the Scottish Ministers and a proposed GBR;
(c) from a former GBR, a company wholly owned by a former GBR or a company jointly owned by the Scottish Ministers and a former GBR, to—
(i) the Scottish Ministers,
(ii) a company wholly owned by the Scottish Ministers,
(iii) Great British Railways,
(iv) a company wholly owned by Great British Railways, or
(v) a company jointly owned by the Scottish Ministers and Great British Railways;
(d) from a company wholly owned by the Scottish Ministers to another company wholly owned by them;
(e) from the Scottish Ministers to a company wholly owned by them, or vice versa.
(2) The Scottish Ministers must obtain the Secretary of State’s consent before making a scheme under subsection (1)(a), (b) or (c).”—(Keir Mather.)
This new clause allows the Scottish Ministers to make schemes transferring property, rights and liabilities in connection with the designation of a body corporate as Great British Railways.
Brought up, read the First and Second time, and added to the Bill.
New Clause 63
Transfer schemes made by Welsh Ministers
“(1) The Welsh Ministers may, for any purpose connected with railways or the provision of railway services, make one or more schemes for the transfer of property, rights and liabilities—
(a) from the Welsh Ministers, or a company wholly owned by the Welsh Ministers, to—
(i) Great British Railways,
(ii) a company wholly owned by Great British Railways,
(iii) a proposed GBR,
(iv) a company wholly owned by a proposed GBR, or
(v) a company jointly owned by two or more of the Welsh Ministers, the Secretary of State, Great British Railways and a proposed GBR;
(b) from Great British Railways, a company wholly owned by Great British Railways or a company jointly owned by the Welsh Ministers and Great British Railways to—
(i) the Welsh Ministers,
(ii) a company wholly owned by the Welsh Ministers,
(iii) a proposed GBR,
(iv) a company wholly owned by a proposed GBR, or
(v) a company jointly owned by the Welsh Ministers and a proposed GBR;
(c) from a former GBR, or a company wholly owned by a former GBR, to—
(i) the Welsh Ministers,
(ii) a company wholly owned by the Welsh Ministers,
(iii) Great British Railways,
(iv) a company wholly owned by Great British Railways, or
(v) a company jointly owned by the Welsh Ministers and Great British Railways;
(d) from a company wholly owned by the Welsh Ministers to another company wholly owned by them;
(e) from the Welsh Ministers to a company wholly owned by the Welsh Ministers, or vice versa.
(2) The Welsh Ministers must obtain the Secretary of State’s consent before making a scheme under subsection (1)(a), (b) or (c).”—(Keir Mather.)
This new clause allows the Welsh Ministers to make schemes transferring property, rights and liabilities in connection with the designation of a body corporate as Great British Railways.
Brought up, read the First and Second time, and added to the Bill.
New Clause 64
Further provision about transfer schemes
“(1) Schedule (Transfer schemes) contains further provision about transfer schemes under sections (Transfer schemes made by Secretary of State), (Transfer schemes made by Scottish Ministers) and (Transfer schemes made by Welsh Ministers).
(2) In sections (Transfer schemes made by Secretary of State), (Transfer schemes made by Scottish Ministers) and (Transfer schemes made by Welsh Ministers) and Schedule (Transfer schemes)—
(a) ‘a former GBR’ means a body corporate formerly designated as Great British Railways under section 1;
(b) ‘a proposed GBR’ means a body corporate that the Secretary of State proposes to designate as Great British Railways under that section.”—(Keir Mather.)
This new clause makes supplementary provision about transfer schemes under new clauses NC61, NC62 and NC63.
Brought up, read the First and Second time, and added to the Bill.
New Clause 65
Transfer of staff to the Passengers’ Council
“(1) The Secretary of State may make one or more schemes under which persons who hold employment in the civil service of the State become employees of the Passengers’ Council (but this is subject to any provision contained in the scheme that allows a person to object to becoming an employee of the Council).
(2) A scheme made under this section—
(a) may make provision for giving full effect to a person’s transfer into the employment of the Passengers’ Council as a result of the scheme, and
(b) may (in particular) include provision that is the same as, or similar to, the provision made by the Transfer of Undertakings (Protection of Employment) Regulations 2006 (S.I. 2006/246).”—(Keir Mather.)
This new clause makes provision about transfers of staff from the civil service to the Passengers’ Council.
Brought up, read the First and Second time, and added to the Bill.
New Clause 1
Purpose of Great British Railways
“(1) The purpose of Great British Railways is defined by the following objectives—
(a) prioritising the needs of Great British Railways passengers in decision-making,
(b) delivering reliable, safe and accessible railway passenger services,
(c) providing value for money for passengers and taxpayers, including consideration of the affordability of fare prices,
(d) increasing passenger numbers and growing usage of the network year-on-year,
(e) expanding and improving the network, including services, connectivity, and restoring or adding routes,
(f) modernising working practices and innovating to improve productivity, efficiency, and passenger experience,
(g) supporting economic growth, national productivity and improving connections between towns, cities and employment centres,
(h) improving the experience of disabled and vulnerable passengers and ensuring consistent access to assistance,
(i) ensuring fair and transparent treatment of open access, freight and devolved operators when allocating access and charges,
(j) growing rail freight, including supporting delivery of the national freight growth target,
(k) strengthening the financial sustainability of the railways, reducing reliance on operating subsidy over time,
(l) integrating track and train, simplifying structures, and avoiding duplication, and
(m) supporting multimodal integration with buses, trams and local transport networks.
(2) The Secretary of State and Great British Railways must have regard to the purpose set out in subsection (1) in exercising their functions under this Act.”—(Jerome Mayhew.)
This new clause defines Great British Railways’ purpose.
Brought up, and read the First time.
Question put, That the clause be read a Second time.
The Chair
With this it will be convenient to discuss the following:
New clause 48—Train guard patrols: requirements—
“(1) This section applies to passenger train services which operate with the supervision of a train manager or guard.
(2) The train manager or guard has a duty to patrol any train on which they are working at such intervals as are, in the opinion of the train manager or guard, reasonable for the purposes of supporting—
(a) passenger safety;
(b) the accessibility needs of any individual passenger;
(c) detection of incidents including—
(i) possible criminal behaviour;
(ii) possible anti-social behaviour;
(iii) obstruction of doors, or other obstruction to the safe and routine operation of the train,
provided that doing so is practicable for the guard or train manager in question.”
This new clause would require guards or train managers to routinely patrol trains provided it is practicable for them to do so.
New clause 57—Anti-social noise—
“(1) Within six months of the passing of this Act, the Secretary of State must by regulations make provision to—
(a) prohibit any individual on passenger rail services from purposefully playing content with audio from personal electronic devices without the use of headphones in such a way that causes a disturbance to other passengers.
(b) The regulations must ensure that any person that contravenes the prohibition set out under subsection 1(a) is liable to a fine not exceeding level 3 on the standard scale set out in Section 122 of the Sentencing Act 2020.
(2) Regulations under this section are subject to the affirmative resolution procedure.”
This new clause would require the Secretary of State to introduce statutory regulations on the use of electronic audio devices on rail services.
Olly Glover
Before I go into the detail of new clause 10, let me say why we think it is important. Passenger safety on our railway is important not only in absolute terms—it is absolutely right that people who are paying to take the train be safe, have their safety taken seriously and feel safe—but because, as always, public transport is competing with the private motor car, which is often associated, rightly or wrongly, with safety. Many people feel that it is a safer option, particularly late at night.
Our new clause would therefore require the Secretary of State to undertake, within six months of the Act’s passing, a comprehensive review of passenger safety, with a particular focus on the safety of female passengers and passengers with disabilities. It would need to look at staffing levels at stations and on trains, particularly for services that run late at night or that could give rise to a higher risk to passenger safety, such as services around special events. Lighting is a key consideration, as are opening hours and accessibility of health points. CCTV coverage is already significant across our railway, but the processes in place to access it and obtain evidence promptly are not always there.
We want to look at the merits of ideas such as real-time reporting applications for incidents in which a passenger is harassed. There are such initiatives at the moment—I really ought to know the number by now, given the endless announcements: 61016, perhaps—but there is more that can be done. I have just made the point covered in our proposed subsection (3)(f): that public awareness of the methods to report concerns should be promoted. Perhaps they are working better than I thought.
There is a lot to be done on making sure that travel connections from the train for onward journeys are strong, particularly bus waiting points and points to pick up taxis. Staffing is also a key consideration that requires some thought. If the review were to recommend any action to improve safety, it would be down to GBR to make efforts to implement those actions. I look forward to the Minister’s comments.
New clause 48, in the name of my hon. Friend the Member for Wimbledon (Mr Kohler), would mandate some provisions on train guards. It has been tabled because, alas, the current general customer experience of the visibility of guards, conductors, train managers or whatever we want to call them, where they are present, is patchy at best—that is the most polite way I can put it. New clause 48 is a modest, practical proposal that puts passenger safety and accessibility at the heart of our railways.
Guards, train managers, conductors, senior conductors and all the other job titles—including on-board supervisors on Southern; I must not forget those—are uniquely placed to provide reassurance to passengers and to identify problems at an early stage, whether that is vulnerable passengers needing assistance, antisocial behaviour escalating or obstructions that compromise the safe operation of the train.
By placing a clear duty to patrol where practicable, at reasonable intervals, this new clause would support staff in doing what many already strive to do, while giving passengers reassurance that someone is present, visible and responsive. That visible presence offers peace of mind, particularly for those who may feel anxious or unsafe while travelling, and helps to build confidence in the rail network as a public space. The benefit is a safer, more inclusive travelling environment, with early intervention preventing minor issues from becoming serious incidents and providing a safer, more welcoming environment.
New clause 57 would deal with antisocial noise. This is a very grave matter. Passengers are frequently plagued by the imposition of people’s often dubious taste in music or TikTok videos, which may sometimes include the soothing sound of cats miaowing but quite often takes the form of a great deal of other raucous things. It may seem disproportionate to suggest legislation to counter the problem, but sometimes our own human weaknesses let us down. That is why new clause 57 would require regulations to be made to
“prohibit any individual on passenger rail services from purposefully playing content with audio from personal electronic devices without the use of headphones in such a way that causes a disturbance to other passengers.”
I look forward to the Minister’s comments.
Keir Mather
New clause 10 would place a duty on the Secretary of State for Transport to undertake a review of passenger safety within six months of the Act passing and to make all reasonable efforts to implement any actions identified. I appreciate the sentiment behind the new clause—passenger safety is of the utmost importance as we transition the railway into public ownership—but I do not think the new clause necessary, as the Government are taking action even before the Bill is passed.
As the hon. Member for Didcot and Wantage will be aware, we already have a range of security measures and guidance in place across the railway and the wider transport network, addressing the issues raised. Those will be maintained under public ownership and are kept under continuous review to ensure that they meet the challenges of the day.
I highlight the recently reviewed and updated long-running public security campaign, “See it. Say it. Sorted”, which increases public awareness and makes clear how to report suspicious activity to the British Transport police via the 61016 text reporting service; I am not sure I need to remind Members of that, as it will probably be seared into every one of our minds from travelling on the railway. I am confident that in giving GBR strategic responsibility for rail workforce planning, we will create more resilient staffing and provide greater visibility and assurance to passengers, both on trains and at stations.
As part of the Government’s safer streets mission, we have already committed to reduce violence against women and girls by half over the next decade. That will be tracked by Government through the violence against women and girls strategy, recently published by the Home Office, which includes ambitious measures to enhance the safety of women and girls on the rail network. That includes improving live access to CCTV images by the British Transport Police, and establishing consistent personal safety criteria across the rail network.
We are also already working to improve Passenger Assist and to support staff with better tools and more consistent training across the network. The ORR also monitors and reports on Passenger Assist and releases statistics quarterly. Finally, the ORR already has general safety duties that include carrying out inspections to ensure that the train and freight operating companies and Network Rail manage passenger and occupational health and safety risks appropriately. Those remain unchanged by the Bill. Given that, a further review of safety requirements would only serve to drive attention and resource away from the action that is already being taken.
Similarly, I fully agree with the principle of new clause 48, which aims further to ensure that passengers experience journeys free from disruption, harassment and criminality. I pay tribute to the train managers and guards across the network who work tirelessly in the interests of passengers to ensure their safety and wellbeing. I know the friendly and reassuring faces of the train manager on my regular trips between Parliament and my constituency. However, as I hope the hon. Member for Wimbledon will appreciate, changing the role of train managers and guards through a legal duty could be a change to the nature of individuals’ contractual terms and conditions of employment. Such matters are for the employer and the employees, through their trade unions, to negotiate under collective bargaining agreements. It would be up to GBR to consider what is appropriate at the time. Consequently, I do not agree with the new clause.
Finally, new clause 57 would require the Secretary of State to make regulations about the use of electronic audio devices on rail services. I cannot begin to express the depths to which I agree with the sentiment behind the new clause. The Government recognise the nuisance that irresponsibly used personal electronic devices can cause to other passengers, and I appreciate the importance of ensuring that passengers are not disturbed by excessive noise while travelling on the railways.
I am pleased, however, to confirm that the matter is already addressed under existing national railway byelaws. Railway byelaw 7 states that people “on the railway” shall not “to the annoyance of” others
“sing; or…use any instrument, article or equipment”
to produce sound without
“written permission from an Operator”.
Any person who breaches that byelaw commits an offence and may be liable to a penalty of up to £1,000.
Rebecca Smith (South West Devon) (Con)
I appreciate that the Minister is trying to reassure us that the methods that the hon. Member for Didcot and Wantage wants to implement already exist, but I do not believe that the hon. Gentleman would have tabled new clause 57 if those byelaws were being routinely implemented on trains, which is what he seeks. We have all been on trains where no one around is empowered, equipped or minded—because they are not confident enough, or are intimidated by the person—to act in that way. Can the Minister spell out a little more what the statistics are for that byelaw being used, and whether it is utilised to its fullness? Will he commit to see whether it is adequate? Ultimately, if train staff do not feel empowered, we can have all the byelaws in the world that we like—we have them on buses and in the streets, too—but they need people to feel empowered, able and confident to take action under them. I am not convinced that we have that at the moment.
Keir Mather
The hon. Lady is right to raise that challenge. It is important that the byelaws are in place, but we have all experienced them being flagrantly disregarded on the railway network. I believe that the answer is to ensure that the byelaws that exist are regularly and robustly enforced. I do not believe that we need to add more to the statute book to solve the problem, because the principle of making enforcement work is the more important and operationally demanding one. That needs to be done in the shortest order. I am happy to take that away and to engage with officials about how we can more robustly enforce the byelaws.
GBR having a holistic responsibility for the network will grant it the opportunity to think in a more holistic way about how byelaws can be enforced across the piece, I am sure in close collaboration with the British Transport Police. The Government consider that the issue is more appropriately a matter for train operators to manage and enforce at an operational level, rather than through additional Government regulation. As such, it is better dealt with through the existing railway byelaws rather than through regulations.
Rebecca Smith
The point is that responsibility currently sits with train operators to enforce the byelaws. Just yesterday, I was sitting in a quiet carriage, and it did not say anywhere that making noise would break byelaws. If the Minister is suggesting that the operators will maintain that responsibility, I do not see how the status quo will change with the existence of Great British Railways.
Perhaps this is an opportunity to give the responsibility to Great British Railways rather than the transport operators, and to improve signage to ensure that people know that violence against women and girls or adverse noise will not be tolerated. We cannot just have posters; it has to be in places where people can see it and understand it. A simple “Please be quiet” does not seem to be doing the job at the moment.
Keir Mather
The hon. Lady raises another valid point. It is right that train operators manage and enforce the byelaws and that GBR will have the added benefit that I have identified of holistic responsibility across the network, but she is right to point out that there is much further to go. Sometimes, there are complexities around subjectivity, where somebody on the train will have to determine what they believe constitutes an unreasonable level of noise, but that does not stop the fact that there are clear incidents in which the noise is totally unacceptable. We have further to go in this space, and the signage issue that the hon. Lady raises is interesting and something that I will reflect on. With that in mind, I urge the hon. Member for Didcot and Wantage to withdraw the new clauses.
Olly Glover
I will press new clause 10 to a vote.
Question put, That the clause be read a Second time.
The Chair
With this it will be convenient to discuss the following:
New clause 35—Report on long-term pipeline for works—
“(1) Within 12 months beginning on the day on which this Act is passed, Great British Railways must publish a report containing a long-term pipeline of infrastructure and rolling stock work affecting any line or service operated by Great British Railways (‘the works pipeline’).
(2) Great British Railways must publish further such reports within twelve months of the publication of the last such report under subsection (1).
(3) The Secretary of State must lay a report under this section before Parliament.
(4) Each report laid under this section must provide a works pipeline for the period of the following 15 years.
(5) Each works pipeline must include details of—
(a) infrastructure renewals;
(b) enhancements, including capacity schemes;
(c) digital signalling and technology programmes;
(d) major station works;
(e) rolling stock procurement;
(f) upgrade and refurbishment programmes.
(6) The works pipeline must specify the expected—
(a) timing,
(b) scope, and
(c) sequencing,
of renewal programmes, enhancements, and major technology transitions.
(7) The works pipeline must align with—
(a) The Rail Strategy’s objectives, and
(b) the funding provided for infrastructure and rolling stocks works during each Control Period.
(8) Each report laid under this section must include an assessment of—
(a) how the works pipeline will reduce inefficiencies in delivery of works, specifically in relation to—
(i) irregularity of gaps in funding, and
(ii) unstable or unreliable management of projects and programmes.
