Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)
Tuesday 10th February 2026
(5 days, 20 hours ago)
Public Bill CommitteesCyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
The Chair
Good morning, everyone. I remind Members to send their speaking notes via email to Hansard and to switch electronic devices to silent. Beverages are not allowed. I ask people to speak clearly and precisely for the benefit of other colleagues and Hansard. Were they to give an early indication that they wish to speak, that would be much appreciated.
Lincoln Jopp (Spelthorne) (Con)
On a point of order, Dr Murrison. In Thursday’s session, I asked the Minister why pupil data was not within the remit of this Bill. He said:
“On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.” ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 5 February 2026; c. 137.]
Since then, I have been researching any action taken in respect of the Government’s cyber-security strategy and the cyber action plan, and can find no record of them dealing with the issue of pupil data. I wonder whether, this morning, the Minister could specify what he meant last Thursday or commit to coming back to the Committee with that detail.
The Chair
I am sure that the Minister will have heard what the hon. Member has said. He may wish to reflect on it, but it is not really a matter for the Chair. Nevertheless, it is on the record.
Lincoln Jopp
On a point of order, Dr Murrison. Yesterday, I spoke in a petition debate in Westminster Hall. The petition was signed by 114,000 members of the public calling for a public inquiry into Russian influence in British democracy. In researching my response on behalf of His Majesty’s Opposition, I came upon the Government’s statement about this Bill, which said that it would
“require organisations in critical sectors to further protect their IT systems”.
The split infinitive notwithstanding, I do not believe that the Bill requires any organisations in critical sectors to further protect their IT systems. If the Minister thinks that the Government are correct in saying that, would he like to direct us to that requirement in the Bill?
The Chair
Once again, if the Minister wishes to respond to that, it is open to him to do so. The hon. Member for Spelthorne, who is very adept at these things, will be able to weave any further comments he might have into his contributions during our proceedings.
Clause 15
Reporting of incidents by regulated persons
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss:
Clause 16 stand part.
New clause 6—Inclusion of ransomware attacks in the NIS Regulations—
“In regulation 1(2) (interpretation) of the NIS Regulations—
(a) in the definition of ‘incident’, after ‘systems’ insert ‘or a ransomware attack which is targeted at the security of network and information systems’;
(b) after the definition of ‘online search engine’ insert—
‘ransomware attack’ means a cyber-attack involving a type of malicious software that infects a victim's computer systems, can prevent the victim from accessing systems or data, impairs the use of systems or data or facilitate theft of data, and in relation to which a ransom is demanded for access to be restored or for data not to be published.”
This new clause would include ransomware attacks in the definition of “incident” in the NIS Regulations.
New clause 7—Impact of reporting requirements on relevant bodies—
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish and lay before Parliament—
(a) a review of the impact, on relevant bodies, of—
(i) the requirements relating to the notification of incidents in Parts 3 and 4 of the NIS Regulations (as amended by this Act); and
(ii) any additional incident notification requirements made by regulations under this Act; and
(b) proposals for the creation of a single cyber incident reporting channel for relevant bodies.
(2) A review under this section must consider –
(a) the costs of requirements on relevant bodies; and
(b) interactions with other incident reporting regimes.
(3) In this section, ‘relevant bodies’ means operators of essential services, critical suppliers or digital service providers, as defined by the NIS Regulations.”
This new clause would require the Secretary of State to review the impact of incident reporting requirements on relevant bodies, and to set out proposals for a single incident reporting channel.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will begin by discussing clauses 15 and 16. Clause 15 updates the incident reporting provisions in the Network and Information Systems Regulations 2018. Under the current regulations, organisations are required to report incidents only once they have had a significant impact on service continuity. It is widely recognised that this is too narrow, and results in a range of concerning incidents going unreported and a distorted picture of how secure and resilient the UK’s essential services actually are.
To take two examples: a ransomware attack where confidential data has been exfiltrated from an organisation without an immediate impact on service would not be reportable; nor would a pre-positioning attack, where a hostile actor has hacked into a network and is in a position to cause significant disruption down the line, such as to the provision of drinking water. That cannot be right, and does not reflect the cyber-threats that critical services face.
To ensure such incidents are caught, the clause sets a new, wider definition of incidents that must be reported. The focus is now on incidents that have successfully affected the security or operation of an organisation’s network and are likely to have a significant UK impact, which will ensure that regulators and the National Cyber Security Centre are fully aware of the range of cyber-threats affecting the UK’s essential services.
The Bill sets out the factors that should be considered when assessing whether an incident has had, or is likely to have, a significant impact in the UK—including, crucially, whether the confidentiality, authenticity, integrity and availability of data has been compromised. The Government will provide further clarity in secondary legislation, setting out thresholds for each sector for when an incident is considered to have had, or be likely to have, a significant impact. That will be consulted on before it is introduced. Taken together, it means that only meaningful incidents are reported. Over-reporting has been a concern raised by hon. Members throughout the Bill’s progress, so I stress this point: things such as unsuccessful phishing emails will clearly not be reportable, as they would not be likely to have a significant impact.
Given our economy’s systemic dependence on data centre facilities, for that sector alone we will also ensure that Ofcom and the NCSC receive reports on a wider range of potential incidents and near misses. That ensures that not only immediate disruptions but incidents posing future risks are reported.
Clause 15 also streamlines the reporting process for all NIS sectors. It ensures that incident notifications and reports go to the NCSC at the same time as the regulator. It also sets out what those organisations can do with the information they receive, including how the information can be shared to manage the wider impacts of an incident or prevent future incidents. Finally, the clause introduces faster reporting, so that the NCSC and regulators are informed within 24 hours of entities becoming aware that a reportable incident is taking place.
The 24-hour notification will be light touch, but will enable the NCSC and regulators to offer faster support to minimise the negative impacts of the incident. Fuller details will need to be reported within 72 hours of the entity becoming aware that a reportable incident is happening. The changes will protect the UK’s essential services, ensuring that the NCSC and regulators are able to provide the best support that they can.
Clause 16 sets out requirements for managed service providers, relevant digital service providers, and operators of data centres to inform customers who are likely to have been adversely affected by a reportable incident. Under the current regulations, there is no requirement for any regulated entity to inform its customers if it has been impacted by a reportable incident. That may have made sense when the NIS regulations were more heavily focused on operators of essential services and the primary concern was service disruption, but it would be an inexcusable omission now that the Bill is expanding to include managed service providers and operators of data centres, in addition to the digital service providers already in scope.