(b) how the works pipeline—
(i) has supported, and will support UK supply chain capacity;
(ii) has impacted protection of specialist skills within the rail industry; and
(iii) will support employment and apprenticeships.
(9) Each report must contain an assessment, during the year prior to its publication, of—
(a) progress in delivering any projects or programmes included in the works pipeline,
(b) any changes to projects or programmes included in the works pipeline, and reasons for those changes,
(c) the impact of the works pipeline on—
(i) industry investment,
(ii) inflation of costs in the rail sector, and
(iii) delivery capacity in the rail sector.
(10) Before publishing a report under this section, Great British Railways must consult—
(a) participants in the rail sector supply chain,
(b) rail industry bodies,
(c) the Scottish Ministers,
(d) the Welsh Ministers, and
(e) the Office of Rail and Road.
(11) Great British Railways has a duty to ensure that its integrated business plan and long-term procurement strategies pay due regard to the works pipelines included in the most recent report published under this section.
(12) On the day on which a report is laid before Parliament under this Section, a Minister of the Crown must make a statement to each House about how the works pipeline—
(a) aligns with the long-term rail strategy, and
(b) supports whole-network delivery priorities.”
This new clause would require Great British Railways to create a long-term pipeline of infrastructure works.
New clause 71—Nationally significant infrastructure projects—
“(1) An application for a nationally significant infrastructure project may not be proceeded with unless the Secretary of State has published a report on the impact of the project on rail infrastructure and services.
(2) A report under subsection (1) must consider—
(a) capacity of the rail network,
(b) the potential need for new lines or services,
(c) level crossings, and
(d) the accessibility of the rail network.
(3) The report must be laid before Parliament prior to a decision being made on the application.
(4) In this section, ‘nationally significant infrastructure project’ has the meaning given in section 14 of the Planning Act 2008.”
This new clause requires the Secretary of State to review provision of rail infrastructure and services before an application for a nationally significant infrastructure project can be approved, to ensure the rail network remains able to meet the needs of passengers.
Olly Glover
Our new clause 11 would create a fund for future railway improvement, which would have multiple intentions. First, it would create a stable pipeline of enhancements in infrastructure for the years and perhaps even decades ahead, which the supply chain is so loudly clamouring for, given that the rail networks enhancements pipeline has not been updated for many years. During Transport Committee visits around the country, we talked to supply chain businesses. Many of them reported never feeling quite so despairing about the outlook for their trades given the uncertainty with railway investment and enhancements. The fund would also create hope for communities. It would create a mechanism for them to submit their ideas for consideration, so they form part of the pipeline.
In anticipation of the Government or the Conservatives accusing me of being fiscally reckless, careful observation of the wording highlights that the new clause does not stipulate an amount for what should go into the fund. That is for the Government of the day to decide, but the principle is clear: there should be a longer-term process and mechanism for local authorities and communities to get their ideas on the table.
What would the fund involve? The new clause would require the Secretary of State to create the fund, which could be for new or reopened railways or just stations. We would call it the tomorrow’s railway fund. Local and regional transport authorities would have the right to apply to the Secretary of State to receive a grant of monies from the fund. That could be simply to develop an idea to the next level or to implement construction of something that has already gained support. I look forward to hearing the Minister’s comments on that.
I would also be inclined to support the Conservatives’ new clause 35, which would explicitly intend to create a long-term pipeline project. As I have alluded, we think that is a good idea for our railway and our supply chain, and it is exactly the sort of thing that the Government should welcome, given their oft-stated but rarely implemented commitment to economic growth and getting our country moving.
Jerome Mayhew
I seek a bit of advice here, Sir Alec: I presume this is the right time to talk about new clause 35 as well.
Jerome Mayhew
Thank you, Sir Alec. On new clause 11, I hear what the hon. Member for Didcot and Wantage says about fiscal responsibility, but it seems a bit strange to set up a fund with no funds in it. Although, as Committee members have seen in the new clauses I have tabled, I support the principle of having a long-term approach to infrastructure development and investment in rolling stock and skills in this country, I cannot support the creation of a new fund without fully understanding where that money would come from.
Olly Glover
Given the shadow Minister’s criticism of the new clause, is he willing to condemn the previous Government’s restoring your railway fund for the same reasons?
Jerome Mayhew
The answer is no, because money was involved. A shining example of the restoring your railways project is the Northumberland line, which was created under and funded by the restoring your railways project, and which is now open and a great success.
New clause 35, which is in my name, is relatively long, and would require Great British Railways to create a long-term pipeline of infrastructure works. If our “Certainty of Funding” new clause is added to the Bill, new clause 35 would fit nicely with it. The new clause would provide more certainty to the supply chain, and would make provision for a visible pipeline of works, allowing for long-term investment in UK manufacturing, specialist engineering skills, apprenticeships and workforce development.
That would prevent the loss of specialist skills during funding gaps, which we heard much about in the oral evidence session. Not only that, but I have been lucky enough to be in my role for considerably over a year now, during which I have met many organisations related to the railway supply chain. One overwhelming piece of feedback I get is on the feast and famine we have with the relatively short control periods, and the lack of visibility on what the next control period will have. The new clause seeks to address one of our structural problems, supporting stable employment, rather than cyclical redundancies, and encourages suppliers to invest in new technologies and productivity improvements.
In the recent past, this country has not had a very good reputation for delivering large infrastructure works, and having the ability to carry them out quickly and cheaply. The new clause would help, meaning that when we say we will do something, we have a better chance of it actually happening.
Keir Mather
I thank the hon. Members for Didcot and Wantage and for Broadland and Fakenham for tabling the new clauses, which relate to enhancements on the rail network or the impacts of other projects on rail.
New clause 11 would establish a fund for future railway improvements. Local and regional transport authorities could then bid for funding from the pot for their local areas. I certainly share the support the hon. Member for Didcot and Wantage has for improving the railway across the whole country, and I believe that the railway can bring benefits to the places it serves. However, it should be for GBR, as the organisation run by experts and charged with running railways, to maintain close relationships with local and regional authorities, including the local commissioning of infrastructure projects where agreements can be reached.
The fund the hon. Member proposes risks removing GBR’s opportunity to organise, design and implement enhancements, which is a job that it is best placed to do, as the directing mind. Of course, GBR will engage closely with local and regional authorities when planning, and should invest where real benefits would be gained. Enhancements funding should continue to be set at the spending review; that is appropriate where projects are discretionary. GBR’s integrated business plan will ensure that enhancement projects align with operational delivery.
I also expect the publication of GBR’s integrated business plan to provide further transparency on the enhancements GBR plans to undertake, and the associated funding. That should help set the roadmap for the five-year funding period. I hope the hon. Member can agree that such decisions should be made by GBR, working with local authorities and with mind to the long-term rail strategy.
New clause 35 would establish a report on a long-term pipeline of infrastructure and rolling stock work, on a line-by-line or service-by-service basis, and with considerable detail on the specific timing, scope and sequencing of works over a 15-year period. I share the intention of the hon. Member for Broadland and Fakenham to create transparency around GBR’s spending, and certainty for the railway supply chain. We are already working to develop a long-term strategy for rolling stock and supporting infrastructure, such as electrification, that will provide clear direction for the supply chain. As I am sure he already knows, the Bill contains a duty for GBR to consider certainty for railway service providers. However, I disagree that this needs to be in statute and that a pipeline containing the level of detail proposed in this amendment, over 15 years, would be a good way of achieving the goals of transparency and certainty for GBR.
GBR will have a five-year integrated business plan, backed by five years of funding for infrastructure operations, maintenance and renewals. That has been established as the appropriate balance between long-term planning and the realities of a changing operational environment. Forecasting specific infrastructure works beyond five years becomes increasingly unreliable, potentially leading to instability for the supply chain and for GBR—the exact thing this amendment is trying to avoid. Enhancements funding will continue to be set at the spending review, while GBR’s integrated business plan will ensure that enhancement projects align with operational delivery. That ensures that larger projects have longer term certainty. The current process has resulted in £2 billion being invested in the railway network every year, from 2019 to 2024. I hope that the hon. Member for Broadland and Fakenham can understand that creating a stable long-term rail strategy and business planning environment will do more to achieve these aims.
Finally, I turn to new clause 71, which raises the importance of understanding rail impact when considering major infrastructure projects. I thank the hon. Member for Runnymede and Weybridge (Dr Spencer) for raising this issue, but I do not agree with it primarily because the matters that the amendment seeks to mandate are already comprehensively addressed in the existing statutory framework. Under the Planning Act 2008 and the National Policy Statements applying to Nationally Significant Infrastructure Projects in the transport, energy, waste and water sectors, the Secretary of State will consider requirements to mitigate adverse impacts on transport networks arising from any developments. For transport projects, promoters must provide detailed assessments of the impact of their proposals on transport networks, including rail capacity, demand and operational implications. These assessments are a routine and established part of the development consent order process, which the Secretary of State must consider. This amendment would introduce an entirely new statutory reporting step before an application could be examined, which would go against the Government's reforms to streamline the consenting regime following the Planning and Infrastructure Act 2025, which aims to make the system quicker and more efficient. Instead of adding value, this new requirement would instead risk adding delay in introducing uncertainty, which could hinder timely progress on Nationally Significant Infrastructure Projects. Having laid out the Government’s arguments to these amendments, I hope that hon. Members will see fit to withdraw them.
Olly Glover
We would like to press new clause 11.
Question put, That the clause be read a Second time.
The Chair
With this it will be convenient to discuss the following:
New clause 58—Rails to Trails Programme—
(1) The Secretary of State must, within 12 months of the passing of this Act, establish a programme to facilitate the conversion of disused railway lines, sidings and associated land into active travel routes for—
(a) walkers,
(b) wheelers,
(c) cyclists, and
(d) horse riders.
(2) The programme must include—
(a) a national statutory framework to support community groups and local authorities to acquire and convert the land set out in subsection (1),
(b) a long-term fund to provide financial incentives and resources for local authorities and public bodies to convert the land for such use;
(c) mechanisms to ensure landowners are fairly compensated for any land that is acquired or converted.
(3) The programme under this section is to be referred to as the “Rails to Trails Programme”.”
This new clause would require the Government to turn disused railways into active travel paths.
New clause 60—Safe bicycle storage at railway stations—
(1) Great British Railways and all passenger railway service operators have a duty to provide sufficient safe bicycle storage facilities at all stations that they operate.
(2) In this section “safe bicycle storage” means cycle lockers or cycle hangers.
(3) For the purposes of this section, safe bicycle storage is sufficient if each railway station has—
(a) at least one safe bicycle storage facility on or adjacent to its premises, and
(b) at least one additional safe bicycle storage facility for every 30 vehicle parking spaces at the station.”
This new clause would require every station to have safe bike storage in place for passengers.
New clause 66—Reopening of services to underserved areas—
(1) Great British Railways must establish a department for the purpose of identifying areas underserved and unserved by railway services.
(2) In meetings its purpose, the department must consider—
(a) options to restore and reopen any lines closed after March 1963, and
(b) the potential to add stations onto existing lines.
(3) The department must cooperate with relevant transport authorities.
(4) In subsection (3), relevant travel authorities means—
(a) Scottish Ministers;
(b) Welsh Ministers;
(c) in England—
(i) any—
(a) mayoral strategic authority,
(b) combined authority, or
(c) combined county authority
with responsibility for rail transport or integration of services with rail transport, and
(ii) in relation to Greater London, the Mayor of London.”
This new clause would require GBR to establish a department to look at options to reopen closed lines, or add new stations to existing lines, to increase service to underserved and unserved places.
Olly Glover
I shall be concise because we have perhaps started discussing this new clause unwittingly in the previous segment. New clause 12 would require a review of the previous Government’s restoring your railway fund. Given the comments made by the shadow Minister, I am not sure that the wider populace would be quite so effusive about the success of the program—for £500 million, it delivered just 11 miles of reopened line and two new stations. Having said that, the heart of the idea was positive and that is exactly why we tabled our new clause 11, which we have debated previously. New clause 12 would require the Secretary of State to undertake a review of the now cancelled restoring your railway fund, to understand the pearls of wisdom that could be salvaged from its wider failure, to improve things for the future.
New clause 58 is about our rails to trails programme, which would create the potential for communities to more easily acquire disused railway lines and turn them into walking and cycling routes. Of course, lots of disused railways in the country are no longer owned by railway organisations, but some are. The new clause would facilitate acquisitions so that we can create more spaces on routes that are segregated from traffic for people to enjoy.
Rebecca Smith
It is a pleasure to serve under your chairmanship, Sir Alec. I had not planned to speak to the new clauses, but as they are pertinent to things going on in my constituency, I will make the most of the opportunity to have the floor.
In principle, new clause 12, on the restoring your railway fund, is a good idea. The hon. Member for Didcot and Wantage was cynical about the scheme, but it has had some significant successes. It reallocated money that was being spent exclusively in the north of the country to other parts of the country, such as the south-west.
I believe the Minister will admit that the Dartmoor line has been hugely successful. The latest statistics show that 775,000 journeys were made between its opening and March 2025, so I assume we will have probably hit the magic million mark by now. The line goes from Exeter to Okehampton, which is slap bang in the middle of Dartmoor and not very easy to access by road, and has allowed people who live there to get to work, leisure and whatever else in Exeter.
The Dartmoor line is also why the reopening of Tavistock station was being looked into, as part of the restoring your railway fund, before the new Government scrapped it, with the money being put back into HS2 and the Manchester to Crewe line. The restoring your railway fund was a success, even if it was not as successful as the hon. Member for Didcot and Wantage would have liked—but it only existed for a few years. Knowing what we do about the timescales for railway works, it was very good.
Whether we call it restoring your railway or not, I call on the Minister to ensure that we continue to look at branch lines, particularly for Tavistock, which would link Plymouth dockyard, and all the defence work going on there, to the wider population, and enable cars to come off the road. Yesterday, the A386 in my constituency was closed for the majority of the day because of a car that flipped, meaning that commuters, schoolchildren and people going about their daily business were trapped and could not get in or out of Plymouth, which is the 15th or 16th largest city in the country. I do not think that is acceptable. All we need is an additional railway station.
Let me turn to the rails to trails programme, which I did not think would be relevant but unfortunately has become so. Plymouth city council is eager to install a cycle path in my constituency, but because it will use an old railway track, the road will have to be closed for 14 months. I was unable to attend a public meeting in my constituency last night at which more than 50 constituents turned up to say how unimaginative the council is being about the diversion required.
In principle, rails to trails is a good idea, but let us not be naive about the impact on communities where we seek to turn old infrastructure into a path suitable for walkers, wheelers, cyclists and horse riders. There is always a cost to taxpayers and a physical impact on their daily life. Although I am not against rails to trails—indeed, there are similar successful schemes in my constituency—such projects can be deeply inconvenient to develop. I wanted to be able to tell my constituents that I raised that with the Minister.
Keir Mather
I thank the hon. Member for Didcot and Wantage for speaking to the new clauses. New clause 12 would require the Secretary of State to publish a report on the restoring your railway fund, which was set up by the previous Government and wound up in July 2024. Unfortunately, I do not believe it would be a good use of time for the Secretary of State to publish reports about the previous Government’s policies instead of getting on with the business of reforming the railway.
Edward Argar (Melton and Syston) (Con)
Will the Minister gently give way on that point?
Edward Argar
I gently take the Minister to task on that. Were not some of the first actions of Secretaries of State of this Government, when they came into office, to publish reports in which they—one can question how accurately—sought to look backwards over what the previous Government had done?
Keir Mather
Now that we have dispensed with that important work, we can get on with the business of running the railway. The Government are doing more to improve things for passengers and freight than any Government have in decades. We are creating GBR to be the directing mind for the railway, cutting out the needless waste and duplication that has characterised the model.
Olly Glover
If the Minister’s Wikipedia profile is correct, he studied history and politics. As an historian, does he not agree that to get the future right, we must learn from the past, and that we should therefore review the activities of past Governments?
Keir Mather
It is continuously important to bear in mind where the last Government may have strayed from the path of productive policymaking, and we have done so robustly in reflecting on the 14 wasted years of the Conservative Government. We must now turn to the future and think about how we can build a railway that serves the interests of passengers now and in the decades to come.
GBR will take robust decisions on the use of the network, leading to better co-ordination of the timetable, which could reduce delays and costs over time and improve reliability. Those decisions could well see the opportunity for new routes or services and, where appropriate, the restoration of railway services that were previously closed. Nothing in the Bill will prevent GBR from doing that; indeed, quite the opposite is true. We have already seen the Government’s commitment to doing just that with the continued support for the reintroduction of passenger services on the Northumberland line and the confirmation of new stations at Haxby, Wellington and Cullompton, without the need for a specific restoring your railway fund. Having a guiding mind for the railway that is properly empowered to make decisions is better for everyone—for passengers, freight and open access operators.
New clause 58 would require the Secretary of State to establish a programme to facilitate the conversion of disused railway land into active travel routes. I know the importance of such conversions, because there is a wonderful converted railway from Selby through to York, on the old rail route for the Selby coalfield. The DFT has already created Active Travel England to co-ordinate cycling, walking and other leisure uses in England. The funding of active travel in Scotland and Wales is, of course, a matter for their devolved Governments.