These are organisations that, if compromised, could leave their customers’ systems, data or services exposed or inaccessible. In such circumstances, it is vital that their customers are notified, so that they can take whatever steps they need to in order to mitigate those risks.
Bradley Thomas (Bromsgrove) (Con)
I have two points for the Minister to address. First, could he clarify whether an organisation would face repercussions if a regulator believed in retrospect that notification should have been provided sooner? Secondly, on customer notification, can the Minister address the concern around striking the right balance between informing the customer and ensuring that the update that they receive is meaningful and not so vague that it causes further distress or worry?
Kanishka Narayan
I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.
On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.
Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.
Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
New clauses 6 and 7 sit together and are linked by the same practical concern regarding clarity and workability when an incident is unfolding.
I will start with new clause 6. Ransomware is no longer an occasional or unusual cyber-event; it is now one of the most common and disruptive threats facing essential services, digital providers and their supply chains. Written evidence to this Committee was clear that ransomware incidents are now routine, high-impact events, and that uncertainty at the outset of an attack often makes the consequences worse. The Bill rightly broadens the definition of an incident to capture events that are capable of causing harm, not just those that already have. That is the right direction of travel, but when organisations are under pressure, particularly in the first 24 hours of an incident, uncertainty slows action. Time is lost debating definitions rather than focusing on containment, escalation and reporting.
New clause 6 addresses that problem directly. It makes it explicit that a ransomware attack is an incident for the purposes of the NIS regulations, and sets out clearly what is meant by ransomware attack. It would not create a new duty; it would remove doubt from an existing one. Clear definitions support better behaviour when organisations are operating under real pressure.
New clause 7 follows naturally from that point. If we want faster and clearer reporting, the system into which organisations are reporting has to work in practice, not just on paper. The Bill expands reporting requirements and introduces new notification duties. That is understandable, but UK Finance told the Committee that many firms already support cyber-incidents under multiple regulatory regimes and that additional reporting layers risk duplication rather than resilience. When an incident is live, that duplication causes friction, slows the response and increases costs. It can reduce the quality of information being shared because teams are stretched across parallel processes rather than focused on managing the incident itself.
We do not seek in new clause 7 to reopen the policy intent of the Bill; the new clause would require a review, once these changes are in force, of how the reporting requirements are working in practice. That review would consider costs and interactions with other reporting frameworks. The new clause would also require that proposals for a single cyber-incident reporting channel be published. That is not a bureaucratic exercise; it reflects concerns raised in evidence that resilience is undermined, not strengthened, when reporting becomes fragmented at moments of stress.
Taken together, new clauses 6 and 7 are about making the system clearer at the front end and more usable overall. Clear definitions encourage timely reporting and coherent reporting channels make that reporting effective. I hope that the Committee will give serious consideration to both new clauses.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Dr Murrison, and it is always a pleasure to follow my hon. Friend the Member for Bognor Regis and Littlehampton. I will speak to clauses 15 and 16 and to new clauses 6 and 7, tabled in my name on behalf of His Majesty’s loyal Opposition.
The previous Government stated in their consultation covering the subject of cyber-incident reporting that security breaches that did not result in a successful attack could still leave organisations open to follow-up attacks. It was identified that reporting how the breach took place would also allow regulators and other organisations to prepare for similar attacks in the future. It is therefore a welcome development that clause 15 significantly increases the scope and speed of cyber-incident reporting by regulated entities to competent authorities and the NCSC.
That increase in scope is achieved by broadening the definition of reportable incidents from the current position, where only cyber-attacks having an actual adverse effect are reportable, to a position to where cyber-incidents that are capable of having an adverse effect on the operation or security of network and information systems must also be reported. The Government’s explanatory notes for the Bill state that this change in definition
“is designed to include incidents that have compromised the integrity or security of a system without causing significant disruption yet, but that could have potential significant impacts in the future.”
This has been broadly welcomed by industry stakeholders as a measure that should provide regulators with greater intelligence about emerging threats, leading to improved risk management and hardened resilience in their sectors.
On the importance of intelligence gathering, we heard evidence from David Cook of DLA Piper and Chung Ching Kwong of the Inter-Parliamentary Alliance on China, among others, about the increasing use of prepositioning and “live off the land” technologies deployed by malicious actors. Once systems are infiltrated, attackers remain in systems, sometimes harvesting data, waiting for the moment when they can cause maximum harm and disruption. Those serious risks should be flagged to regulators wherever they are identified.
Dr Sanjana Mehta of ISC2 described problems of underreporting in relation to the existing NIS regulations regime, and welcomed the principle of expanding reporting, as did Jill Broom of techUK. However, both cautioned that while some high-level factors have been provided as to the criteria indicating whether an attack should be reported, such as the number of users, impact, duration of interruption and geographical reach, what is not clear at present are the thresholds that are linked to those criteria. Those details are vital if reporting is to be successful in ensuring that regulators are kept appraised of the most serious threats.
Dr Mehta summarised that concern succinctly in her comment:
“In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators”. ––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 16, Q14.]
Likewise, techUK has stated in its written briefings on the Bill that
“technically any phishing email is ‘capable of’ having a significant impact if the organisation lacks adequate detection or response capabilities. This will lead to over-reporting of low-level incidents and potentially overwhelm regulators, thereby distracting attention from genuinely significant threats.”
As in many aspects of the Bill, the problem is not on the principle but in the detail. We heard in oral evidence about the concerns of industry and regulators regarding the availability of suitably qualified personnel to build capacity for effective regulatory oversight. We must be alive to that important consideration in ensuring that thresholds are proportionate and risk-based.
The Government have stated in their factsheets on the Bill that they intend
“to introduce thresholds through secondary legislation before this measure is brought into in force”
and after a period of consultation. They have also said that those thresholds will
“clarify the points at which we would consider the impact of an incident to be ‘significant’, and therefore reportable to regulators”.
What discussions has the Minister had to date with regulated entities and regulators about the approach to consultation on these thresholds? What is the feedback on what those organisations consider to be reporting priorities?
Chris Vince
I thank the shadow Minister for remembering my consistency—I have not mentioned Harlow. How is the new clause helpful, given the potential confusion it causes with listing a specific kind of incident as well as the generic one?
Dr Spencer
The Opposition are trying to make it clear that ransomware needs to be in the scope of the reporting. It is really for the Minister to answer if he thinks there are problems with the new clause, and if so, how the Government will go about taking that forward. The widespread and highly damaging nature of ransomware attacks—which are often perpetrated by criminal groups at scale and speed—means that regulators need to have a detailed oversight of this area to prevent those attacks from being deployed more widely. Therefore, the new clause is intended to ensure that all ransomware attacks on regulated entities are reported, regardless of severity or potential severity, so that the risks are picked up.
In tabling new clause 6, I am acutely aware of the existing reporting burden for regulated entities and regulators. Since tabling it, we have heard impactful evidence from Carla Baker from Palo Alto, who highlighted the number of cyber incidents and false positives that many companies encounter each day. As I said in response to an intervention, in the absence of measures brought forward by the Government to address the widespread and urgent risks presented by ransomware attacks—and as the Government themselves identify as part of the Home Office’s review—it would be proportionate to make specific reference to ransomware in the reporting requirements on regulated entities in the Bill.
New clause 7 reflects the concerns of regulated bodies and industry representatives who have set out many, many times—in oral evidence and beyond—the need to ensure that reporting obligations are clear and, as far as possible, simplified across the many different incident reporting regimes that exist for providers of digital services. The new clause would compel the Secretary of State to publish an assessment of the impact of the new reporting regime on regulated entities in the Bill within 12 months of Royal Assent. Importantly, in line with the clear requests articulated by many stakeholders who gave evidence last Tuesday, it requires the Government to publish proposals for the creation of a single cyber incident reporting channel for relevant bodies.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
I worked for the AI and digital regulations service in the NHS. We were linking with all of the regulators to try to have a one stop, one shop door approach to how we do things. It was incredibly difficult, and three years on we were still ironing out all the glitches. New clause 7 is laudable, but because I know how difficult it is, a 12-month proposal is a very tight timeframe in which to try to get this right.
Dr Spencer
I thank the hon. Lady for her intervention. New clause 7 puts forward an assessment of the impact. It is not intended to make definitive changes, but to give time. I have confidence in the Government and the Minister that within 12 months—it is the kiss of death to say that one has confidence at the minute, is it not? [Laughter.] I apologise to the Minister.
Dr Gardner
I will defend myself: my point was not a criticism of the Government. I just know how hard it is for regulators to work together and iron out cross-working. They were very confident in their information-sharing skills, but it is more difficult than that. It was just a kindly meant reminder that there is not an easy solution, and that 12 months is a bit of a tight timeframe.
Dr Spencer
I very much take the hon. Lady’s point and the constructive spirit in which it was presented. Twelve months is a long time for the operations of Government to function, and I have faith—I will change my words—in the Government and all of their powers if they wanted to put their minds to bringing this forward. If there are concerns about the ability of the Department for Science, Innovation and Technology to take this forward, those concerns would spill over into all of the consultation requirements that have to be met to make sure that this Bill functions in the correct way. The argument on what we are debating today could swing both ways.
Industry stakeholders have expressed strong concerns regarding the diverse incident reporting requirements that exist in several pieces of legislation, including UK GDPR, sector-specific regulation and the Telecommunications (Security) Act 2021. As we have already discussed, the Home Office may also bring forward guidelines for reporting ransomware incidents in future. Additional reporting requirements and procedures included in the Bill are viewed as adding a further layer of complexity to a legislative environment that is already very challenging to navigate. Stakeholders report that the current approach, with multiple different reporting procedures and platforms, increases regulatory compliance costs on businesses and detracts from the resources available to implement effective improvements in cyber-resilience. In view of that, will the Minister support this urgently needed review clause to assure industries that the Government have heard their serious and vital concerns on the matter?
Bradley Thomas
It is a pleasure to serve under your chairmanship, Dr Murrison.
When introducing new legislation, it is essential that those who fall under its new regulations be clearly identified and given adequate time to prepare for compliance. However, despite the aims of the Bill and the wish to avoid worsening a cyber-attack incident, the Bill still presents far too much ambiguity. It is right to recognise the cyber landscape as continuously evolving. There is no dispute that this terrain becomes increasingly complex each day, requiring a level of flexibility in legislation to ensure that it keeps pace. However, this desire to safeguard such adaptability, and the goal of future-proofing, must not come at the expense of the effectiveness of legislation in the present day.
The powers afforded to the Secretary of State to change the classification of essential activity, and to bring new sectors into scope of the Bill at any time, undoubtedly create uncertainty for many sectors and cast a shadow over long-term compliance. To be clear, we want organisations to comply with this legislation. We want to improve national cyber-resilience, gather vital intelligence and restore public confidence in our security. Why, then, would there not be a significant effort to make these regulations as easy to apply as possible, rather than leaving thousands of businesses second-guessing whether they fall within scope, with the pressure of large financial penalties hanging over their heads?
In addition, many will know that I am a firm supporter of parliamentary process. I support the notion that all legislation should receive the scrutiny it is due by the democratically elected Members of the House of Commons. That is why I believe the Bill must not only set out clearer guidelines for who is in scope, but require an official amendment, debated in the House, to permanently bring any new sectors into scope after the Bill has been passed.
I understand that, in times of emergency, the longer process of House of Commons scrutiny may not always be possible. That is why the Secretary of State should have powers to bring in sectors necessary in an emergency temporarily into scope, with less imposing of non-compliance penalties until their inclusion is made permanent by the House. Such an approach would not only allow for the quick reactions that cyber-security demands, but respect parliamentary processes and safeguard against organisations’ being unaware that they had suddenly been brought into scope until they received a potentially financially ruinous penalty notice for non-compliance.
Looking at the need for more definitive guidelines on who will be regulated under the Bill, we have already heard from numerous industry stakeholders that are unsure whether they, or other organisations in their sector, will fall within the mandatory scope. In addition, industry experts have publicly shared concerns about how far the net may be cast in some sectors, leading to the unintentional inclusion of organisations that are critical only to a single larger organisation, rather than to our national security, while ignoring other essential sectors altogether. Looking at recent cyber-attacks that have had a significant impact on our country, it is concerning that the definition of essential services may not include them within scope.
While it is predicted that many of Jaguar Land Rover’s supply chains will be in scope, it has been publicly questioned whether it will be included. As the largest car manufacturer in the United Kingdom, it directly employs over 30,000 people across the UK and supports around 100,000 jobs indirectly. It is therefore no surprise that the cyber-attack it endured, estimated to have had a financial impact of over £1 billion, was significant to many, including more than 5,000 organisations impacted and many of my constituents, with JLR being one of the largest direct and indirect employers in the west midlands region. How, then, if a key aim of the Bill is to ensure that all essential services whose disruption would profoundly impact our nation in the event of a cyber-attack report all major incidents, can the vagueness of the definition of essential services be allowed to stand—especially when it creates a situation in which previous key victims are excluded?