I agree with the hon. Member for Didcot and Wantage that active travel is an important potential reuse of redundant railway land, but other potential options—including regeneration such as housing, along with heritage lines and retaining the land for future use—should be considered in the round. All the options need to be assessed against objective criteria, including considerations such as funding and safety. New clause 58 would unbalance those considerations by making active travel a priority over other potential uses of railway land.
The Government have been clear that they intend to transfer historical railways estates and other former railway properties to GBR, which will absolutely be expected to look for opportunities to reuse redundant railway land. The new clause would take away GBR’s independence to do that and its ability to look at a wide range of alternative uses for former railway property, including its potential reuse for railway, commercial opportunities and regeneration.
New clause 60 would require Great British Railways and all passenger service operators to provide a minimum level of secure bicycle storage facilities at every station they operate. The Government are committed to improving the integration of transport across the network and are already working to improve facilities to support those who cycle to stations. The Government encourage station operators to engage with local stakeholders when considering the provision of facilities to support those who cycle to and from stations. Funding for cycle storage is already available from a range of local transport funds, including the active travel fund.
With the forthcoming establishment of GBR, we want to ensure appropriate bicycle facilities that are suitable for local circumstances and provided where needed, while retaining operational flexibility and minimising unnecessary expenditure. The new clause would impose on GBR and all passenger service operators a rigid requirement that fails to take into consideration local circumstances such as station size, passenger numbers and demand for bicycle spaces, which could result in unnecessary cost. I therefore urge the hon. Member for Didcot and Wantage to withdraw the new clause.
Olly Glover
I enjoyed the debate with the Minister, but I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
New Clause 13
Report on the potential merits of customer loyalty programmes
“(1) Within twelve months beginning on the day on which this Act is passed, the Secretary of State must lay before Parliament a report on the potential merits of customer loyalty programmes for rail passengers (‘rail miles programmes’).
(2) A review under this section must consider any beneficial effect on the growth of rail passenger numbers of introducing rail miles programmes.”—(Olly Glover.)
This new clause would ensure the Secretary of State conducts a report into potential benefits of a “rail miles” programme for passenger numbers.
Brought up, and read the First time.
Question put, That the clause be read a Second time.
The Chair
With this it will be convenient to discuss new clause 19—Rail climate resilience and decarbonisation framework—
“(1) The Secretary of State must, within 12 months beginning on the day on which this Act is passed, publish a framework that seeks to meet the following objectives—
(a) reduce the carbon footprint of the rail network;
(b) identify sections of the network vulnerable to climatic risks including drought, soil moisture deficit, flooding, heat and cold.
(2) The framework must include a schedule of required infrastructure improvements to the sections of network identified under subsection (1)(b).
(3) Great British Railways must publish a report on the progress of the objectives set out in subsection (1) every two years beginning on the date on which the framework is published.
(4) The Secretary of State must lay before Parliament each report as set out in subsection (3).”
This new clause establishes a statutory climate resilience and decarbonisation framework and requires regular reporting on progress made against the objectives set out in the framework.
Olly Glover
New clause 14 would require the Secretary of State to lay before Parliament a report on types of traction within a year of the Bill having passed, because the UK seems very committed to pursuing the somewhat anomalous obsession of replacing existing diesel trains with something called discontinuous electrification.
I will try not to bore the Committee too much with the technical detail, but historically the solution to avoiding diesel trains on railways has been to fully electrify them, which brings a huge raft of advantages. Electric trains are significantly more reliable than diesel trains. They are lighter, and therefore easier on the track. They have an impressive power-to-weight ratio, which is of particular benefit to freight trains; the acceleration of electrically hauled freight trains is incomparable with diesel. They also have a lower whole-life cost. Yet, with a couple of noble exceptions, there seems to be a real aversion to full electrification. I can entirely understand that for lightly used branches, where some of the novel solutions, such as battery trains or discontinuous electrification with batteries, would be entirely suitable. However, it currently feels like there is no clear criteria or logic as to which type of traction solution is pursued.
I have attempted to find answers through written questions and other means; I simply seek reassurance that the only consideration is not saving capital costs. I hope the Minister agrees that it is important that we consider whole-life cost as well as capital cost. It therefore ought to be possible to logically define the criteria by which a line will be chosen to be subject to electrification, no electrification or partial electrification. I look forward to hearing the Minister’s comments on that.
Keir Mather
I thank the hon. Member for Didcot and Wantage for tabling the new clauses, which I will address in turn. New clause 14 would require the Secretary of State to lay before Parliament a report setting out the implications of diesel, electric, battery and other alternative rolling stock options. The proposed report is unnecessary because the Government are already working to develop a long-term strategy—the first in over 30 years—for rolling stock and related infrastructure. The strategy will pursue modern standards of carbon-friendly traction, passenger comfort and accessibility. We expect to publish it this summer.
In developing the strategy, we are carefully considering the case for different traction types. In particular, we recognise that recent progress with battery technology offers a significant opportunity—along with, I am afraid to say, partial electrification—to reduce the subsidy cost of the railway, improve reliability and comfort for passengers, and deliver on our environmental obligations. We are considering that opportunity carefully and will set out our conclusions as part of the strategy. Once Great British Railways is up and running, we will expect it, not the Secretary of State, to take the lead in maintaining, updating and implementing the strategy.
New clause 19 proposes that the Secretary of State sets out a framework to reduce the carbon footprint of the rail network and to detail infrastructure improvements for climate resilience. As one of the greenest modes of transport, rail is key in helping to reduce emissions. The Climate Change Act 2008 places a duty on the Secretary of State for Energy Security and Net Zero to prepare policies and proposals to enable cross-economy carbon budgets to be met, and to lay a plan before Parliament to set out those policies and proposals. The October 2025 plan includes policies to decarbonise transport, including the railways. Given the existing duties, it would be duplicative to place a duty on the Secretary of State for Transport to publish a plan to reduce the carbon footprint of the rail network.
As the directing mind, GBR will identify sections of the network that are vulnerable to climate-related risks and set out how infrastructure improvements will be made. Throughout the business planning process, where infrastructure planning is captured, GBR will have a general duty to make decisions in the public interest, including in respect of environmental considerations. In signing off the business plan, the Secretary of State is under the same shared duty.
When making decisions on infrastructure, GBR will also have regard to the Secretary of State’s long-term rail strategy, which will be framed by a number of strategic objectives, including an environmental sustainability objective that includes delivering rail net zero and protecting transport links by investing in climate adaptation. These mechanisms, alongside wider environmental frameworks, will ensure that the key strategic decisions on infrastructure are made with climate resilience in mind. I urge the hon. Member for Didcot and Wantage not to press the new clauses.
Olly Glover
I am content to not to press new clause 14—we will save that battle for another day—but I will move new clause 19 formally when the time comes. I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
New Clause 16
Access for All programme: review
“(1) Within a year of the passing of this Act the Secretary of State must conduct a review of the Access for All programme.
(2) The review as set out in subsection (1) must identify the level of investment required to support accessibility improvements.
(3) Accessibility improvements as set out in subsection (2) include ensuring step-free access to all—
(a) platforms;
(b) entrances to stations;
(c) exits from stations.
(4) The review must identify all stations with fewer than 1,000,000 entries and exits a year, as recorded by the estimates of station usage published by the Office for Rail and Road, that do not have step-free access as set out in subsection (3).
(5) The review must set out an explanation for spending decisions on the Access for All programme between the period 25 October 2022 and 24 May 2024.
(6) The review must set out recommendations with the objective of facilitating the level of investment required to support accessibility improvements.”—(Olly Glover.)
This new clause would mandate a review of the Access for All programme. The review would seek to ensure that step-free access at railway stations is provided under the programme. The review would explain spending decisions on the programme under the previous Government and set out recommendations for future spending.
Brought up, and read the First time.
Question put, That the clause be read a Second time.
Olly Glover
I beg to move, That the clause be read a Second time.
New clause 21, in the name of my hon. Friend the Member for Newbury (Mr Dillon), would require a review of public road level crossings. It addresses similar themes to those raised by the new clauses in the name of the hon. Member for Runnymede and Weybridge that we have previously discussed.
We are seeking an annual review of high-delay level crossings, such as the one at Thatcham on what is known as the Berks and Hants line between Reading and Westbury and beyond. That is because we need to undertake proper analysis of the local economic cost and social impact caused by congestion, which admittedly is often necessary to facilitate railway services. It is sometimes perceived—whether the perception is accurate is another matter—that level crossing down times can be excessive. There may be opportunities to improve that, although ultimately to alleviate the local impact of the railway going through those communities, the high-delay level crossings would need to be replaced with an alternative means of crossing.
My hon. Friend the Member for Newbury and other signatories to the new clause are concerned about the wasted time and fuel resulting from long periods of idling traffic while the barriers are down, which can also lead to lost time for commuters, shoppers and business travellers. Road congestion across the UK is estimated to cost the economy tens of billions of pounds a year—some estimates exceed £30 billion—and high-impact level crossings are major contributors to local congestion hotspots, which can result in increased operating costs, particularly for commercial vehicles, such as delivery vans and lorries, and tradespeople. That, in turn, can reduce business productivity, leading to supply chain disruption, and can undermine labour productivity. Of course, there can also be a significant impact on emergency and public services.
The presence of a highly congested level crossing can act as a physical constraint on local planning. Local authorities are often unable to approve major housing or commercial developments that would increase local road traffic, as that would exacerbate the existing gridlock. That therefore stifles economic and housing growth. The Government have been very clear about their commitment to economic growth and highly ambitious housing targets that some consider to be undeliverable, so I hope that argument holds some weight with the Minister if none of the others do.
Let me say a bit more about Thatcham as a case study. Local reports and studies frequently say that the Thatcham level crossing is typically lowered for more than 30 minutes every hour at peak times, leading to significant congestion. The crossing is known as an MCB-CCTV. I have an ongoing commitment to waging war against acronyms, so let me say that that means a manually controlled barrier with CCTV monitoring. It is located on the busy Berks and Hants line, with approximately 133 trains per day passing over it. The line speed is high, at 100 mph—it is definitely an example of a railway that has benefited from full electrification—which requires the barriers to be lowered earlier than on slower lines, to allow sufficient warning time and ensure safe signal clearance.
Thatcham town council and West Berkshire council have formally acknowledged the serious traffic delays at the crossing. These delays have been specifically noted in the development of the local transport plan and the local plan review—the issue of the level crossing delays is identified as a critical factor that must be addressed and mitigated before any major new developments can proceed.
A study assessing the viability of replacing the level crossing with a new road bridge over the railway and canal estimated the cost to be in the region of £16.5 million, with that proposal ultimately declared not financially viable as a stand-alone public project. We do not intend to divide the Committee on the new clause, but we will be interested to hear the Minister’s comments on the issue that it highlights.
Jerome Mayhew
The Conservatives are very supportive of the intention behind the new clause. The replacement for Network Rail within GBR cannot bring the same, frankly uninterested, culture to these assessments that Network Rail is notorious for. I salute the tireless campaigning of my hon. Friend the Member for Runnymede and Weybridge, who has tabled a number of new clauses on this issue to highlight the problems that his constituents and, as we have just heard, many others have faced.
The hon. Member for Didcot and Wantage says that he will not press the new clause to a Division. I think that is sensible, given that the requirement for an annual review may well be too onerous, but we look to the Minister to acknowledge the problems faced by those communities that are cut in half by very impactful level crossings, and to provide assurances that the Government will address this significant concern.
Keir Mather
I thank the hon. Member for Didcot and Wantage for the new clause, which would require GBR to produce annual reports and technical studies relating to road crossings, with the aim of easing congestion. It is our view that the new clause would add highly disproportionate administrative and reporting burdens on to Great British Railways that we do not believe are necessary to manage level crossings and mitigate any of the impacts on communities that the shadow Minister and the hon. Member for Didcot and Wantage so powerfully described.
The new clause would require GBR to undertake an annual review of every public road level crossing in Britain, assessing the social and economic effects on each area, and would mandate feasibility and engineering studies for any site judged to have high levels of congestion. That would create a substantial and ongoing workload that would divert time, staff and funding away from the core functions of managing the railway, including by requiring GBR to develop proposals for engineering solutions even when there is no clear business case for intervention. That would increase costs, reduce flexibility and limit GBR’s ability to prioritise investment where it delivers the greatest benefits.
Network Rail has a statutory duty to minimise risks to the public and keep level crossings safe. I reassure the hon. Member that GBR will continue to be bound by those duties, while also taking full account of the wider economic and social impacts that level crossing down time can have on local communities. In support of that, as is the case now, GBR will be expected to keep level crossing operations under review, support continuous improvements in safety, and reduce unnecessary disruption so far as is reasonably practicable.
GBR will remain directly accountable to the Secretary of State and the Office of Rail and Road, the independent rail safety regulator on this work. As is the case now, effective consultation, robust evidence gathering and meaningful engagement with communities and local authorities will ensure that decisions are well informed and responsive to local needs. Through that approach, GBR will manage level crossings in a way that maintains high levels of safety for all users, reflects local priorities and is firmly grounded in evidence. I therefore urge the hon. Member to withdraw the motion.
Olly Glover
I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
New Clause 24
Great British Railways Board
“(1) The Secretary of State must appoint a Board to review decisions taken in respect of Great British Railways (“the Board”).
(2) The Secretary of State must appoint to the Board persons who are employees of, or otherwise represent—
(a) Great British Railways,
(b) open access passenger operators,
(c) freight operators,
(d) The Office for Rail and Road,
(e) The Passengers’ Council, and
(f) an organisation or campaign group representing passengers with accessibility requirements.
(3) The Board must comprise at least six members and no more than half of its membership may be employed by, or otherwise represent, Great British Railways.
(4) Great British Railways must determine the frequency of board meetings in any year.
(5) Any—
(a) decision by the Secretary of State concerning, or
(b) direction given by the Secretary of State to,
Great British Railways must be notified to the Board prior to the making of the decision or issuing of the direction, and such decision or direction may only be made if a majority of the Board approves of it being made.
(6) The Board must publish any decision or direction it considers, and whether it has approved any such decision or direction.
(7) Where the Board has not approved a decision taken by, or direction given by, the Secretary of State to Great British Railways—
(a) the Board must notify the Secretary of State that it has not approved the decision or direction, and its reasons for not doing so;
(b) the Secretary of State may proceed to make any such direction or decision provided that, in their opinion, it is necessary to do so.
(8) Where subsection (7)(b) applies, the Secretary of State must publish a statement setting out reasons for proceeding with the direction or decision.”—(Olly Glover.)
This new clause would require the creation of a GBR Board, constituted of relevant internal and external stakeholders and regulatory bodies, which the Secretary of State would have to consult on major decisions and changes.
Brought up, and read the First time.
Question put, That the clause be read a Second time.
The Chair
With this it will be convenient to discuss the following:
New clause 32—Working Practices and Productivity Modernisation Framework—
“(1) Within 12 months of the passing of this Act, the Secretary of State must publish a Working Practices and Modernisation Framework (“the Framework”).
(2) The Framework must include measures to—
(a) enable all passenger routes to be planned and delivered as a seven-day service, within the pay and conditions for standard working hours;
(b) enable drivers to operate train doors without additional payments in locations where this is not yet standard practice;
(c) require Great British Railways to establish a train driving school with updated training methods, with the purposes of reducing route-knowledge training times and increasing driver availability;
(d) end practices including—
(i) short-notice holiday approvals;
(ii) dependency on overtime to compensate for sickness absence or annual leave;
(iii) the prohibition on driving more than one journey over the same rails;
(e) introduce multi-disciplinary and flexible maintenance teams in GBR;
(f) support the adaptation of drone-based and digital inspection of railway infrastructure;
(g) prohibit unnecessary delays in introducing new rolling stock arising from route-learning requirements or working practices that exceed what is reasonably required for the safe operation of the railway, ensuring new fleets can deploy when manufactured;
(h) permit driver managers to drive trains when required;
(i) require maintenance and operational teams based in a specified areas to assist teams in neighbouring areas;
(j) prevent the Secretary of State from awarding general pay rises to any area of the rail workforce where—
(i) workforce productivity has fallen, or
(ii) where actions required in the Framework have not been implemented.
(3) Great British Railways has a duty to secure compliance with the Framework.
(4) Where the duty on Great British Railways under subsection (3) applies in respect of services which are run by any person other than Great British Railways, Great British Railways must fulfil the duty via access agreements with the person running those services.
(5) Within 12 months of this Act coming into force and within every subsequent 12 months, Great British Railways must publish an annual report on the measures in the Framework.
(6) Any report produced under subsection (5) must include—
(a) a summary of measures taken to reform the rail workforce as a result of provisions of the Framework;
(b) data on—
(i) workforce productivity,
(ii) cost savings,
(iii) changes in overtime expenditure, and
(iv) reasons for any delays in implementation of the provisions of the Framework.
(7) The Secretary of State must lay before Parliament a copy of any report produced under subsection (5).
(8) The Secretary of State may issue directions to Great British Railways under section 7 of this Act where, in the opinion of the Secretary of State, it has not met its duty under subsection (3).”
This new clause makes provision for a Working Practices and Productivity Modernisation Framework.
New clause 55—Mutual and co-operative structures—
“(1) Great British Railways must publish a report on the potential benefits to passenger railways services of mutual or co-operative corporate structures.
(2) The report under subsection (1) must consider the impact of mutual and co-operative corporate structures on employee engagement and governance.
(3) The report must be laid before each House of Parliament within six months of this Act being passed.”
This new clause requires GBR to explore and consider mutual and/or cooperative corporate structures with regards to employee engagement and governance.
Jerome Mayhew
New clause 31 seeks to reimpose minimum service levels. It would require the Secretary of State to make regulations to impose minimum service levels on passenger rail services, and for GBR to enforce them. The previous Government passed the Strikes (Minimum Service Levels: Passenger Railway Services) Regulations 2023, and the new clause essentially makes the railways subject to those regulations once more.
The purpose of the new clause is to reduce the impact of rail strike action on the ability of passengers to access their place of work and essential services, and to reduce the negative impacts on the wider economy, by setting minimum service levels—MSLs—for passenger rail during strikes. The intention is that the new clause will lead to an improved and more consistent level of service for passengers during rail strikes, when work notices are issued by employers to secure MSLs.
Public transport is critical for the everyday lives of citizens in Great Britain. The transport system supports all sectors of the economy and is a crucial enabler of economic growth. Rail is an important public transport mode as it enables passengers to make vital journeys, such as commuting to work or accessing essential services. Strike action on the passenger rail network can lead to disproportionate disruption to millions of people who rely on these services. A survey conducted by the Department for Transport in 2022 found that most rail users’ journeys were impacted by strike action, with some passengers reporting an adverse financial impact as a result.
Strike action usually takes place when there is a dispute between the employee and the employer, and the dispute cannot be resolved by other means. It is intended to cause disruption to the employer and, in some cases, the wider economy. Strike action in the rail sector, however, affects ordinary rail users, who are not party to the dispute. In December 2022, a report by the Centre for Economics and Business Research estimated that rail strikes between June ’22 and January ’23 would result in a loss of UK economic output of around £500 million due to people outside the rail sector not being able to work. Several sectors, including hospitality, have reported loss of revenue directly from the impact of rail strike action.
Government intervention is intended to mitigate disproportionate impacts of strike disruption on the railway, rail users and the wider economy. While the rail industry has put in place contingency plans to run a limited number of services during previous strike action, the level of service that it can deliver varies. Setting MSLs for passenger rail services will provide an important tool for employers to be able to deliver an overall improvement on the service levels that are typically seen during strike periods, and provide passengers with more certainty and consistency, which is just as important. This is intended to mitigate the adverse impacts of passenger rail strike action on users’ access to their place of work and to essential services, and the impact on the wider economy, while balancing that with the ability of workers to take strike action.
New clause 32, also in my name, would provide for a working practices and productivity modernisation framework. It would implement a number of provisions to make running GBR easier and more cost-effective for the Government and the taxpayer. Currently, there are a number of historical terms and conditions in train driver contracts that are outdated and allow drivers to hold their employers to ransom over pay. They make the railway inefficient to run and drivers slow to train, and end up costing taxpayers and fare payers more.
Let us look at some examples of improvements—this is a non-exhaustive list. We could get drivers to operate train doors without additional payments, and provide a train driving school with updated training methods to speed up route knowledge and training times. At the moment, it takes a lot less time to train a pilot to fly a jumbo jet from scratch than it takes to train a train driver. We could deal with the prohibition on driving more than one journey over the same rails, and introduce multidisciplinary flexible maintenance teams that support other local teams when needed. We could permit driver managers to drive trains when required, and link general pay rises to productivity gains.
All those examples, which are listed in the new clause, are eminently sensible improvements to the ability of GBR to run an effective, modern railway. Most people agree that having a seven-day timetable with a six-day roster is ridiculous, because it means that the Sunday service is voluntary. As a result, drivers are always paid overtime even though the service is part of the standard schedule. That does not happen anywhere else in the public or private sector. The new clause would mean that GBR could be run more cost-effectively. Many train companies have historical disputes with drivers over this issue, and have been unable to remove it from their trip terms and conditions as the drivers would simply go on strike. Now is a perfect time to change approach, with the full backing of the Government, in primary legislation. This wholesale reform of the railways is an opportunity for the Government to reset the terms and conditions for train operation.
As I have said, it is currently quicker to qualify to fly a commercial jet than to qualify to drive a train, and once a pilot has their licence they can fly almost anywhere in the world, while qualified train drivers are restricted to a specific route. We want to make it quicker and easier to become a train driver so that more people have access to the job. That is why the new clause legislates for GBR to establish a train driving school with updated methods. It would decrease dependency on overtime for sick days and for leave. GBR would be directly accountable to Parliament on the success of the framework, which we believe to be important.
Olly Glover
Let me say a couple of words on the shadow Minister’s new clauses. I entirely understand what he is trying to achieve and he asks some valid questions about the nature of industrial relations in the rail industry and how they are managed. I gently suggest, though, that the complexity of those things is perhaps greater than it might appear. This is not the place for me to share my extensive war stories of negotiating on a whole range of things with ASLEF, RMT and TSSA—the three main railway trade unions—but on that basis, my view is that these are exactly the sorts of things that are best left to GBR, with appropriate support and leadership from the Secretary of State.
Our new clause 55 is a different way of tackling a similar problem. It would require GBR to examine the benefits of mutual and co-operative structures and what they might be able to achieve. It is true that industrial relations in the rail industry are often fraught and subject to frayed tempers. As well as continuing constructive dialogue with the unions, are there other ways of looking at things? Perhaps we could draw on experiences both here and abroad, particularly in Germany, where mutual and co-operative structures, making sure that the worker has a voice on boards, and so on, can create a stronger footing for positive dialogue and secure employee buy-in to the wider objectives of the organisation. I look forward to hearing the Minister’s comments.
Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting)
Tuesday 10th February 2026
(4 days, 6 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
The Chair
I remind the Committee that with this it will be convenient to discuss the following: ‘Food supply Food supply chain The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’ ‘Local Government Local Government The Secretary of State for Housing, Communities and Local Government’ ‘Elections Electoral infrastructure The Electoral Commission’ ‘Government Political parties The Secretary of State for Housing, Communities and Local Government’
New clause 1—Food supply chain to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The food supply chain subsector
11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) after paragraph 10 insert—
(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture, or
(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;
(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
(a) any fish or other aquatic animal,
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism;
“plants” include fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”
This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.
New clause 8—Local authorities to be regulated as essential services—
“(1) The NIS Regulations are amended as follows.
(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The Local Government Sector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph “local authority means”—
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”
This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.
New clause 9—Critical manufacturing and retail sectors—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”
This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
New clause 11—Electoral infrastructure to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The electoral infrastructure subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”
This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.
New clause 12—Political parties to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The political parties subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons
(3) In this paragraph—
“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”
This new clause would designate political parties as providing essential services for the purposes of cyber security.
Lincoln Jopp (Spelthorne) (Con)
It is a pleasure to serve under your chairship, Mr Stringer. When we left off, we were considering the powers of the Secretary of State to bring new organisations within scope. I am a Conservative, and my view is that the best form of regulation is usually competition, so I am not actually volunteering these sectors for the guards. However, I want to understand the underlying logic as to why certain things have been included and certain things have not.
We have a fairly good guide as to what is essential. The reason we do is that we went through a global pandemic, and the following groups and organisations were designated as absolutely essential for the running of the state: health and social care, which is included; education and childcare, which is not; anything to do with the justice system; religious staff; public service broadcasters; local and national Government, which again is not in the Bill; food and other goods, which, as we discussed, are also not in the Bill, although they are in the new clauses; public safety and national security; transport; utilities; communications; financial services; and postal services.
That is the analogue I am putting to the Minister: we found out which things we really needed, we designated them as essential and we allowed them to continue during the covid pandemic. None of us particularly relishes being reminded of that time, but we owe it to the people who will be subject to the Bill to ask the Minister exactly what has been argued in and what has been argued out of scope, to understand how vulnerable the blank cheque we are issuing to the Secretary of State is to their including more and more in it, come the day of the races.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will start by addressing the questions raised by hon. Members, including the hon. Member for Spelthorne, who concluded by setting out a general philosophy of how we thought about what is in and out of scope, and then I will address some of the more specific concerns in the new clauses.
The overarching philosophy has not at all been to deny, as the hon. Members for Spelthorne and for Brecon, Radnor and Cwm Tawe argued, that there are a series of services that are absolutely essential. There is a category of critical national infrastructure, and there is a category of essential sectors and services that we identified in the pandemic. Although there is some overlap, a distinct segment for the Bill is operators of essential services such as digital services and managed service providers. The assessment there has been more about the immediacy and severity of the impact, and the availability of alternative provision in a very short time, which has meant that those sectors have been ruled in. I will lay out the logic of our position on the new clauses, which might help clarify this question, although I would be happy to engage further with hon. Members on it.
I am conscious that the hon. Member for Bognor Regis and Littlehampton and the shadow Minister raised very appropriate points about robustness and proportionality in relation to the Secretary of State exercising the powers in the Bill, so I will lay out the process and the role of Parliament.
In terms of the process for bringing new sectors or activities in scope, something must meet a specific, rigorous test to be defined as a new essential activity for the purposes of the Bill. The Secretary of State must be satisfied that the activity is essential to our economy or society. As I have mentioned, that is reserved for the most vital activities to our nation and acts as a high bar for inclusion, on the terms I mentioned to the hon. Member for Spelthorne.
In reaching a decision, the relevant Departments will need to carry out risk assessments and impact assessments and consider whether inclusion of those sectors and activities is proportionate. That is part of the normal policy development process. After that, the proposals will be subject to consultations and the affirmative procedure, ensuring the necessary scrutiny. Parliament will have the final say on the use of any expansive powers, as the vast majority of the changes I mentioned will be made through delegated powers and subject to the affirmative procedure. If a new sector is then brought into scope, we will undertake a phased implementation wherever possible, and organisations will be given adequate time to comply. Alongside that, regulations will be made in a controlled way and include consultations with relevant stakeholders before secondary legislation is laid before Parliament.
I make one final observation on the points that have been made, not least about Jaguar Land Rover. The UK Export Finance export development guarantee is not a bailout. UKEF receives payments for providing its guarantees, ensuring that the Government are appropriately compensated for the risk taken. In that context, a different assessment was made, as I hope to come to shortly.
More broadly, the Committee heard from expert witnesses that although the purpose of the Bill is clear, and its impact is a significant help for our national cyber-security and essential services, it or any other singular move is no silver bullet when it comes to our cyber-security. Different levers are effective in different parts of the economy and must be applied appropriately.
The most stringent lever the Government have at their disposal is legislation. As we have discussed in this and prior sittings, proportionality is key to the exercise of that lever. Regulation creates obligations and requires resources, so the pros of regulating must outweigh the costs. In the context of the Bill, that means protecting our society and economy from unacceptable risks with an immediacy of threat to our day-to-day life, not least our national security. That means things like keeping the lights on, the taps running and the NHS going, where there is little or no alterative provision of such services. We must also avoid creating unnecessary burdens where other measures are available.
In that context, I turn first to new clauses 1 and 9. The Government and the National Cyber Security Centre are clear that all organisations, whether a food supplier, an automotive giant, a supermarket or any other business operating in the UK, should take steps to protect their cyber-security and increase their resilience. That is why in October the Government wrote to FTSE 350 companies urging them to take three actions to strengthen their defences. First, they should make cyber-risk a board-level priority, and I know that that sentiment is shared across the Committee. Secondly, they should require suppliers to have baseline cyber-security through Cyber Essentials. Thirdly, they should sign up to the NCSC’s early-warning service.
The response has been encouraging already. A significant proportion of organisations have responded, with many of those responses coming directly from chief executive officers and chairs, showing the seriousness accorded to this by boards. Following the letter, we have seen increased interest in the Cyber Essentials website, uptake in early-warning registrations, and uptake in registrations for the IASME supplier check tool, which organisations can use to identify suppliers with Cyber Essentials certificates.
Beyond that, Departments and the NCSC deliver sector-specific support for key parts of the economy. On food specifically, the Department for Environment, Food and Rural Affairs and the wider Government have worked with the food and retail sector on cyber-resilience for many years, and we always stand ready to protect the UK food supply chain. During last year’s incidents involving Marks & Spencer and the Co-op, the NCSC and DEFRA worked closely with the affected retailers to support their response, to communicate advice and guidance and to assess the risk to food security. Following the attack, DEFRA Ministers wrote to major retailers to invite further collaboration on cyber-matters. Officials from both the NCSC and DEFRA are working with retailers to understand how we can best support them and the resilience of our food supply chain in the future.
Crucially, the food sector is unique among critical sectors for its high levels of industrial and geographic diversity. There are approximately 20,000 small and medium-sized food manufacturers alone spread across the UK, and many more farms, distribution centres, retailers and other types of businesses that form the UK’s food supply chain. As a result, it is a sector with few single points of failure. Its resilience is further strengthened by the steps that individual operators and suppliers are taking.
Finally, it is worth mentioning that the cyber-attack on Marks & Spencer last year, which hon. Members have raised, specifically involved the social engineering of a third party managed service provider. As the Committee is aware, the Bill brings large and medium-sized managed service providers into scope. That important change delivers downstream benefits across the wider economy, including for food retailers.
I will move on to new clause 8. The Government recognise that a step change in cyber and digital resilience is required across the public sector, including in local authorities. The Government’s cyber action plan is the overarching strategy to improve the cyber-resilience of Government. It will hold the public sector, including local government, to equivalent requirements to organisations regulated by the Bill. At the outset, the hon. Member for Spelthorne raised a question about schools and pupil data; where local authorities are the lead affected departments in that context, they would be expected to maintain very close oversight and compliance with the requirements and asks of the cyber plan, including in schools and the maintenance of pupil data.
Local authorities in England are accountable for their own cyber-security and resilience. The Ministry of Housing, Communities and Local Government, as the lead Government Department, is accountable for the sector-wide resilience of English local government, and is already taking a range of steps to support the sector, strengthen its cyber-resilience and manage its risks more effectively. For example, MHCLG has already provided £23 million of cyber grant funding and technical support to local government. That includes the delivery of clear cyber-security standards through the adoption of the cyber assessment framework—CAF—for local government. It is also aligned with the wider approach taken by organisations already in scope of the network and information systems regulations.
On social care specifically, as the lead Government Department for adult social care, the Department of Health and Social Care is working to ensure that the standards applied by adult social care providers are consistent with those used across Government and the wider public sector. The DHSC is investing a further £21 million over this Parliament to give care providers the support and guidance they need to improve their cyber-resilience and to enhance cyber-security standards to align with the cyber assessment framework. The MHCLG has also launched a local government cyber-incident response service to support English local authorities to respond to severe cyber-incidents, helping to limit the impact these have on data and services.
I now move on to new clauses 11 and 12, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe. The joint election security and preparedness unit—JESP—sits jointly between the MHCLG and the Cabinet Office. It was created by the defending democracy taskforce, a cross-Government unit, and works to protect UK elections and referendums by co-ordinating work across Government to respond to threats, including on cyber-security.
I know that the shadow Minister takes a keen interest in these questions on the run-up to elections, and he raised some important points. JESP works closely with the NCSC, which produces guidance for organisations involved in delivering elections, including local authorities. That includes advice to help IT practitioners implement security measures that will help prevent common cyber-attacks, as well as offers for direct NCSC support, including the NCSC’s active cyber-defence services.
The MHCLG as a whole is responsible for centrally managed digital electoral services covering voter registration, a postal or proxy vote, or a voter authority certificate. All systems and suppliers involved in developing and maintaining digital electoral services must meet strict cyber-security requirements, not least the MHCLG cyber-security assurance framework.
I will move on to political parties. JESP and the NCSC regularly engage with political party representatives to understand their requirements, monitor any cyber-infrastructure vulnerabilities and raise awareness about Government cyber-defence services. The NCSC’s active cyber-defence programme provides free security tools to help UK organisations, including political parties and local authorities, reduce exposure to common cyber- threats. The NCSC encourages all political parties to sign up to these, and offers individual candidate briefings to parties that wish to take them up.
Everything I have said reflects the Government’s current assessment of where regulation is needed to protect the core of our society and economy. Of course, we have seen that what is considered an essential service can change, and we also know that cyber-threats are constantly evolving. That is why the Bill will enable the Government to bring more essential activities and services into scope in future, and to take swift action if UK national security is at risk, in scenarios where the evidence suggests the pros outweigh the costs. However, at this stage we do not think that that is the case for new sectors. I therefore ask hon. Members not to press their new clauses.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clause 25
Statement of strategic priorities etc
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 25 introduces a power for the Secretary of State to designate a statement of strategic priorities for the implementation of the NIS regulations. The NIS regulations are enforced by 12 different sectoral regulators. Although that allows each regulator to apply its sectoral expertise, it also means that at times they have taken divergent approaches to their regulatory responsibilities. Clause 25 addresses that by allowing the Secretary of State to set overarching objectives for regulators in the wider context of a statement of strategic priorities. The statement will replace the NIS national strategy, which the Government were previously required to produce under the NIS regulations. It will set out the Government’s priorities for the security and resilience of essential services.
To ensure that the objectives remain stable enough to enable regulators to plan their work, the clause will prevent a statement from being withdrawn or amended within three years of its designation. However, that three-year rule will not apply if there has been a general election, or a significant change in the threat landscape or in Government policy. That will allow for flexibility where appropriate. In sum, clause 25 empowers the Government to drive a more effective and consistent application of the NIS regulations.