Of course, JLR is not the only victim where questions of inclusion remain. Also potentially falling outside the regulatory reach is Marks & Spencer, whose recent cyber-attack was another stark reminder of the rapidly advancing cyber-crimes scene and caused significant disruption, with costs estimated to run into the millions of pounds. Having met with M&S representatives recently, I had the opportunity to discuss their experience of enduring such an attack. Archie Norman, M&S chair, gave evidence to the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, where he said that “a growth economy” is “a cyber-resilient economy”.
Having a cyber-resilient UK, and making the UK the safest place to do business, is a competitive advantage. I agree with that sentiment and firmly believe that increasing our cyber-resilience can only benefit our economy. It is imperative that we get this right. These cyber-threats are not going away; they are only going to get stronger and more technically advanced. We have seen that in the past year, with the National Cyber Security Centre reporting a 50% increase in British cyber-incidents deemed highly significant. Indeed, representatives of M&S told me that, at times, they found it much easier to get updates and information from the United States FBI than they did from our own authorities. We also know that foreign hostile states are becoming bolder in their actions against us.
A few months ago—as a reason for introducing my ten-minute rule Bill, the Cyber Extortion and Ransomware (Reporting) Bill—I stated that research had revealed that 74% of UK IT leaders cited China and 71% cited Russia as their top cyber-security concerns. It is undisputable that last year’s espionage trials threw a harsh spotlight on the threatening scale of state-sponsored cyber-attacks.
Improving our national cyber-resilience, and safeguarding all our infrastructure and essential services, including in the private sector, is vital in order to secure a prosperous economy and reinforce public confidence in our ability to defend ourselves against such threats.
Emily Darlington (Milton Keynes Central) (Lab)
I have a few questions for the Minister. I appreciate the clarity that the Bill brings to many of the services in its scope. I would like to understand how the definition of “incidents” will relate to hardware vulnerabilities that are discovered within a company, as we heard from some of the people who gave evidence to the Committee. It is unclear in the Bill. Perhaps it will be further defined in secondary legislation.
I want to understand how an incident in which someone discovers a vulnerability in hardware—such as in a system-in-package—is reported, and how that information is then delivered by the regulator to other companies in the sector that may have similar technology, and to the other regulators, which may also want to flag that technology as a particular vulnerability. Is that defined as an “incident” or is it defined somewhere else in the Bill? I am a bit confused and am looking for some clarity.
Kanishka Narayan
Having been promoted from a position of mere confidence to faith, I will tackle questions from the hon. Member for Runnymede and Weybridge first and foremost. On the question of thresholds of incident, the Bill sets out the severity of the sorts of incidents that we expect reporting obligations to apply to, and at the same time it ensures that it is proportionate in understanding that sector-specific thresholds ought to be precisely that—sector specific, set closely with relevant entities in that sector, and working with the expertise of the relevant regulators. For that reason, it has not been specified more fully on the face of the Bill.
On information sharing, not only is there provision for the specific sets of purposes for which information sharing ought to take place between regulators, but there is a further check on the proportionality of that, through a particular requirement, to ensure that information that is shared in incident contexts is done precisely for the purposes set out in the Bill, and in a way that is proportionate.
My hon. Friend the Member for Milton Keynes Central raised the question of hardware impacts. While the focus of the Bill is primarily on network and information systems, the test, as I think of it, would look at whether any compromise in network and information systems related to a piece of hardware triggers the severity of the impact, or potential impact, to be reportable. In the event that it is reportable, in its severity and potential impact, it will require notification—to the regulator and, when customers are directly impacted in the way that is set out in the Bill, also to the customers. The test is focused on whether network and information systems are engaged, and whether the impact of any incident is likely to be severe enough, in light of the thresholds set out in the Bill.
Lincoln Jopp
My hon. Friend the Member for Bromsgrove raised the case of M&S, which would clearly be out of the scope of the Bill. However, it has a managed service provider, so it is a bit like the JLR case. I am still looking for some certainty as to whether JLR and M&S would come within the scope of the Bill by dint of the fact that they have managed service providers, which are within the scope. I am still not 100% clear on the answer to that question. I would be grateful for greater clarity from the Minister.
Kanishka Narayan
I hope this does offer the clarity that the hon. Member seeks. While I will not refer to specific businesses, broadly speaking the sector of food supply is not within the scope of the Bill; the obligations on operators of essential services or direct entities that are within the scope of the Bill will not apply.
However, if—in a hypothetical situation—a managed service provider within the scope of the Bill supplies to that business, the managed service provider would be within the scope of the Bill’s requirements. The customer—in this case, the food supply business—may, if the severity applies, be in receipt of reports from the relevant MSP, in this particular context. They will not be caught up in the full set of obligations in the Bill, but we would expect customers to be notified of incidents where the severity thresholds are met. I hope that gives the hon. Member some clarity.
Lincoln Jopp
I am grateful to the Minister for giving way a second time. I understand his answer, but, to be clear, if an incident that meets the severity threshold is reported to a client who is out of scope, would that bring any obligation to report in the normal way?
Kanishka Narayan
Under the provisions of this Bill alone, only the entities specified as critical suppliers or operators of essential services—the relevant digital providers and so on—would be caught up in obligations if an event occurred. Assuming neither of those is true of a food supply business, the Bill’s provisions would not apply.
At the same time, in the sort of incident that the hon. Member describes, we would expect the NCSC to be deeply engaged, assuming severity thresholds and wider risks are applied. We would work closely on that operationally and I am sure we would look at how that business could be supported more widely. But the Bill’s provisions are really focused on the sectors, and entities within those sectors, that have an immediate threat to day-to-day operations such as a potential threat to life. There are reasons, which we can get into later, as we have done previously, why we set the sectoral scope in that way.
New clause 6 seeks to clarify that a ransomware attack falls under the definition of “incident” within the NIS regulations. I share the concerns of the shadow Minister and the hon. Member for Bognor Regis and Littlehampton about the significant disruption that ransomware attacks can cause. Indeed, last year we saw the impact of the ransomware attack on Synnovis, a supplier to the NHS, which resulted in the delay of 11,000 out-patient and elective procedure appointments. The hon. Member for Bognor Regis and Littlehampton and the shadow Minister are quite right that this kind of attack should be considered an incident under the NIS regime. Because of the changes to incident reporting introduced by the Bill, I can confirm to the Committee that ransomware attacks will be in scope.
The Bill updates the definition of “incident” so that it applies to any event that has, or is capable of having, an adverse effect on the operation or security of network and information systems. Ransomware attacks already fall well within that definition. Although I welcome the principle and intent behind the new clause, its content is already addressed by the Bill. I hope that assures hon. Members across the Committee.