Clause 26 establishes the process through which a statement of strategic priorities can be designated. It requires that there must be consultation with regulators, and that the statement be laid before Parliament, where it will be subject to the negative procedure. It establishes that the Government must share a draft of a proposed statement with the NIS regulators, and that the regulators must be given at least 40 days to provide comments to the Government on that draft statement. The Government must consider whether it is appropriate to make any changes to the draft statement in the light of that consultation. Once any changes have been made, they must lay the statement before Parliament, where it will be subject to the negative procedure. Following that, the Secretary of State may designate the statement.
Clause 27 establishes the legal duties that regulators will have in relation to a statement of strategic priorities. It sets out that regulators must
“have regard to the statement”
when carrying out their NIS functions, as introduced by parts 3 and 4 of the Bill. It also introduces a requirement for regulators to “seek to achieve” the objectives included in the statement.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
As we heard in written evidence from the ABI, clarity about roles really matters. Can the Minister confirm that the statement of strategic priorities is not intended to operate as indirect instruction, and that regulators will retain clear discretion where sector evidence points in a different direction?
Kanishka Narayan
I thank the hon. Member for her point. Perhaps I can give a flavour of the objectives I might expect in a statement and assure her of the independence of sector regulators. Subject to consultation, which we would expect in the build-up to any such statement, a statement might include objectives such as encouraging regulators to seek to ensure that their sectors have plans in place to increase security, or focusing on regulatory activity in areas of greatest horizontal risk. To the hon. Member’s point about sector-specific expertise and the independence of regulators, the statement is intended to set objectives to be achieved within the parameters of regulators’ existing statutory duties, and what the overarching risks are. Of course, regulators will be free to do that in the ways they think most appropriate for their sectors, in the light of their own expertise and experience. I hope that gives the hon. Member some assurance.
Clause 28 requires the Secretary of State to publish an annual report setting out, in general terms, how NIS regulators have complied with their duties in relation to a statement of strategic priorities over the previous 12 months, and how they intend to meet their duties in the following 12 months.
Alison Griffiths
As the Minister is saying, clause 28 is meant to help Parliament understand how regulators are responding to the statement of strategic priorities. Can he say a little about how substantive that reporting will be, and whether it will genuinely allow Parliament to assess how those duties are being exercised in practice?
Kanishka Narayan
The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.
Kanishka Narayan
I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.
As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Mr Stringer.
Clause 25 introduces a power for the Secretary of State to issue a statement of the Government’s strategic priorities in relation to the security and resilience of network and information systems with regard to essential activities. The statement will set out the responsibilities of regulators and specify objectives to secure the Government’s priorities. Competent authorities must be consulted in the drafting of the statement, and the Secretary of State must issue a report in every 12-month period on regulators’ compliance with meeting the objectives within it.
The changes aim to address important challenges around consistency in the approach to regulation that were identified by the previous Government’s second post-implementation review of the NIS regulations. Importantly, the measures also provide for a regular review of competent authorities’ approach to discharging their regulatory obligations. That measure is necessary given the inconsistent approach to oversight and enforcement of the NIS regulations so far.
We know that there are existing challenges relating to the capacity of competent authorities and there is the ongoing issue of securing sufficient cyber-security professionals to staff the teams. It is all well and good making statements, but they need to be followed. What strategies does the Minister anticipate will be needed and used to support—and, where necessary, drive up—standards of regulatory oversight when competent authorities fall short of the aims set out in the statement?
Kanishka Narayan
I thank the shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.
Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.
Alison Griffiths
Having worked in business, I know that the words we use to ensure that the capabilities are there are easy to say but not always easy to deliver. How will the Minister ensure that when we have a multi-sector issue, which could easily come up—particularly, as we have already discussed, around OT and the use of IEDs across multiple sectors—the National Cyber Security Centre and other regulators will have access to the skills, people and resources necessary to manage what could be a catastrophic incident? We already know that cyber-skills are in short supply as it is, even in the commercial sector.
Kanishka Narayan
The hon. Member raises an important point. Two or three things are really important channels of impact when it comes to skills. First, the NCSC as a convening body across regulatory areas will be able to make sure that different regulators come together and learn by being able to share information not just between themselves, but through the NCSC itself as the convening body for sharing good and prompt understanding of emerging risks.
Secondly, on broader skills, the cost recovery schemes allowed under the Bill create a way for regulators to ensure they are resourced up and have the ultimate financial firepower to be able to enforce the requirements of the Bill.
Alison Griffiths
I thank the Minister for his patience. He mentions a specific example of where he will ensure that the NCSC is resourced up. Do we have specific examples that have happened already of those powers having been put in place successfully? From conversations with the NCSC, I understand that it is reliant on its accredited bodies across the country, but we have not yet—I am touching the wood of my desk, as I speak—had to respond to a complex multi-sector issue. I challenge the Minister on whether he is confident about our capability to respond to one.
Kanishka Narayan
I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.
Dr Spencer
The Minister is being generous with his time during this important debate. I was just thinking through his earlier response to the point made by my hon. Friend the Member for Bognor Regis and Littlehampton about using the cost reclaims to employ cyber-security professionals. That goes to the heart of the concerns about the Bill and its approach to regulation.
We have heard that the industry, including regulators, is struggling to recruit cyber-security professionals. What gives the Minister confidence that, just because some money will be sloshing around in the regulators, there will be the ability to recruit cyber-security professionals, who are going to be essential to the implementation of the Bill?
Kanishka Narayan
First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal that so more people can benefit from cyber-skills and serve in the industry.
There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.
Chris Vince
I am going to mention Harlow, because Harlow has young people with amazing potential. The point that the shadow Minister and other Opposition Members have made is really important. We need to make sure that this and the next generation of young people are trained up in these skills, because this is an emerging threat. I encourage the Minister to promote the Bill and what the Government are doing in cyber-security, because it is important that the wider public know that these important skills and jobs are available.
Kanishka Narayan
I am, of course, very happy to take on my hon. Friend’s recommendation that I be the promoter and ambassador for the Bill across the country. I am only sad not to have been invited to visit his constituency in the act of promoting said Bill, but I take his point seriously.
On the broader point about skills, I entirely agree with both my hon. Friend and the Opposition in recognising that skills are central to the enforcement of the programme. I hope that the funding and the earlier focus on skills across the life cycle give some assurance that the Government are committed to that.
Question put and agreed to.
Clause 25 accordingly ordered to stand part of the Bill.
Clauses 26 to 28 ordered to stand part of the Bill.
Clause 29
Regulations relating to security and resilience of network and information systems
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 29 is the key pillar of the Bill’s future-proofing powers. It allows the Secretary of State to update, amend or replace the NIS regulatory framework by creating new regulations. This is a critical provision. Due to the way in which the NIS regulations were transposed into UK law, the Government lack a way of updating the framework other than through primary legislation. As a result, our regulations have remained static amid a rapidly evolving threat landscape, leaving our essential and digital services vulnerable to attack and our resilience falling behind the EU. The clause is an important response to that problem. It will ensure that the Government can take swift action so that our cyber regulations remain relevant. It is a more proportionate and effective approach than always relying on primary legislation.
I know the use of delegated powers can be a source of concern, so I will be clear that the clause is not a carte blanche—or a blank cheque, which the hon. Member for Spelthorne might be worried about—to smuggle in anything and everything under the guise of cyber-security. It is tightly constrained to ensure that any new regulations align with the original purposes of the NIS regulations. New regulations can be made only for the purposes of strengthening the cyber-security and resilience of the UK’s most critical activities, and only where they are genuinely essential to the functioning of the UK’s society and economy. Cyber-criminals will always find ways around regulations, but with this power we can stop them in their tracks.
I have already explained the critical role that clause 29 plays in enabling new regulations to be made for the purposes of cyber-security and resilience. However, I want to be clear about how those regulations will be used and reassure the Committee of their checks and balances. Clauses 30 to 35 set out what the regulations can do.
Clause 30 enables the Secretary of State to use the regulation-making powers to impose requirements on regulated persons. It clarifies who can be made subject to requirements and the types of requirement that can be imposed on them.
Alison Griffiths
My question relates to clause 29 but also clause 30. As the Minister says, the powers are deliberately wide. The Institution of Engineering and Technology noted in evidence that predictability matters more than compliance. Will the Minister explain exactly how the Government will judge when risks require new statutory duties rather than updated guidance, so that businesses are not left guessing?
Kanishka Narayan
Any legislation made under clause 29 will need to align with the Bill’s clearly specified purposes to protect the systems that underpin our vital services. In any case, secondary legislation will require deep consultation to ensure that businesses have the sense of clarity that they require. There is a specific bar to pass for the scope of any further provisions, and it is a high bar given the definition of the sectors and the activities covered in the Bill.
Clause 30 has been designed with some clear use cases in mind. It will enable the security duties on regulated organisations to be updated with appropriate technical details. It will also ensure that more detailed thresholds for incident reporting can be set, and it is the mechanism through which we will set out the regulatory requirements for designated critical suppliers. In other words, the clause will help us to operationalise the provisions of the Bill and update the technical details of regulatory requirements in response to new risks or technology.
Clause 31 enables the Secretary of State to confer functions on regulators through the Bill’s regulation-making powers. These may be existing NIS regulators or newly appointed regulators. The types of functions that can be conferred are those concerned with compliance: monitoring and securing compliance, and investigating and managing non-compliance. To carry out such functions effectively, regulators must be able to impose penalties. Clause 31 also provides for that while putting in place important safeguards so that regulated organisations have a means of appealing penalties. The clause is essential for future-proofing the regulatory regime. It ensures that regulators can be equipped with the functions and powers they need to ensure the compliance and security of the UK’s most essential services.
Clause 32 sets out details and safeguards for how the regulation-making powers can be used when they impose or amend financial penalties. Crucially, it establishes upper limits on what the penalties can be—the greater of £17 million or 10% of turnover for an undertaking, or £17 million for a non-undertaking, or £17 million for an undertaking adjusted as needed to account for inflation. The 10% threshold has been chosen as a defensible outer limit for a regulatory regime concerned with national resilience and security. It aligns with penalties for non-compliance in legislation regulating critical national infrastructure and with the Bill’s own national security powers.
The clause further clarifies that regulations can define “turnover” and “undertaking”, where needed, to calculate a penalty. Together, these provisions create important safeguards and flexibility. They establish proportionate and transparent parameters within which penalty amounts can be set. They also enable the Secretary of State to define and consult on terms that are essential for operationalising the Bill’s new turnover-based penalties.
Like clause 31, clause 33 enables the Secretary of State to make regulations conferring functions on regulators. The functions specified in clause 33 complement the core compliance functions outlined in clause 31. They relate to the disclosure of information, issuing of guidance, record-keeping, preparation of reports, undertaking of reviews, and co-operation. The clause also enables the Secretary of State to impose functions on organisations that are not regulators but that play a public role related to the cyber-security and resilience of essential services. GCHQ, in its capacity as the UK’s computer security incident response team and technical authority, is the most important. Like clause 31, this clause is essential for future-proofing NIS regulations. It allows organisations that oversee and facilitate the cyber-security and resilience of essential services to be equipped with the tools and functions they need.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs using the powers under clause 29(1). These are the costs incurred through their functions under the NIS regulations or other obligations imposed through parts 3 and 4 of the Bill.
In practice, the clause ensures that the Secretary of State can make changes and updates to the way that regulators carry out their cost recovery function under the NIS regime. It could, for example, be used to specify further factors that regulators need to consider when establishing approaches for charging fees in the charging schemes, in addition to those already set out in clause 17. That might be needed to deliver greater consistency in how the cost recovery measures are being applied and is something that the Government will keep under review.
Alison Griffiths
As the Association of British Insurers has highlighted in its written evidence, the way cost recovery operates will shape behaviour on the ground. Can the Minister reassure the Committee that changes made under clause 34 will be transparent and proportionate and will not inadvertently discourage investment in cyber-resilience, particularly for smaller firms in supply chains?
On a personal point, could I ask him to speak more slowly? I am really struggling to hear him.
Kanishka Narayan
I apologise for the pace of my speech; I will try to make sure I am speaking more slowly.
On the particular point on transparency and ensuring that any amendments to cost recovery are both transparent and grounded in specific provisions, I can set out the sorts of expectations we have had for circumstances in which amendments might be made. In particular, the Bill’s powers will enable regulators to set up charging schemes, but it is not prescriptive—
Kanishka Narayan
The Bill’s new powers enable regulators to set up charging schemes, but it is not prescriptive about how it should do that beyond certain baseline requirements. More specific requirements, as provided for in the Bill, could become clear, such as if cost recovery mechanisms are not working effectively or if regulators are diverging unhelpfully.
All regulators must consult on charging schemes. In doing so, the industry should have ample opportunity to scrutinise the approach that regulators are taking and, importantly, Parliament should be able to add to that scrutiny as well. Like clause 31, clause 34 is essential for the future-proofing of NIS regulations.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs; I have mentioned examples of the sorts of factors we might specify in that context. Together with clauses 29 to 33, 35 and 41, clause 34 is necessary to ensure that the Secretary of State can update and amend the functions of regulators as needed in the future, and is an integral part of the Bill’s future-proofing powers.
Clause 35 is the final clause that clarifies the limits and prospective uses of the regulation-making power in clause 29. It confirms that the regulations may confer functions and allow certain functions to be delegated to others—for example, it could enable a regulator to delegate functions to inspectors. It also clarifies that regulations can be made to require a person to have regard to guidance or codes of practice, or that make provision by reference to another document or piece of guidance. In short, the clause provides helpful clarity about how the regulations could be applied.
Sarah Russell (Congleton) (Lab)
On a point of order, Mr Stringer. I am not sure whether this strictly meets the criteria for a point of order, but it is clear that some people in the room cannot hear what is happening. I know the convention is that only the Whips and Ministers sit on the front row, but if those who are struggling to hear wish to sit closer, could we abandon that convention? It would be a reasonable adjustment so that everyone can participate properly, because this is discriminatory.
The Chair
I thank the hon. Lady for her point of order. It is a convention, and if the hon. Lady or any other Member wishes to sit on the Front Bench to make life easier, they certainly have my permission to do so.
Alison Griffiths
Further to that point of order, Mr Stringer. Genuinely, I simply need the Minister to speak slowly and clearly. Yes, I am wearing hearing aids; I am sure that others wear them too. I am doing my very best to make sure that I can lip-read, but that is almost impossible given the speed the Minister is speaking at. One cannot lip read when he is looking down all the time either.
The Chair
I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.
Dr Spencer
I confess, Mr Stringer, that I suspect I am also guilty of speaking a bit fast in our previous debates. I will do my best to slow down and speak in a lower tone, as I know that can also help, particularly with certain types of hearing impairment.
To continue the theme of agile regulation, clause 29 enables the Secretary of State to update the NIS regulations through secondary legislation. Clause 30 enables the Secretary of State to impose requirements on regulated entities, which may include directions to take specific actions to increase cyber-resilience, to report on certain matters and to appoint a UK representative if the entity is based outside the UK.
Furthermore, clause 31 specifies that the Secretary of State may direct competent authorities to undertake certain activities, including mandating functions in connection with monitoring and securing compliance with relevant requirements, investigating suspected non-compliance and mitigating the effects of non-compliance on the part of regulated entities. Clauses 32 to 35 provide for the Secretary of State to issue ancillary directions to facilitate information-gathering, investigation and enforcement activities on the part of regulators.
Taken together, the clauses give the Secretary of State a strong suite of powers to respond to emerging cyber-security risks. Again, I recognise the necessity of being able to respond quickly in fast-changing circumstances. However, the Government should clearly be reporting on the Secretary of State’s exercise of the powers at regular intervals to ensure transparency. We will discuss that in due course when we come to clause 40, on the report on network and information systems legislation.
Kanishka Narayan
No.
Question put and agreed to.
Clause 29 accordingly ordered to stand part of the Bill.
Clauses 30 to 35 ordered to stand part of the Bill.
Clause 36
Code of practice
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 36 sets out that the Secretary of State may issue a code of practice for regulated entities. The code will describe recommended steps to help these entities to comply with their duties and requirements under the NIS regulations and any new regulations made under the Bill. This will make it simpler for regulated persons to understand what is expected of them, thereby driving consistency and complementing sector-specific guidance from regulators.
The clause will also make enforcement clearer and more effective, as regulators must take the code into account when they assess compliance. The code is designed to be flexible: it can be updated as threats and technology change, and can be tailored to different types of organisations, ensuring that guidance is current, relevant and practical for all.
Given the importance of the measure in providing practical recommendations to regulated entities, it must be consulted on before it is prepared or revised, and this process is set out in clause 37. Before the code can be brought into force, a draft must be laid before Parliament, providing ample opportunity to scrutinise and, if necessary, reject it within a 40 day period. If either House objects, the Secretary of State cannot proceed with that version and may prepare a new draft. If the draft is approved by Parliament, the Secretary of State may issue it and must publish it, and it then comes into effect immediately, unless otherwise specified. The clause also clarifies how the 40-day period is calculated, to ensure consistency and transparency in the process.
As we know too well, cyber-threats continue to evolve as new tactics and technologies are deployed, which is why the clause includes a power for the Secretary of State to amend the procedure for issuing the code. The Secretary of State may, for example, wish to add or amend consultation requirements or extend the 40-day period.
Clause 38 establishes how the code of practice will be used and treated in legal and regulatory settings, to ensure it has the intended effect. For regulated persons, the code of practice is intended to be formal guidance, with recommendations on how to comply with their duties, but not to be legally binding itself.
As we know, there can be more than one way for businesses to meet their obligations and ensure that they have in place appropriate and proportionate security and resilience measures. It is therefore important that there is a degree of flexibility in how they do this, to accommodate sector-specific nuances and business needs. None the less, it is crucial that the code has sufficient legal status and that the good practice it contains is not simply ignored. That is why the code can be admissible as evidence in court when deciding whether legal obligations have been met, and why the courts and regulators must consider it as evidence when assessing compliance.
Clause 39 establishes a formal process for the withdrawal of the code of practice, in case that is ever needed.
Dr Spencer
Clause 36 provides that the Secretary of State may issue a code of practice for regulated entities to set out measures that they should take to demonstrate compliance with their duties under the NIS regulations, or any requirements imposed by the Secretary of State under clause 29. If done well, the code could be a repository of best practice, setting proportionate, consistent and effective standards for regulated industries. That will require constructive and open consultation with regulated sectors to identify the challenges facing those sectors and how best to address them.
One issue that came up in oral evidence was the question of the lag between regulation making and industry adoption. David Cook of DLA Piper commented that, after laws come into effect, the process of businesses understanding where they need to get to
“often requires a multi-year programme of reform.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 5, Q1.]
The code of practice is not envisaged to be legally binding, in the sense that a failure to comply is not of itself evidence of a failure to meet obligations under the NIS regulations or the Bill. However, clause 38 states that it would be admissible as evidence in legal proceedings so, in that sense, the code is binding in all but name. In view of that, and the fact that codes can be revoked and reissued, can the Minister provide reassurance to regulated industries that a lead-in time will be built into any requirements to allow businesses to prepare to achieve full compliance?
Kanishka Narayan
First, to ensure that the shadow Minister and I are representing the intent behind the code clearly, in legal terms it is not the case that an organisation that fails to follow the code of practice is automatically a regulated organisation that has broken the law. Clause 38 makes it clear that not following the code does not by itself constitute a breach of duty or mean that an organisation is automatically liable to legal action. Organisations can take different approaches to complying with security duties, but if they adopt an approach that is not within the code, they may need to explain why their approach still meets the required standards set out in the regulations, and regulators will be required to take the code into account when preparing guidance.
On the shadow Minister’s question about ensuring appropriate timing and preparation for companies, I would very much expect that the regulators in question would be closely regulated entities to ensure the proportionate implementation of codes.
Alison Griffiths
We heard from the Information Systems Audit and Control Association that codes work best when they reflect operational reality. Given their evidential status, can the Minister reassure the Committee that codes will remain practical and iterative and not quietly harden into rigid compliance rules?
Kanishka Narayan
I am very happy to give the broad assurance that we will keep codes under review from time to time, and that any changes to the code will require deep consultation with regulators and businesses to ensure that the codes keep in touch with moving technology.
Dr Spencer
For the sake of clarity on the legal status of the codes, I entirely agree with the Minister that it is important to get this right, and my understanding of codes of practice in a different area—statutory codes of practice relating to the Mental Health Act—is that case law says that deviation from the code of practice should be done only for cogent reasons. That is a pretty high bar to pass in terms of deviations. I should declare an interest as a former consultant psychiatrist and someone who operated subject to that particular code of practice.
For absolute certainty, will the Minister write to the Committee and make the status very clear, along with reference to relevant case law in terms of other codes of practice? Does the clause override that jurisprudence or not? That would settle the question as the Bill goes through Parliament.
The Chair
Order. Interventions are getting a bit out of control again. I remind hon. Members that they should be brief.
Kanishka Narayan
I agree with the shadow Minister. The Bill’s focus is on the assessment of compliance with ultimate security duties. The codes of practice will set out approaches to do so, but they will not be the only approaches. I would be happy to write to the shadow Minister and the Committee on the particular legal interpretation, and any relevant case law that might apply.
Question put and agreed to.
Clause 36 accordingly ordered to stand part of the Bill.
Clauses 37 to 39 ordered to stand part of the Bill.
Clause 40
Report on network and information systems legislation
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
I beg to move amendment 26, in clause 40, page 63, line 7, leave out “5” and insert “3”.
This amendment would increase the frequency of the reports that must be published under Clause 40, from every five years to every three years.
David Chadwick
Amendment 26, tabled by my hon. Friend the Member for Henley and Thame, seeks to ensure that the Bill keeps pace with the reality that it seeks to regulate. In the world of cyber-security, five years is a lifetime. In the past five years, the size and scale of cyber-attacks has continued to advance at pace, and we can expect the next five years to be the same. In that context, waiting five years for the first formal parliamentary review of the Bill seems dangerous. It risks leaving us with a regulatory framework designed for the threats of yesterday and not tomorrow. The cyber-threat is real, evolving and urgent.
The NCSC has reported that nationally significant cyber-incidents more than doubled in 2025 alone. That is why the amendment would change the reporting cycle to once every three years. That is a pragmatic timeline, which allows the Government to identify gaps and close them before they are exploited. The EU’s NIS2 directive explicitly mandates a review by the Commission every three years, and it is not clear why the Government have decided to diverge from that standard. Is it because they believe that the cyber-threat here is considerably less than the one facing European member states? It is simply not clear, which adds to the general sense of bewilderment about this provision. If our European neighbours are reviewing their cyber-security approach every three years, why are the UK Government content to wait for five?
Dr Spencer
Clause 40 requires the Secretary of State to publish a report every five years on the operation of the NIS regulations and parts 3 and 4 of the Bill. Reports should include a review of any exercise of powers under parts 3 and 4 by the Secretary of State. Given the wide-ranging powers granted to the Secretary of State under those parts, I have some sympathy for amendment 26, tabled by the hon. Member for Henley and Thame, which seeks to reduce reporting intervals from five years to three.
The shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), raised this issue on Second Reading. She suggested that annual or biannual reviews might allow for effective parliamentary scrutiny of the NIS regulations and of the Secretary of State’s exercise of powers to respond to emerging threats. In view of the concerns voiced by the hon. Members for Henley and Thame and for Brecon, Radnor and Cwm Tawe, and by the shadow ministerial team, will the Minister explain why five-year intervals have been selected and whether the Government will look at this important issue again?
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for moving amendment 26, in the name of the hon. Member for Henley and Thame. It seeks to reduce the period for publishing a report on the operation of the legislation from at least every five years to at least every three. I reassure him that the Government recognise the importance of regular assessments of the regime to ensure that it is as effective as possible. The legislation sets five years as the minimum period. That is an appropriate and proportionate timeframe in which to meaningfully assess the progress, at a regular frequency, of the entire regime set out in the Bill, following the approach set by existing legislation such as the Online Safety Act 2023.
David Chadwick
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 40 ordered to stand part of the Bill.
Clause 41
Regulations under section 24 or Chapter 3
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 41 gives further detail on the sorts of provisions that can be included in regulations made under clause 24 and chapter 3 as a whole. It confirms that regulations can make different provisions for different purposes, different categories of person or different areas; can make provisions for how those regulations apply to the Crown or UK territorial waters; and can include consequential, supplementary, incidental, transitional or saving provisions. The clause also defines how certain terms used in regulations should be interpreted, such as “relevant UK waters” or “primary legislation”. In summary, the clause provides important points of clarification about how the regulation-making powers in the Bill can operate. I propose that clause 41 stand part of the Bill.
Clause 42 sets out the consultation requirements and parliamentary procedure that apply where regulations are used to designate new essential services or regulators, to impose regulatory requirements or change regulator functions, or to amend requirements for the five-yearly legislative review.
Alison Griffiths
These procedures are standard, but the powers they apply to are significant. Where regulations under part 3 would materially expand duties or bring new actors into scope, have the Government considered whether those should receive deeper scrutiny in practice, even if the formal procedure remains the usual one?
Kanishka Narayan
I thank the hon. Member for that important point. The expectation is that the powers used here are scrutinised appropriately. If it helps, I can set out which uses of the power, particularly under clause 42, will trigger consultation requirements and the affirmative procedure, which will perhaps give her the assurance she seeks.
In essence, all changes that may have considerable impact on how the NIS regime operates will be subject to consultation and the affirmative procedure. In practice, this means that regulations concerning the designation of essential services, as well as changes to the duties of regulated entities and functions of regulators, will be subject to both consultation and affirmative procedure requirements.
In each of the cases I mentioned, clause 42 requires the Secretary of State to undertake consultation with appropriate persons before any regulations can be made. It also specifies that regulations of this kind can be approved only through the affirmative parliamentary procedure. These provisions ensure that any substantive regulations made through the Bill’s future-proofing powers will be properly tested. They provide the necessary checks and balances that such wide-ranging powers require, and they will ensure the credibility and legitimacy of future regulations made using these powers. For those reasons, I propose that clause 42 stand part of the Bill.
Dr Spencer
I have two questions for the Minister. Given the impact on devolved legislation, can he confirm that the consultation will extend to devolved authorities should it impact on them? My second question is more generally on the theme of devolved authorities. Can he confirm that, as part of the publicised “reset” negotiations with the European Union, bringing Northern Ireland into scope of NIS2 regulations is totally off the table?
Kanishka Narayan
On the broader point about application to the devolved Administrations, changes in UK legislation may indeed need to be reflected in devolved legislation, such as where it refers to and references the name of UK legislation. In those contexts, it is important that consequential provision can be made to ensure coherence. We will continue to engage with our devolved colleagues on the implementation. I am very happy to write to the hon. Gentleman and the Committee, particularly on the Northern Ireland point.
Question put and agreed to.
Clause 41 accordingly ordered to stand part of the Bill.
Clause 42 ordered to stand part of the Bill.
Clause 43
Directions to regulated persons
David Chadwick
I beg to move amendment 27, in clause 43, page 66, line 11, at end insert—
“(fa) a requirement to remove, disable or modify hardware, software or other facilities;”
This amendment would enable the Secretary of State to issue directions to remove, disable or modify hardware, software or other facilities for national security purposes.
David Chadwick
Amendment 27, which I move on behalf of my hon. Friend the Member for Henley and Thame, would give the Government the ability to remove, disable or modify hardware and software that could be used to infiltrate British national infrastructure, such as the cables underneath the now approved Chinese mega-embassy in Tower Hamlets.
The Prime Minister’s greenlighting of the Chinese super-embassy in the heart of London is a grave mistake that presents an open door for the ramping up of Chinese espionage in our country. It sends a regrettable and shameful message to Hongkongers—many of whom have already been targeted, intimidated and coerced by the Chinese Communist party—that trade deals are being prioritised over their safety. The Government must take a robust stance with hostile states such as China.
Dr Spencer
Clause 43 grants the Secretary of State powers to issue directions to regulate entities where there is a risk to national security, or where an action must be taken in the interests of national security. Directions can include requirements relating to the management of systems, the yielding of information and the removal or modification of goods and services. The Secretary of State may also require a regulated entity to engage the services of a skilled person to comply with directions issued. The Secretary of State has wide discretion to dispense with providing reasons for directions or consulting with the affected parties on the basis of national security considerations.
Clause 44 clarifies that the Secretary of State’s directions under part 4 prevail if there is a conflict between those directions and another statutory requirement. The exercise of these powers by the Secretary of State could have far-reaching consequences for businesses, which may experience interruption to their commercial activities, as well as the potentially considerable time and expense in adhering to a request made on national security grounds.
I have spoken on several occasions in the House and in this Committee about the critical risks posed to our cyber-security and national security by hostile state actors and their affiliates. It is, of course, right that the Secretary of State should have this power, but it should be used only in extremis. Like other extensive powers granted to the Secretary of State under part 3, it must be subject to oversight and guardrails. A report to Parliament, which may well be redacted, on the exercise of functions under part 4 will not be sufficient to ensure that this power is used proportionately. Has the Department considered introducing an obligation for the Secretary of State to report to the Intelligence and Security Committee when she exercises powers under part 4?
We discussed the Chinese super-embassy earlier. Later in the Committee’s proceedings, I will talk about an Opposition new clause that would deal with that problem effectively.
Emily Darlington (Milton Keynes Central) (Lab)
As the Minister will be aware, I have spoken consistently of my concern about our reliance on hardware and tech that comes from potentially non-favourable state actors abroad. That also relates to Government procurement, which I have raised before, as the Minister will know.
The Committee has already discussed how local government and Government Departments are not covered by this legislation, and how there is a separate strategy and document. Can the Minister expand on how protections against a reliance on foreign tech within critical infrastructure, in either the private or the public sector, are being dealt with in the Bill or in the strategy that has been published for the public sector? How will that be continually reviewed as our global geopolitical situation remains unstable?
Kanishka Narayan
I will start by addressing amendment 27, moved by the hon. Member for Brecon, Radnor and Cwm Tawe, which would add to the non-exhaustive list of requirements that could be included in a national security direction. It specifies that a direction could include requirements to
“remove, disable or modify hardware, software or other facilities”.
I reassure him that the Bill, as currently drafted, allows the Secretary of State to impose those types of requirements. Clause 43(3)(f) specifies that a direction may include
“a requirement relating to removing, disabling or modifying goods or facilities or modifying services”.
That already encompasses the types of requirements specified in amendment 27.
Furthermore, clause 43(3) lists the requirements that may “in particular” be included in a direction. The list is therefore not exhaustive, and for good reason. It is not possible or desirable to specify every action that might be needed to address a national security risk. That would restrict the Government’s potential avenues to address urgent national security threats, and would risk the legislation being too narrow to address novel threats to the UK’s national security.
Dr Spencer
I really do not understand the Minister’s answer. If it has not been published on national security grounds, how will we know that it has been laid? The whole thing could be entirely secret. Surely it has to go to the ISC as an accountability mechanism.
Kanishka Narayan
The Bill currently provides for clear parliamentary scrutiny. The Secretary of State is responsible for coming to Parliament, although some information may not be able to be presented in public. I am happy to write to the shadow Minister about the mechanisms that other similar regimes have used to ensure that Parliament’s scrutiny is informed in those cases, whether in Committee or otherwise. The primary mechanism is the one we use for constant parliamentary scrutiny, and it would be unfair for any of us to suggest that most of those channels would not be appropriate for the sort of scrutiny we are looking at.
Dr Spencer
I think the Minister is saying that there will be a parliamentary scrutiny mechanism under these powers. Is that what he is saying?
Kanishka Narayan
To repeat, exactly as I said: once a direction is issued, it will be laid before Parliament for scrutiny. If there is any misunderstanding, I am happy for the shadow Minister to write to me so that I can confirm it.
Dr Spencer
I really think we should be very critical about this. What we are doing now is parliamentary scrutiny. There will be directions in future, which we expect to be laid, and they will also be subject to parliamentary scrutiny. Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?
Kanishka Narayan
To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.
Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.
Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.
Lincoln Jopp
To take this a little bit beyond the theoretical, is the Minister suggesting that, where it is discovered that, for example, a major offshore wind power generation facility was fitted with remotely triggerable kill switches, triggerable by a foreign state or sub-state actor, the Secretary of State could require that energy company to remove whatever piece of hardware or software was producing that threat?
Kanishka Narayan
I could not judge a specific situation but, broadly speaking, that is the sort of situation, especially if it is an NIS-regulated entity, and in particular where the exercise of the power is focused on the entity’s network and information systems, that I would expect to come in scope of the powers specified here.
Under clause 44, a direction can be issued only when necessary for national security. It is possible that, in some circumstances, what is needed to protect UK national security could conflict with standard regulatory duties. For example, a direction might relate to a particularly sensitive national security risk, where only those involved in addressing the risk should be aware of it. That is to minimise the risk of hostile actors becoming aware of a vulnerability. A direction could therefore require an entity not to report that national security risk for the period in which the risk was being remedied. They may ordinarily have had to report that national security risk to comply with standard reporting requirements. The clause will resolve that conflict and provide certainty to recipients of directions about what they must do to ensure that the national security risks in a direction are addressed.
David Chadwick
Given the reassurances from the Minister, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 43 ordered to stand part of the Bill.
Clause 44 ordered to stand part of the Bill.
Clause 45
Monitoring by regulatory authorities
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
This group of clauses concerns how compliance with national security directions will be monitored. Clause 45 enables the Secretary of State to delegate the task of monitoring compliance with the direction issued under clause 43 to a NIS regulator. Regulators have valuable sectoral expertise and existing relationships with the entities they regulate. As such, it may be effective to delegate monitoring of compliance to the relevant regulator. The Secretary of State will retain the sole ability to make judgments about whether non-compliance has occurred, or if any penalty is appropriate. The regulator would be required to obtain information relating to compliance, to be shared with the Secretary of State. The Secretary of State would then determine how they would like to receive this information—for example, in reports or at regular intervals.
Clause 46 grants information-gathering powers to the Secretary of State and to regulators that are subject to a monitoring direction or request. In order to determine whether an incident or threat meets the bar for issuing a direction, or whether a regulated entity is complying with the direction, the Secretary of State will need information from that entity and potentially other parties. The clause establishes the power for the Secretary of State to request that information. As the monitoring of compliance with the direction may be delegated to NIS regulators, the clause also equips those regulators with the power to request information needed for their monitoring functions.
Clause 47 grants the Secretary of State the power to carry out or delegate inspections needed to assess compliance with a direction, or with a confirmation decision specifying actions to be taken in the event of non-compliance. The Secretary of State is responsible for judging whether a regulated entity is complying with a direction, and therefore needs access to relevant information that the regulated entity holds. In some cases, this may not be possible to verify without physical attendance. To ensure the effective use of time and resources, the Secretary of State will have the power to appoint a person to carry out an inspection on their behalf, or to direct the recipient of a direction to appoint an approved inspector. The clause also grants these powers to regulators, where the regulator has been directed or requested to monitor compliance on behalf of the Secretary of State. This will ensure that they can provide the Secretary of State with the most accurate information. I commend the clauses to the Committee.