New clause 7 would require the Government to publish a review of the new incident reporting regime within a year of the Bill’s receiving Royal Assent. It is important that the effectiveness of the NIS regulations, including the reforms to incident reporting introduced by the Bill, should be reviewed periodically. That is why the Bill requires the Government to conduct a review and lay it before Parliament once every five years. That timeframe will enable the new regime to bed in and allow a meaningful period of time to measure change before the Government report on its effectiveness. As my hon. Friend the Member for Stoke-on-Trent South said, notwithstanding her and the shadow Minister’s confidence in me and the Government, to publish a review after only one year would risk giving an incomplete picture, as regulators and regulated entities may still be transitioning to the new processes.
The new clause would also require the Government to publish proposals for a single reporting platform for cyber-incidents, again within a year of the Bill’s passing. We have heard the clear ask from businesses to minimise the time they spend filling in different reporting templates following an attack, to ensure they can prioritise the technical response. I share the concerns of the hon. Member for Bognor Regis and Littlehampton, and we are exploring all options to enable a proportionate and efficient reporting system. That said, setting a fixed time limit of one year to develop proposals does not reflect the inherent complexity of the task and the need to get it absolutely right for the businesses in scope of the Bill, not least because the proposals will need to be rigorously evidenced, consulted on and tested. For those reasons, I am unable to accept the new clause.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16 ordered to stand part of the Bill.
Clause 17
Powers to impose charges
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.
The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.
The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.
Bradley Thomas
I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?
Kanishka Narayan
I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.
On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.
The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.
I commend the clause to the Committee.
Dr Spencer
Clause 17 will amend the NIS regulations to provide a framework for regulators to impose charges on regulated entities to recover the costs incurred by them in carrying out their supervision and enforcement functions. The Government’s explanatory factsheet supporting the Bill suggests that those changes are needed to ensure that regulators are
“better resourced to carry out their responsibilities.”
We have heard at length from witnesses in oral evidence sessions that resourcing is a key consideration for regulators in meeting their new and expanded obligations under the Bill. The concept of our regulators’ being better funded is good. However, as with much of the Bill, the lack of detail around the regulator charging model is causing uncertainty among regulated entities that would be liable to meet the associated costs.
Kanishka Narayan
The shadow Minister raised two main points that I am keen to address. The first was about ensuring that I committed to next steps on potential guidance for the charging scheme. I can confirm that the Government will issue guidance for competent authorities. That will include general directions on how the fee regime ought to be implemented. At the same time, we do not intend to be prescriptive as to how competent authorities should recover costs to benefit from their experience and practice in setting up these regimes. It is important that each regulator is able to tailor their fee regime in a way that is consistent with and complementary to the state of their sector.
Lincoln Jopp
On the subject of charging and money, has the Minister had the opportunity to revisit his own impact assessment on the basis that there might be a glitch in the matrix? It says on multiple occasions that the hourly salary for a contract lawyer is £34 an hour. When we discussed it last week, I contended that this was totally unrealistic, probably to a factor of 10.
Kanishka Narayan
I am reminded of the hon. Member’s point last week. I am happy to write to him on the basis of the precise figure in the impact assessment, which I understand to be based on not just an extensive survey but the application of subsequent uplifts. I am more than happy to continue that conversation in correspondence.
On factors that ought to be considered in setting up charging schemes, I mentioned some, such as size and turnover, but I will flag that those are suggestive and indicative rather than exhaustive factors that regulators may consider. Regulators ought to be able to set different levels of fee for different types of organisations. There is also provision to exclude organisations from a charging scheme altogether if it would be disproportionate or counterproductive to include them. It is appropriate that regulators and competent authorities can vary their charging schemes in the light of that.
On current regulatory performance and its correlation with charging schemes, I have not observed any direct correlation. What I have seen, simply, is that some regulators are clearly doing well. We heard in evidence from a range of participants that in some cases things are working particularly well and that, in others, there is more scope for improvement. That is precisely why the Bill sets no fundamental lowest common denominator for how regulators ought to approach either charging or their enforcement duties; instead, it ensures that we are conducting oversight of each regulator as robustly as possible. I assure hon. Members that the question of regulatory enforcement is central and that the motivation behind the charging scheme is precisely to ensure that regulators are well resourced to implement the Bill.
Question put and agreed to.
Clause 17 accordingly ordered to stand part of the Bill.
Clause 18
Sharing and use of information under the NIS regulations etc
Kanishka Narayan
I beg to move amendment 14, in clause 18, page 38, line 31, at end insert—
“(aa) otherwise in connection with—
(i) the security and resilience of network and information systems, or
(ii) any other matter relating to cyber security and resilience,”.
This amendment would allow NIS enforcement authorities to share information with persons listed in regulation 6(2) (inserted by clause 18), and such persons to share information with NIS enforcement authorities, for purposes relating to the security and resilience of network and information systems or cyber security and resilience.
The Chair
With this it will be convenient to discuss the following:
Government amendments 15 to 18
Clause stand part.
Kanishka Narayan
The clause introduces vital reforms to how information can be shared in the context of the NIS framework. Right now, as we have heard again and again from both hon. Members across the Committee and witnesses, the NIS regulations have limitations that restrict how and with whom information can be shared. That has serious implications for the effectiveness and efficiency of the regime including business burdens as well as the ability of the UK’s authorities to act on national security or criminal intelligence.
One important limitation in the current regulations is the inability of regulators to share information with many public authorities in the UK and vice versa. For example, NIS regulators currently cannot share information to support the evaluation of the NIS framework or policy development relating to cyber-resilience and national security. The clause addresses those concerns by enabling information to be shared between NIS regulators and UK public authorities, including the Government. That will be done for the purposes of supporting the NIS regulations as well as wider objectives alike, reducing business burdens and for national security and crime purposes.
The clause also imposes strict requirements and safeguards on how the information can be further shared. The net effect of the changes will be fewer burdens on business, better and more informed regulatory decision making, joined-up incident response and improved security for the United Kingdom.
Government amendment 14 makes targeted but important changes to the clause. It proposes a further ground for sharing information focused on wider cyber-security and resilience outside the context of the NIS regulations and NIS sectors. In practice, it means that NIS regulators will be able to share information with regulators who are responsible for overseeing the cyber-security and resilience of other vital sectors under different regulatory frameworks and vice versa.
The amendment is a crucial addition to the Bill. It means that the UK’s regulators can think holistically about the risks that their sectors are facing, the interventions they propose to take and the obligations they are placing on business. That in turn will mean better outcomes, more effective and informed incident response, more co-ordinated oversight and lower business burdens.