Dr Spencer
Clause 45 gives the Secretary of State powers to require regulatory authorities to monitor and report on regulated entities’ compliance with directions given under clause 43 for reasons of national security. Clause 46 provides the Secretary of State with extensive information-gathering powers through the use of information notices to facilitate the giving of directions and monitoring of compliance with directions under clause 45(4). Clause 47 empowers the Secretary of State to conduct inspections to assess whether a regulated entity is complying with directions issued under clause 45(4). The Secretary of State may appoint a third party to conduct the inspection, and require the regulated entity to meet the costs associated with this.
I reiterate the point that these powers are necessary; however, given the potential for significant cost and administrative burden for businesses, they should be subject to contemporaneous or near-contemporaneous oversight by parliamentary authorities, observing the necessary confidentiality protocols. I also make the point that these information-gathering powers apply extraterritorially and may lead to conflict with regulated entities’ data privacy obligations in other jurisdictions. What discussions has the Secretary of State conducted with industry and law enforcement counterparts in other countries about the approach to information sharing for this purpose, and the implications for companies operating services on a cross-border basis?
Kanishka Narayan
I am grateful to the hon. Gentleman for his points about proportionality and scrutiny. I want to give him assurances about that, as I did in our earlier conversation.
On cross-border compliance, the hon. Gentleman rightly points out that relevant information can be requested, regardless of whether it is held the UK. I am very happy to write to him with further detail on our ongoing engagement with counterparts elsewhere. During this process, we have engaged more broadly to understand other regulatory regimes and ensure compliance with them.
Question put and agreed to.
Clause 45 accordingly ordered to stand part of the Bill.
Clauses 46 and 47 ordered to stand part of the Bill.
Clause 48
Notification of contravention
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
This group of clauses concerns the enforcement of directions issued by the Secretary of State. I shall speak to them in turn.
Clause 48 grants the Secretary of State the power to issue a notice of contravention where they believe an entity is failing or has failed to comply with requirements relating to a direction. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will also be able to issue a notification of contravention relating to an information notice or inspection issued by the regulator. It would not be appropriate for a regulator to judge compliance with a direction issued under clause 43 or any other requirement imposed by the Secretary of State.
Lincoln Jopp
What happens when the Secretary of State, via his various proxies—the regulator or whomsoever—gives a direction to a company to do something in the interests of national security, and the entity disagrees and says, “That simply won’t work, and it won’t solve the problem that you are seeking to address”?
Kanishka Narayan
I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.
The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.
Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.
Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.
These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which align with the provisions in clause 49.
Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.
A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.
Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.
I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.
Dr Spencer
Clauses 48 to 52 deal with notifications and financial penalties where a regulated entity is deemed not to be compliant with directions issued by the Secretary of State under part 4. In particular, clause 48 would grant enforcement authorities powers to issue a contravention notice if they believe a person has failed to comply with a requirement under part 4. The notice must set out details of remedial steps to address the failure, as well as the financial penalty that the enforcement authority intends to impose.
Clause 49 would require penalties to be set at a level that is appropriate and proportionate, with the maximum penalty being £17 million or 10% of turnover. A maximum daily penalty of £100,000 applies to ongoing breaches. The maximum fines for failing to comply with an information notice or an inspection would be set at £10 million.
Kanishka Narayan
I have two points to make to the shadow Minister on defining turnover. As he will be well aware, “turnover” is a technical term that is best defined in secondary legislation, to keep up to date with accounting principles that at times vary from sector to sector. He asked for factors that might contribute to definitions. The specific determination of turnover will be set out secondary legislation, but we intend to establish a presumption that only the turnover of the regulated entity that breaches the direction will be considered for determining penalties on this point.
Question put and agreed to.
Clause 48 accordingly ordered to stand part of the Bill.
Clauses 49 to 52 ordered to stand part of the Bill.
Clause 53
Power to direct regulatory authorities
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to consider the following:
Clauses 54 to 56 stand part.
Government amendments 23 and 24.
Clauses 57 and 58 stand part.
Kanishka Narayan
This group concerns the power for the Secretary of State to issue directions to the NIS regulators, as well as general provisions relating to the power and the power to direct regulated entities. That includes the procedure for reviewing, varying or revoking directions, the procedure whereby Parliament can scrutinise these directions, how information concerning directions can be shared, the means by which directions can be issued and the clarifications of key terms concerning part 4 of the Bill. I shall speak to each clause in turn.
Clause 53 grants the Secretary of State the power to direct NIS regulators in the exercise of their NIS functions, where it is necessary and proportionate in the interests of national security. The current system requires regulated entities to undertake “appropriate and proportionate” measures to secure themselves against cyber-threats. Regulators issue guidance to their sectors to help them to interpret that duty. However, geopolitical or technological developments could lead to rapid, unexpected increases in the cyber-threat that quickly leave whole sectors vulnerable and create a national security risk.
In such circumstances, it is essential that the Secretary of State can leverage the expertise and powers of NIS regulators to drive the implementation of enhanced security procedures and practices. For example, they may need to direct a regulator to issue an urgent advisory to its sector regarding new cyber-threats or to update guidance on what measures are “appropriate and proportionate” for them to take. This power will not extend to other Government Departments or devolved Governments, for which any actions to mitigate significant national security threats will be agreed through engagement.
Given the changing nature of national security threats, there may be times at which a national security direction needs to be varied or revoked. Clause 54 introduces powers for the Secretary of State to change the content of a direction, or revoke it altogether, where it is necessary and proportionate to do so in the interests of national security. The Secretary of State will be able to vary a direction to add new requirements, or to simplify directions by removing requirements that are no longer needed. To ensure that regulated entities are able to make representations, the Secretary of State is required to consult them before a direction is varied, where practicable. This requirement does not apply if consultation would be detrimental to the interests of national security.
Dr Spencer
Clause 53 would grant the Secretary of State powers to issue directions to regulators where this is necessary for national security reasons, and to allow a reasonable period for the regulator to comply with that direction. Clause 54 provides that directions may be amended or revoked by the Secretary of State. Under clause 55, directions to regulated entities or regulators must be laid before Parliament unless that
“would be contrary to the interests of national security.”
I repeat my earlier question about the ISC’s role regarding scrutiny. Clause 56 would permit the Secretary of State and regulatory authorities to share any information obtained under part 4 with each other and the NCSC. The provision also allows for the sharing of information with other UK or overseas public authorities with equivalent cyber-security or national security functions. Government amendments 23 and 24 seek to amend that clause to provide for directions and notices issued under this part to be sent by email to relevant persons who provided those contact details to regulatory authorities.
Some reassurance on the extent of information sharing for businesses is delivered through provisions specifying that disclosures of information should be limited to that which is relevant and proportionate. However, those are high-level and subjective terms, open to interpretation by the authority sharing the information. Can the Minister provide any update on the development of protocols between authorities to ensure that information shared is limited to that which is necessary for effective oversight and enforcement in relation to national security risks?
Kanishka Narayan
On the shadow Minister’s first point, I repeat what I said earlier and, of course, acknowledge his concern. I assure him that, while a direction can only be issued out of necessity for national security, it does not follow that public knowledge of that direction or its contents would compromise national security. I would expect a pretty extensive scope of such directions and, therefore, an appropriate channel of scrutiny in Parliament.
On his question of protocols to ensure information shared is not just proportionate in general, but specific to the purpose of national security specified, I am happy to give him the assurance that the Bill contains it and that, in the process of working out implementation, we will make sure that regulators are focused on developing those protocols.
Question put and agreed to.
Clause 53 accordingly ordered to stand part of the Bill.
Clauses 54 to 56 ordered to stand part of the Bill.
Clause 57
Means of giving directions and notices
Amendments made: 23, in clause 57, page 83, line 8, at end insert—
“(za) an email address provided to a regulatory authority as an address for contacting that person,”
This amendment would ensure that a direction or notice can be given to a person using an email address which has been provided to a regulatory authority as a contact email address.
Amendment 24, in clause 57, page 83, line 11, leave out
“there is no such published address”
and insert—
“no email address has been so provided or published”.—(Kanishka Narayan.)
This amendment is consequential on Amendment 23.
Clause 57, as amended, ordered to stand part of the Bill.
Clause 58 ordered to stand part of the Bill.
Clause 59
Extent
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
I will speak to clauses 59, 60 and 61 in turn. Clause 59 clarifies that the Bill’s provisions apply to England and Wales, Scotland and Northern Ireland. That is consistent with the Network and Information Systems Regulations 2018.
Effective implementation is key to a successful regime. Clause 60 outlines the phased commencement timings of the provisions, ensuring that they commence at an appropriate time. Some of the provisions will commence upon Royal Assent, or two months after Royal Assent, allowing the Government to begin implementing the regime without delay. That includes powers for the Secretary of State to lay important secondary legislation required to operationalise some measures in the Bill upon Royal Assent, and the power to publish a statement of strategic priorities at month two. All remaining measures will be brought into force via regulations, allowing the Secretary of State to sequence implementation in a way that is practical and proportionate, allowing for transitional arrangements and business adjustments. That also allows sufficient time for the implementing regulations to be made and scrutinised, and is required to make operational and implement the new, stronger framework.
Clause 61 clarifies that the Bill can be referred to as the Cyber Security and Resilience (Network and Information Systems) Act 2026 once passed.
Question put and agreed to.
Clause 59 accordingly ordered to stand part of the Bill.
Clauses 60 and 61 ordered to stand part of the Bill.
New Clause 2
Register of foreign powers for the purposes of Part 4
“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.
(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –
(a) which have been confirmed by GCHQ as having—
(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,
(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or
(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,
(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In this section, “foreign power" means–
(a) the sovereign or other head of a foreign state in their public capacity;
(b) a foreign government, or part of a foreign government;
(c) an agency or authority of a foreign government, or of part of a foreign government;
(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or
(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—
(i) hold those posts as a result of, or in the course of, their membership of the party, or
(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”
This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.—(Dr Spencer.)
Brought up, and read the First time.
The Chair
With this it will be convenient to discuss the following:
New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk—
“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –
(a) from activities undertaken outside of the UK, or
(b) from foreign owned or controlled infrastructure or locations within the UK.
(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –
(a) the findings and conclusions of the review conducted under subsection (1), and
(b) the Government’s plan for addressing the risks identified.
(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –
(a) a review has been conducted under subsection (1), and
(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”
This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.
New clause 13—Statement on risks posed to systems by foreign interference—
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.
(2) Any statement under this section must—
(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;
(b) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains,
(iv) procurement processes, and
(v) the use of, or reliance on, foreign technologies or systems;
(c) include a specific focus on government digital procurement processes.
(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”
This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.
New clause 15—Review of high-risk bodies—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
“relevant body” means—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;
“network and information systems” has the meaning given by section 24(1).”
This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.
Dr Spencer
New clause 2 contains an obligation for the Secretary of State to establish and maintain by regulation a list of foreign powers presenting a significant cyber-security risk to the UK. The list must include states that have been confirmed by GCHQ as having perpetrated a cyber-attack, whether by a state department, agency or affiliate, on the UK in the preceding seven years. It must also include foreign powers that GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.
New clause 3 would compel the Secretary of State to review and report to Parliament on the risk to networks and information systems posed by foreign powers appearing on the register under new clause 2, with specific regard to activities undertaken from abroad and the risk posed by locations or premises controlled by those states in the United Kingdom. New clauses 13 and 15, in the name of the hon. Member for Henley and Thame, look as if they have been tabled in the same spirit of genuine concern about the risk of foreign hostile state interference and control in critical systems and supply chains.
There is an established precedent in UK legislation for maintaining registers or lists of hostile state actors and other entities presenting a threat to our national security for use by Government. That includes the foreign influence registration scheme under the National Security Act 2023, which came into effect last year. Russia and Iran were placed on an enhanced tier of the scheme, which applies to foreign powers considered to pose a risk to the UK’s safety or interests. The Government said that that was in response to those countries being identified as presenting an elevated national security risk. China was conspicuous by its absence, despite the director of GCHQ having confirmed in 2024 that her organisation devotes more resource to China than to any other single mission.
Chris Vince
The shadow Minister will forgive me for taking the opportunity to defend the Government and the Prime Minister; I was not expecting to do that in this Committee this week. I reassure Members across the House that this Prime Minister and Government put national security first. The shadow Minister will know that intelligence agencies have been consulted about the relocation of the Chinese embassy. He will also be aware that the proposed new site at Royal Mint Court is actually further away from this place than the current site.
Dr Spencer
Frankly, I find it astounding that, according to my understanding, in response to the planning decision being granted our security services said that they would take measures to start moving sensitive digital cables. It strikes me that a decision about sensitive digital cables should have been pertinent to the planning application in the first place.
The Government remain reluctant to name China as a threat to UK national security, despite the overwhelming and growing portfolio of evidence. In case the Government are still in any doubt, we need look only at the oral testimony given to this Committee by the Inter-Parliamentary Alliance on China for a clear picture of the role of China and its state affiliates at the forefront of the cyber-security threats to our critical sectors.
Given that established and growing threat, new clause 3 would compel the Secretary of State to review, among other matters, the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. In the Commons debate on the embassy application in June last year, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) reminded the Minister for Housing and Planning that the Government’s own cyber-security experts, Innovate UK, have warned about the threat to the City of London from the embassy. My hon. Friend made specific reference to the Wapping telephone and internet exchange that would be surrounded on three sides by this new embassy—not to mention the fibre cables I referred to earlier, which carry highly sensitive information and run beneath this site.
Chris Vince
I recognise that the shadow Minister cares passionately about the security of this country—as do I, which is why we are discussing the Bill. But does he not recognise that the site was purchased by the Chinese Government in 2018? There is a potential threat whether or not the new embassy is built there.
Dr Spencer
I do not want to repeat the discussion that we had a moment ago. I think it is complete lunacy to permit the building of a super-embassy—one of the biggest in the region—next to highly critical data transmission. I am also concerned by media reports that the Prime Minister’s recent visit to China was greenlighted only following the final approval of the embassy. I am deeply depressed that, following the visit, Jimmy Lai has been effectively sentenced for life. I respect the tone and constructive way in which the hon. Member for Harlow approaches this debate, but it is fair to say that the Government are sadly weak on standing up to hostile state actors such as the Chinese Communist party.
As I said at the start, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical cyber-security risks to the nation. I therefore submit that the new clauses are a vital addition to the Bill to focus the attentions of the Secretary of State to ensure that her functions under part 4 are carried out in the best interests of our national security. No responsible Government would or should vote against such provisions. Parliament should make it crystal clear that the Chinese Communist party is a threat to the United Kingdom. We must support new clauses 2 and 3.
Ordered, That the debate be now adjourned.— (Taiwo Owatemi.)
Railways Bill (Fourteenth sitting)
(4 days, 6 hours ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 0 / Noes: 0 - Smith, Sarah
The Committee divided: - Ayes: 1 / Noes: 9 - Question accordingly negatived.
The Chair
With this it will be convenient to discuss the following:
Government amendments 187 to 199.
Schedule 3.
Clause 88 stand part.
Keir Mather
Clause 87 points towards schedule 3, which contains minor and consequential amendments arising from the Bill. The Bill has broadened its scope, and much of the related previous legislation will need altering slightly. These minor and consequential amendments allow for the necessary changes and updates to be made, and will help propel the Bill forward. I therefore commend the clause and schedule 3 to the Committee.
Amendments 188, 191 to 193 and 196 to 199 in my name are consequential amendments to the Railways Act 1993, the Railways Act 2005 and the Greater London Authority Act 1999 that reflect the removal of franchising. The new provisions about railway passenger services and the creation of GBR. For example, it was necessary to make some amendments to the closures regime in the 2005 Act as it was aligned with the franchising system in the 1993 Act, whereas we now need it to align with the Bill. Importantly, there is no change to the outcome to the closures process, and the role of the ORR and Ministers is not changing.
Amendment 190 ensures that documents sent in accordance with the Railways Act 1993 and the Bill can be sent electronically. It is a common and standard amendment to reflect technological developments. Amendments 187, 189, 194 and 195 remove provisions that are no longer necessary.
The last thing I will address in this group is clause 88, which I commend to the Committee. It will give the Secretary of State powers to make amendments that are consequential to the Bill. That will ensure that the statute book is tidy and appropriately reflects the changes the Bill makes. I stress that this power cannot be used to make policy changes and is intended only to ensure that the outcomes of the Bill are not hindered or confused by existing legislation that should have been consequentially amended.
Keir Mather
I thank the shadow Minister for that.
Question put and agreed to.
Clause 87 accordingly ordered to stand part of the Bill.
Schedule 3
Minor and consequential amendments
Amendments made: 186, in schedule 3, page 70, line 27, at end insert—
“7A In section 18, omit subsection (6A).”
This amendment removes provision about franchised and operator of last resort services, which will no longer be necessary.
Amendment 187, in schedule 3, page 70, line 28, at end insert—
“8A In section 22(1), omit ‘or Schedule 4A to this Act’.
8B In section 22C(2), for ‘, subsection (1) above or Schedule 4A to this Act’ substitute ‘or subsection (1) above’.”