The amendment will be particularly important in supporting co-ordination with the financial regulators responsible for the critical third parties regime, which could be used to designate organisations already in scope of the NIS regulations such as cloud service providers. It also anticipates the need for co-ordination for other sectors, such as civil nuclear and space, in the future. In short, the amendment is necessary to ensure that UK regulators can take a more co-ordinated approach to protecting the UK’s most essential services.
Government amendments 15 to 18 are consequential on amendment 14. I urge the Committee to support the amendments, and I commend clause 18 to the Committee.
Dr Spencer
Clause 18, which the Government seek to modify through amendments 14 to 18, creates new pathways for information sharing between regulators, public authorities and Government Departments. It also creates a power for NIS enforcement authorities to share information with relevant overseas authorities for specified purposes. The new regime is intended to remove gaps and ambiguities in the existing framework governing the sharing of information obtained in the course of competent authorities and the oversight role of NCSC, and to create legal certainty in this domain.
In turn, it is anticipated that greater information sharing will assist with the detection of crime, enforcement activity and awareness of emerging cyber-risks and with ascertaining the effectiveness of the NIS regulations in building UK cyber-resilience. In particular, the Bill creates a new gateway to ensure that NIS regulators can share information with UK public authorities, and vice versa, as well as sharing and receiving information from organisations outside of the NIS framework, for example other regulators or bodies such as Companies House.
The Bill strengthens safeguards on how information can be used once it has been shared under the NIS regulations by restricting onward disclosure. More effective information sharing will be vital for competent authorities to keep up to date with emerging risks and building resilience in their sectors, and the new measures were broadly welcomed by regulators in our oral evidence session.
However, industry bodies such as techUK have called for further detail on the new information-sharing regime. What steps are the Government taking to ensure that regulators share responsibility for protecting sensitive data, and that information-sharing processes are coherent, proportionate and secure? Could the Minister elaborate on the discussions he has had with regulators on those matters, and on how secure information sharing will work in practice?
Finally, on the detail of the text in Government amendment 14, proposed new paragraph (aa)(ii) refers to persons
“otherwise in connection with…any other matter relating to cyber security and resilience,”.
Given that this is an information-sharing power, that seems a remarkably broad “any other matter” provision. What disclosures that are not already covered in the Bill does the Minister conceive will come up in that scope? What guidance or consultation will the Minister produce to make sure that such powers are proportionate and not at risk of abuse?
Emily Darlington
Again, I welcome the Government amendments and clause 18; they are important to enabling us to share our vulnerabilities in an appropriate way with those people who may be involved. However, some of the aspects of those vulnerabilities that security services—GCHQ, His Majesty’s Government Communications Centre and others—raised with us relate particularly to not only foreign interference, but the potential for interference through technology embedded in our networks. How does the Minister see the measures working within our co-operation with different foreign nations, particularly during these volatile times?
Kanishka Narayan
In response to the shadow Minister’s first question about ensuring sensitive handling of shared information and proportionality, all information handled by regulators ought to be treated carefully and with awareness of its importance. The regulators have to act reasonably, and the NIS regulations specifically require information obtained from inspections to be held securely. Of course, data protection laws apply to regulators as well. Alongside that, regulators will be required to consider the relevance and proportionality of sharing their information to the purposes set out in the Bill; as I have mentioned, the Bill includes specific purposes for why information might be shared.
Kanishka Narayan
Clause 19 sets out that regulators must provide guidance on specific issues, including security requirements and incident reporting notifications. Guidance already plays an important role in supporting the implementation of the NIS regime. We have, however, identified some areas where regulated entities would benefit from additional clarity. The clause ensures that every regulated sector has the guidance they need from their sectoral regulators to help them to comply. To ensure consistency across regulators, the clause also requires regulators to co-ordinate with each other when preparing guidance relating to designating critical suppliers. The clause also requires regulators to consider guidance published by the Secretary of State such as the code of practice when preparing guidance on the security and resilience requirements. That will ensure that regulators consider good practice recommendations and take more consistent approaches to preparing guidance.
Dr Spencer
Clause 19 amends the NIS regulations and will require regulators to publish guidance on the security and instant reporting requirements of regulated sectors. In formulating their guidance, regulators are under a duty to co-ordinate and consult with other regulators to ensure consistency as far as is reasonably possible. Relevant provisions in the code of practice, to be issued by the Secretary of State under clause 36, must also be taken into account. Newly regulated entities will, no doubt, welcome proportionate guidance on meeting obligations, and existing regulated entities will appreciate any streamlining that comes from consultation between regulators and their approach. Can the Minister provide further details about whether consultation between regulators and the Secretary of State is under way on a consistent approach to regulation?
Kanishka Narayan
As I have mentioned to the shadow Minister, the Minister for Digital Economy, the Secretary of State and I have engaged with a number of the regulators in scope here. Both those conversations, and the broader framework of this Bill, are intended to drive consistency across sectors through common security requirements, clear guidance and a statement of strategic priorities, which will set objectives that regulators must seek to achieve. I hope that is sufficient assurance not only that those conversations have started, but that they will be a fundamental focus as we ensure consistent regulation across the board.
Question put and agreed to.
Clause 19 accordingly ordered to stand part of the Bill.
Clause 20
Powers to require information
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.
While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.
New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.
Bradley Thomas
Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?
Dr Spencer
Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.
I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.
Lincoln Jopp
In terms of scope, could the Minister give us some sense, when it comes to managed service providers, whether the purpose behind this clause is to enable regulators to find out their entire client list? I would be grateful for some clarity on that point.
Kanishka Narayan
I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.
To the shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.
Dr Spencer
Will the Minister talk through what the data exchange flow chart will look like? How will it work in practice? Will the OES proactively contact the regulator and say, “We have all these suppliers—go play”? Will the regulator contact the OES and say, “Give us a list of all your suppliers, and then we are going to start an investigation programme and decide what data we need”? What is the direction of communication in practice? Or—perhaps even worse—will the burden be on suppliers to an OES to contact the regulator and say, “Could we possibly be in scope?” How will it shake out in practice?
Kanishka Narayan
Although I will not specify prescriptively what the activity and flow ought to be, I can share from my experience that many large-scale businesses—and indeed many medium and small-sized businesses—have a very clear business continuity plan mapping their critical suppliers. In this case, I would expect the regulator and the regulated entities to engage. Who sends the email first is an open question, and I would not want to specify it in the Bill, but I would expect each regulator and their regulated entities to work very closely to understand the critical suppliers that meet the tests specified in the Bill, and to engage with those critical suppliers as a consequence.