This amendment removes provision referring to Schedule 4A to the Railways Act 1993, in consequence of the repeal of that Schedule by the Bill.
Amendment188, in schedule 3, page 72, line 28, at end insert—
22A “(1) Section 130 is amended as follows.
(2) In subsections (1ZA) and (1ZB), omit ‘under Welsh franchise agreements’.
(3) In subsection (1ZC)(a)(ii), omit ‘under a Welsh franchise agreement’.
(4) In subsection (1A), for paragraphs (a) and (b) substitute—
‘(a) a Scotland-only service; or
(b) any other railway passenger service provided or secured to any extent by the Scottish Ministers.’.”
This amendment makes changes to the penalty fare provisions of the Railways Act 1993 that reflect the way passenger services will be provided under Part 2 of the Bill.
Amendment 189, in schedule 3, page 72, line 34, at end insert—“23A Omit section 136.”
This amendment repeals section 136 of the Railways Act 1993, which is no longer necessary.
Amendment 190, in schedule 3, page 73, line 12, at end insert—
“24A (1) Section 149 is amended as follows.
(2) In subsection (1)—
(a) after ‘this Act’ insert ‘or the Railways Act 2026’,
(b) after paragraph (a) insert—
‘(aa) by sending it to the person by agreed electronic means (for example, by email to an agreed address); or’, and
(c) in paragraphs (b) and (c), after ‘paragraph (a)’ insert ‘or (aa)’.
(3) After that subsection insert—
‘(1A) Subsection (1)(aa) does not apply in relation to a document required or authorised by virtue of sections 118 to 120 or 149A to be given or served by the Secretary of State to or on any person.’
(4) After subsection (3) insert—
‘(3A) A notice sent to a person by electronic means is, unless the contrary is proved, to be treated as having been given on the working day immediately following the day on which it was sent.’
(5) At the end of subsection (5) insert—
‘“working day” means any day other than—
(a) a Saturday or a Sunday,
(b) Christmas Day or Good Friday; or
(c) a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.’”
This amendment allows for the electronic service of documents under the Railways Act 1993 and the Bill.
Amendment 191, in schedule 3, page 73, line 13, at end insert—
“25A (1) Schedule 6 is amended as follows.
(2) Omit paragraph 1(aa).
(3) In paragraphs 3, 7(2) and (4), 8, 9 and 10(5), for ‘appropriate national authority’, in each place it occurs, substitute ‘Secretary of State’.
25B In paragraph 1(1) of Schedule 11, in the definition of ‘eligible person’, in paragraph (a)(ii) for the words from ‘or a body’ to ‘agreement’ substitute ‘, Great British Railways or a subsidiary of Great British Railways’.”
This amendment makes consequential amendments of the provision about railway administration orders and provides for employees of Great British Railways and its subsidiaries to be eligible persons for the purposes of pension schemes.
Amendment 192, in schedule 3, page 73, line 34, at end insert—
“27A (1) Section 163 is amended as follows.
(2) In subsection (4A)—
(a) for ‘Network Rail Limited’, in each place it occurs, substitute ‘Great British Railways’;
(b) for ‘Network Rail’, in both places it occurs, substitute ‘Great British Railways’.
(3) In subsection (8)—
(a) in the definition of ‘land used by Network Rail’, for ‘Network Rail’, in each place it occurs, substitute ‘Great British Railways’;
(b) omit the definition of ‘Network Rail’.”
This amendment amends provisions of the Greater London Authority Act 1999 to reflect the new role of GBR.
Amendment 193, in schedule 3, page 73, line 36, leave out from “(1)(a)(ii)” to the end and insert
“for ‘franchise agreements,’ substitute ‘a public service contract awarded as mentioned in section 31(2) of the Railways Act 2026,’”.
This amendment provides for the duty to co-operate for the purpose of co-ordinating public transport for travel to and in Greater London to apply in relation to services provided under a public service contract awarded under clause 31(2).
Amendment 194, in schedule 3, page 74, line 2, at end insert—“29A Omit section 205.”
This amendment repeals a spent provision of the Greater London Authority Act 1999 relating to franchise agreements.
Amendment 195, in schedule 3, page 74, line 8, at end insert—
“32A Omit sections 3 and 4.”
This amendment repeals provisions of the Railways Act 2005, which are no longer required due to the provision made by this Bill.
Amendment 196, in schedule 3, page 74, line 11, at end insert—
“33A In section 6, omit subsections (5), (6) and (8).
33B (1) Section 8 is amended as follows.
(2) Omit subsections (1), (7) and (8).
(3) In subsection (2) omit—
(a) ‘also’; and
(b) ‘otherwise than under franchise agreements’.
(4) In subsection (5), omit ‘(1) or’.
(5) In the heading, omit ‘Franchising and’.
33C (1) Section 10 is amended as follows.
(2) Omit subsections (1), (3), (6), (10) and (11).
(3) In subsection (4) omit—
(a) ‘also’; and
(b) ‘otherwise than under franchise agreements’.
(4) In subsection (8), omit ‘(3) or’.
(5) In the heading, omit ‘Franchising and’.”
This amendment and amendments 197 and 198 amend provisions of the Railways Act 2005 to account for changes made by this Bill, in particular the ending of the franchise system.
Amendment 197, in schedule 3, page 74, line 12, at end insert—
“34A Omit section 16.
34B Omit section 18.
34C Omit section 20.
34D (1) Section 22 is amended as follows.
(2) In subsection (1)(a), for the words from ‘in’ to the end substitute ‘under section 31 of the Railways Act 2026;’.
(3) Omit subsection (10).
(4) In the heading, omit ‘non-franchised’.
34E (1) Section 23 is amended as follows.
(2) In subsection (1)(a), for the words from ‘in’ to the end substitute ‘under section 31 of the Railways Act 2026;’.
(3) Omit subsection (8).
(4) In the heading, omit ‘non-franchised’.
34F (1) Section 24 is amended as follows.
(2) In subsection (2)(a), for ‘a franchised service’, substitute ‘a service provided under section 31 of the Railways Act 2026’.
(3) In subsection (7), omit ‘franchise agreement or any other’.
(4) For subsection (9) substitute—
‘(9) The duty of the national authority under subsection (8) is discharged without its taking further steps so long as the provisions of any arrangements, in force at the time of the proposal, so far as they require the provision of the services, continue in force without modification.’
(5) In the heading, omit ‘franchised or’.
34G In section 32(12)—
(a) omit ‘franchise agreement or other’;
(b) in paragraph (a), omit ‘franchised service or’;
(c) in the words after paragraph (b), omit ‘agreement or’.
34H In section 34(2B), omit ‘under a Welsh franchise agreement’.
34I In section 35(6C), omit ‘under a Welsh franchise agreement’.
34J For section 36(7) substitute—
‘(7) Where a service is designated as experimental or its designation is extended, the person designating must give notice of the designation or extension to the person who is to provide the service.’
34K (1) Section 37 is amended as follows.
(2) In subsection (1)(a), for ‘a franchise agreement under which’ substitute ‘arrangements under which it is required that’.
(3) In subsection (2)(a), for ‘a franchise agreement’ substitute ‘arrangements of the type mentioned in subsection (1)(a)’.
34L In section 38(2A), omit ‘under a Welsh franchise agreement’.
34M In section 39, omit subsections (1) to (3).
34N (1) Section 40 is amended as follows.
(2) For subsections (4) and (5) substitute—
‘(4) For the purposes of this section the appropriate national authority is—
(a) in a case where the railway passenger service that is interrupted or discontinued is a service which may be designated under section 25 of the Railways Act 2026, the Secretary of State;
(b) in a case where the railway passenger service that is interrupted or discontinued is a service which may be designated under section 26 of that Act, the Scottish Ministers;
(c) in a case where the railway passenger service that is interrupted or discontinued is a service which may be designated under section 27 of that Act, the Welsh Ministers,
and where in any case there is more than one appropriate national authority they shall each have the powers conferred by this section.’
34P (1) Section 41 is amended as follows.
(2) In subsection (2), after ‘Passenger Transport Executive,’ insert ‘a mayoral combined authority, a mayoral combined county authority,’.
(3) In subsection (4), in both places it occurs, after ‘Passenger Transport Executive’, insert ‘, mayoral combined authority or mayoral combined county authority’.
34Q In section 42(1B), omit ‘under a Welsh franchise agreement’.
34R (1) Section 45 is amended as follows.
(2) In subsection (1)—
(a) at the appropriate place, insert—
‘“mayoral combined authority” and “mayoral combined county authority” have the same meanings as in the English Devolution and Community Empowerment Act 2026;’
(b) in the definition of ‘railway funding authority’, after paragraph (d) insert—
‘(da) a mayoral combined authority;
(db) a mayoral combined county authority;’;
(c) in the definition of ‘secured service’ omit paragraph (a).
(3) In subsection (5A) omit ‘under a Welsh franchise agreement’.
(4) In subsection (8), at the end insert ‘or in an Act or a Measure of Senedd Cymru’.”
See the explanatory statement for amendment 196.
Amendment 198, in schedule 3, page 74, line 13, at end insert—
“35A For section 48(4) substitute—
‘(4) In this section “relevant Scottish service” means—
(a) a Scotland-only service;
(b) a railway passenger service that is provided to any extent under section 31(3) of the Railways Act 2026; or
(c) a station service provided in relation to a station in Scotland at which services falling within paragraph (a) or (b) make a scheduled call.’
35B For section 48A(4) substitute—
‘(4) In this section “relevant Welsh service” means—
(a) a railway passenger service that is provided to any extent under section 31(4) of the Railways Act 2026; or
(b) a station service provided in relation to a station at which only services falling within paragraph (a) make a scheduled call.’”
See the explanatory statement for amendment 196.
Amendment 199, in schedule 3, page 74, line 14, at end insert—
“36A Omit Schedule 4.
36B In paragraph 3(2) of Schedule 7, after paragraph (e) insert—
‘(ea) if the proposal affects its area, a mayoral combined authority;
(eb) if the proposal affects its area, a mayoral combined county authority;’”—(Keir Mather.)
This amendment amends the Railways Act 2005 to make consequential provision related to the functioning of GBR.
Schedule 3, as amended, agreed to.
Clause 88 ordered to stand part of the Bill.
Clause 89
Regulations
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Government amendment 200.
Clauses 90 to 93 stand part.
Keir Mather
Clause 89 provides clarity on the regulations that may be made under the powers granted by this Bill by listing the procedures that will apply to them.
Amendment 200, in my name, provides a definition of passenger transport executive for an integrated transport area. This is required in the Bill, as provisions elsewhere repeal a definition included in the 1993 Act that could otherwise have been relied on.
Passenger transport executives were established by the Transport Act 1968 to provide and coordinate public transport across modes in major urban areas. The evolving landscape of devolution has seen some authorities choose to absorb passenger transport executive functions into their mayoral combined authorities. However, the Greater Manchester, Liverpool City Region and North East combined authorities have chosen to retain separate passenger transport executives to deliver transport functions. This is a technical amendment, consistent with existing policy. It provides certainty for areas in England that still operate passenger transport executives, and supports wider Government commitments to close collaboration with local partners. I encourage Members to support it.
I will now address clauses 90, 91, 92 and 93. Clause 90 provides definitions and explanations of the words and phrases used in the Bill. Clause 91 sets out that the Bill extends to England, Wales and Scotland, and that clause 86, on the Luxembourg protocol, also extends to Northern Ireland. Clause 92 sets out the details of when a number of clauses will come into effect; clauses 85, 86, 88 to 91, 92 and 93 will all come into force on the day that the Bill receives Royal Assent, while the remaining provisions will come into force on the day, or days, set by the Secretary of State in regulations. Clause 93 sets out that this Bill, once it has become an Act, can be known as the Railways Act 2026.
For the very final time, I commend the clauses to the Committee.
Jerome Mayhew
Before I respond to that, Mr Western, is this my last opportunity to speak in the Committee?
Jerome Mayhew
In that case, these are all straightforward ancillary parts to the Bill, and I have no comments to make.
Question put and agreed to.
Clause 89 ordered to stand part of the Bill.
Clause 90
General interpretation
Amendments made: 200, in clause 90, page 53, line 12, at end insert—
“‘Passenger Transport Executive for an integrated transport area’ means a body which is the Passenger Transport Executive for an integrated transport area for the purposes of Part 2 of the Transport Act 1968;”
This amendment defines Passenger transport executive for an integrated transport area for the purposes of the Bill.
Amendment 263, in clause 90, page 53, line 31, at end insert
“, except in relation to the expression ‘wholly owned by the Crown’ (as to which see section 151(2) of the Railways Act 1993)”.—(Keir Mather.)
This amendment provides for the meaning in the Bill of “wholly owned by the Crown” to be that given by section 151(2) of the Railways Act 1993.
Clause 90, as amended, ordered to stand part of the Bill.
Clause 91
Extent
Amendments made: 201, in clause 91, page 53, line 32, at end insert—
“(A1) This Act extends to England and Wales and Scotland only, subject to subsections (A2) to (1).
(A2) Section 86 and this Part extend also to Northern Ireland.
(A3) His Majesty may by Order in Council provide for any of the provisions of section 86 and this Part, or any regulations under that section (whether made before or after the making of the Order in Council), to extend with or without modifications to the Isle of Man.
(A4) The power under subsection (A3), so far as relating to regulations, includes power to provide for the regulations as amended from time to time to extend as mentioned in that subsection.”
This amendment allows clause 86 and regulations under it to be extended to the Isle of Man by Order in Council.
Amendment 202, in clause 91, page 53, line 35, leave out subsection (2).—(Keir Mather.)
This amendment is consequential on amendment 201.
Clause 91, as amended, ordered to stand part of the Bill.
Clauses 92 and 93 ordered to stand part of the Bill.
Question proposed, That the Chair do report the Bill, as amended, to the House.
Jerome Mayhew
I am not going to suggest that we do not progress the Bill to its next stage, because I am not sure I would win that vote, but I want to take this opportunity to thank the Minister for the constructive approach that he has taken to addressing the various amendments and new clauses that the Opposition and the Liberal Democrats—I hope I can speak for them, too—have tabled. I am surprised that he did not adopt a single one of them, but he dealt with them in an unfailingly courteous and thoughtful manner, and I am very grateful to him.
I am also grateful to the Chairs—including you, Mr Western—for agreeing to hold the ring, and to the Clerks, who have done an excellent job helping us to navigate a process that, for me, anyway, is just as complex and confusing at the end of the Committee’s proceedings as it was at the beginning. That must make me a very slow learner.
Finally, I am grateful to all the Committee members, particularly those on the Government Benches. Having sat there myself for what felt like years, I know that it is deeply frustrating to be told by the Whips not even to intervene, let alone make a speech, while the shadow Minister expands at length. There are reasons why we do it, and I hope that those Government Members who have been on this side of Committees will remember them, but I am very grateful for the patience that they have shown me and for the work that they have done with the Committee as a whole.
With that, I am happy for the Bill to progress to the next stage.
Olly Glover (Didcot and Wantage) (LD)
It is a pleasure to serve under your chairship, Mr Western, during the final hour of this Bill Committee. May I briefly associate myself with the remarks of the shadow Minister? I thank everybody for their courteous and warm-spirited approach to proceedings, and I thank all the Chairs and the Public Bill Office for all their assistance.
Keir Mather
May I begin by thanking everyone personally for the way that they have conducted themselves and approached the Bill? As a relatively new Minister taking on my first major piece of legislation, I have appreciated enormously the constructive approach of Members across the Committee. I want to read into the record my personal thanks, in particular, to those on the Government Benches: my hon. Friends the Members for Beckenham and Penge, for Bexleyheath and Crayford, for South Dorset, for Truro and Falmouth, for Wrexham, for Derby South, for Hyndburn and for Birmingham Northfield, as well as the Comptroller of His Majesty’s Household, my hon. Friend the Member for Barking, and the Under-Secretary of State for Transport, my hon. Friend the Member for Nottingham South.
I extend my thanks to the shadow Minister, who has worked assiduously to bring forward a number of constructive proposals, which, by virtue of us having had the opportunity debate them at length, I think have teased out interesting questions about how the Bill will progress, provided an important buttress against pre-conceived notions and allowed us to explore some of the issues in depth. I thank him for the constructive way in which he has engaged in the process.
Although he is not in his place, I thank the right hon. Member for Melton and Syston, who approached the Committee in his good-natured way, and I thank the hon. Member for South West Devon, who made many valid and respected contributions. The hon. Member for Didcot and Wantage certainly kept me on my toes on all aspects of railway nerdery—buttressed by his hon. Friend the hon. Member for West Dorset—and I thank him for it. The hon. Member for Isle of Wight East was characteristically forensic in his scrutiny of specific aspects of the Bill, and I thank him for his hard work.
May I also thank my Bill team, who have done an incredible amount of hard work over many months, predating my occupancy of this role, to make this piece of legislation possible? It is enormously appreciated. I thank all the Doorkeepers for facilitating our Divisions and keeping us safe; the Clerks for their assiduous work; and all the Chairs who have been in charge of our proceedings.
It falls to me finally to say that regardless of individual Members’ perspectives on the merits and demerits of certain aspects of the Bill, it is one of the most consequential pieces of railways legislation that have come before this House in the last century. I am very proud to have been a part of it, and I have enjoyed it very much because of the contributions of everyone in this room. Thank you, all.
Question put and agreed to.
Bill, as amended, accordingly to be reported.