Dr Spencer
The Minister has mentioned business continuity plans a second time as a justification for not going into detail on this, but the whole reason for the Government bringing in the powers in clause 12, and the designation of critical suppliers, is that there was no business continuity plan in place in the example of Synnovis. I do not see how that argument gets away from the need for clarity, for organisations that could be at risk of being in scope of being assessed and designated as a critical supplier, about what actions they have to take in response to regulation, proactively or otherwise, and the burdens on them. We have just discussed the cost of enforcement, which risks essentially becoming a cyber-security tax.
Kanishka Narayan
I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.
I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.
Lincoln Jopp
I might have to remind myself. I asked the Minister whether the purpose of this clause is for a regulator to be able to ask a managed service provider what their entire client list is, in order to make various assessments.
Kanishka Narayan
I thank the hon. Member for asking and repeating the question. The purposes of the provisions on information requirements are focused on ensuring that regulators can conduct their duties as provided by the Bill. I would not expect information notices to require an exhaustive list in every instance, but instead to primarily focus on a more proportionate set of asks relating to risk vectors to the security of the regulated entities and to wider national security and cyber-security.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Financial penalties
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
Clause 21 reforms the enforcement regime for the NIS regulations. It seeks to ensure that providers of the UK’s most essential services are complying with their obligations under those regulations. Where they are not, it will allow for more meaningful penalties that reflect the risks they introduce to our society and economy as a whole. To do that, the clause makes a number of critical changes.
First, the clause introduces a new penalty maximum based on turnover. The current maximum penalty is £17 million, which can appear disproportionately large for smaller organisations, but could also easily be absorbed by larger ones as the “cost of doing business.” The clause therefore increases the penalty limits from £17 million to a maximum of £17 million or 4% of annual turnover, whichever is higher. I am confident that that strikes the right balance within the UK regulatory context. It brings the regime in line with other UK legislation that regulates cyber-security, such as part 1 of the Product Security and Telecommunications Infrastructure Act 2022, without rushing uncritically to the more severe penalties we see in other CNI regulation.
The second change is to create a simple two-band penalty structure that will provide much-needed clarity to regulators and industry about the penalty tiers for specific acts of non-compliance.
Bradley Thomas
On the point about banding, can the Minister assure us that there will be consistency applied across regulators so that different events are not differentially penalised depending on the regulatory body? On the question of turnover and the financial penalty, can the Minister elaborate on how the figure was derived?
Kanishka Narayan
I thank the hon. Member on both fronts. On the penalty bands, clearly defined parameters are set out in the Bill, and my hope is that that increases the effectiveness, the clarity and—at the heart of it, to his question—the consistency of application we expect across regulatory regimes.
As I mentioned, the 4% figure for the maximum penalty in part referenced existing UK regulatory regimes and legislation that were felt to be the most comparable. In part, it was judged to be an appropriate, proportionate maximum, based on relevant concerns around the appropriate level of deterrent effect, the proportionate level of fine, the regulatory precedent and the broader impact on investment and the economy as a whole, notwithstanding the significant cyber-security costs businesses already experience.
The second change in the clause is intended to eliminate the confusion surrounding the definition of a “material contravention” in the current regulations. Finally, the clause ensures that regulators can consider a wider range of factors when determining what constitutes an appropriate penalty. Where mitigating steps have been taken to address a breach, that should be acknowledged, but so too should the impacts of the breach and any history of compliance or non-compliance.
To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed.
Lincoln Jopp
This is really where the regulatory rubber hits the road. Earlier, we described cases involving a client who is not in the Bill’s scope but who employs a managed service provider that is, and that is therefore vulnerable to these charges. What happens when there is an interface between a client employee operating an IT system and what the managed service provider does? For example, someone could bring in a data stick, shove it in the side of a computer and break the rules, eliciting some form of ransomware. How will it work when the regulator goes to the managed service provider and says, “Here’s your £10 million fine,” and the client says, “That is down to you”? It is going to be a lawyer-fest, isn’t it? Even lawyers who get paid more than £34 an hour are going to make quite a lot of money.
Kanishka Narayan
Just so that I am clear, not least for future records, I think the case described is one where the client is not in the Bill’s scope but is provided to by an MSP that is in the Bill’s scope, and where the relevant responsible individual is in the client business as an employee or agent of that business. The hon. Gentleman raises an important point. Both the obligations and the defined focus of the Bill are on regulated entities. In this instance, if the individual is not in the regulated entity and the regulated entity has complied with the entirety of the wider cyber-security reporting obligations in the Bill, we would look to other venues of legal action against the individual in question. It would be challenging for a Bill that does not regulate the entire economy to ensure that every individual and firm unregulated by it are brought into its scope as well. But that is not to diminish the significance of requiring other pieces of law to act on individuals elsewhere.
Dr Spencer
I will come to my speech, but as we are having a debate on this point, but does the Minister’s answer not risk a gilded defensive posture being set up by MSPs? If they list terms and conditions for the use of their services that essentially bar everything, they can say that any liability—if there is ransomware or they get hacked—is completely on the client, as opposed to themselves. Does the Minister’s explanation not risk MSPs taking a very defensive posture to ensure that the client is liable for any problem? Given that the clients are usually not regulated entities, this provision effectively becomes meaningless.
Kanishka Narayan
I can see the shadow Minister’s hypothetical point, but I assure him that if there is some universal, consistent practice on the part of an MSP to avoid liability, where liability should reside with them, that should be in scope of how the regulator assesses the performance of that MSP. Secondly, I assure him that there remains a degree of competition in the MSP market, given the attractiveness of the UK customer and end user market for MSPs. I would therefore very much expect any MSP that adopts a falsely defensive posture of the sort that the shadow Minister describes not only to be assessed as doing so by the regulator, but to fall foul of the competitive market context that we have and want in the UK.
To conclude, an effective regulatory regime must be backed by fair but effective penalties to ensure that it is followed. The clause ensures that that is the case for NIS regulations, and for that reason I commend it to the Bill.
Dr Spencer
I think I will follow up in writing on my intervention to try to dig down into the explanation of how liability will be laid down when the client is not a regulated entity but is receiving services from regulated entities. That is an important point, because these are quite hefty fines. As my hon. Friend the Member for Spelthorne pointed out, even with £34 an hour lawyers, there will be a lot of industry activity to try to avoid liability in the context of a substantial cyber breach, which can be significant.
More generally, the clause makes significant changes to enforcement practices under the NIS regulations, including to increase the financial penalties regulators can impose for infringement of the regulations, and to set out a clearer system of tiered penalties, based on the severity of infringements. The Government’s impact assessment states that these changes have been made because of concerns reported by regulators that
“enforcement under the NIS Regulations has been constrained by unclear band structures and a maximum penalty which is insufficient to deter non-compliance across all NIS sectors”,
which goes back to my previous point. Enforcement activity under the NIS regulations has been sparse, inconsistent and insufficiently effective to increase cyber-resilience to the levels necessary to meet the proliferating cyber-security risks to our most critical sectors.
Fundamentally, the existing approach to enforcement has not achieved the necessary change in attitude to cyber-risk at the highest levels of regulated entities. It is concerning that board level responsibility for cyber-security has steadily declined among businesses since 2021, with 38% of businesses having a board member responsible for cyber-security in 2021, compared with 27% in 2025.
The enforcement model clearly needs to be more effective, and increasing fines is only one part of that. Regulatory capacity to undertake supervision and enforcement remains a concern, as does perceived reticence on the part of regulators to impose fines on critical infrastructure providers, due to the risk of destabilising essential services and increasing costs for consumers. In our oral evidence sessions, many witnesses, including Richard Starnes of the Worshipful Company of Information Technologists, raised the issue of greater responsibility at the highest levels of management for cyber-resilience. What assessment has the Secretary of State undertaken of whether changes to the penalty regime are likely to influence board-level attitudes towards cyber-security?
Kanishka Narayan
The shadow Minister makes a really important point: cyber-security must be taken seriously at the highest level—at board level. It is part of the cyber assessment framework, which the Government have put at the heart of how we think about assessing cyber-security in firms as well as public sector organisations. It is also part of the guidance we are looking at in the cyber action plan and our wider cyber-security strategy. I take those very seriously. In terms of making sure that businesses have a razor sharp focus, the intent of the fine regime is to ensure that there is a deterrent effect and that it is felt at decision-making levels, which must include boards.
Question put and agreed to.
Clause 21 accordingly ordered to stand part of the Bill.
Clause 22
Enforcement and appeals
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Government amendment 19.
Schedule 1.
Kanishka Narayan
Clause 22 sets out, through schedule 1, consequential changes to the regulations in relation to enforcement and appeals. That is to ensure that the regulations work effectively in relation to the new entities brought into scope, such as managed service providers, data centres and large load controllers, so that the enforcement and appeal systems work as intended. Government amendment 19 makes a minor drafting correction. I commend clause 22 and schedule 1 to the Committee.
Question put and agreed to.
Clause 22 accordingly ordered to stand part of the Bill.
Schedule 1
Enforcement and appeals
Amendment made: 19, in schedule 1, page 86, line 33, at end insert—
“(ea) in sub-paragraph (da), after ‘14A;’ insert ‘or’;”.—(Kanishka Narayan.)
This amendment would make a minor drafting correction.
Schedule 1, as amended, agreed to.
Clause 23
Minor and consequential amendments etc
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Government amendments 20 to 22.
Schedule 2.
Kanishka Narayan
Clause 23, through schedule 2, introduces a number of minor and consequential amendments to the NIS regulations, necessitated by the more substantive changes introduced by the Bill. Among other technical changes, the schedule revokes assimilated EU legislation, removes the requirement for an NIS national strategy to be published once a statement of strategic priorities has been designed in its place, and updates references in the regulations to reflect the new clause numbering. Government amendments 20 and 21 make minor drafting corrections.
Government amendment 22 aligns the process for issuing documents, notices and directions under the NIS regulations with the Bill. As it stands, regulators will be required to follow two different procedures for issuing documents, notices and directions under the NIS regulations and under the national security powers in part 4 of the Bill, which is unnecessarily confusing for regulators and regulated entities. Amendment 22 resolves the issue by aligning regulation 24 with clause 57, as amended by Government amendments 23 and 24. I commend amendments 20 to 22, clause 23 and schedule 2 to the Committee.
Question put and agreed to.
Clause 23 accordingly ordered to stand part of the Bill.
Schedule 2
Minor and consequential amendments etc
Amendments made: 20, in schedule 2, page 89, line 35, at end insert—
“(ia) omit the ‘and’ at the end of the definition of ‘relevant law-enforcement authority’;”.
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
Amendment 21, in schedule 2, page 89, line 37, at end insert—
“(iia) omit the ‘and’ at the end of the definition of ‘representative’;”.
This amendment would make a minor drafting correction to regulation 1(2) of the Network and Information Systems Regulations 2018.
Amendment 22, in schedule 2, page 91, line 4, at end insert—
“11A (1) Regulation 24 (service of documents) is amended as follows.
(2) In paragraph (1)—
(a) in the words before sub-paragraph (a)—
(i) for ‘or notice’ substitute ‘, notice or direction’;
(ii) after ‘served on’ insert ‘or given to’;
(iii) after ‘served’, in the second place it occurs, insert ‘or given’;
(b) omit the ‘or’ at the end of sub-paragraph (b);
(c) for sub-paragraph (c) substitute—
‘(c) sending it by post to the person’s proper address or by email to the person’s email address.’
(3) In each of paragraphs (2) and (3)—
(a) after ‘document’ insert ‘, notice or direction’;
(b) after ‘served on’ insert ‘or given to’.
(4) In paragraph (4), for ‘service’ substitute ‘documents, notices and directions’.
(5) For paragraph (5) substitute—
‘(5) For the purposes of this regulation, a person’s “proper address” is—
(a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
(b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
(c) in any other case, an address in the United Kingdom at which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of the person on whom it is to be served or to whom it is to be given.
(5A) For the purposes of this regulation, a person’s email address is—
(a) an email address provided to a NIS enforcement authority as an address for contacting that person,
(b) an email address published for the time being by that person as an address for contacting that person, or
(c) if no email address has been so provided or published, an email address by means of which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of that person.’
(6) After paragraph (5A) (inserted by sub-paragraph (5)) insert—
‘(5B) A document, notice or direction sent to a person by email is, unless the contrary is proved, to be treated as having been served or given at 9am on the working day immediately following the day on which it was sent.
(5C) In paragraph (5B) “working day” means a day other than a Saturday, a Sunday, Christmas Day, Good Friday or a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.’”—(Kanishka Narayan.)
This amendment would align regulation 24 of the NIS Regulations with the provisions about giving of directions and notices in clause 57 of the Bill, as amended by Amendments 23 and 24.
Schedule 2, as amended, agreed to.
Clause 24
Key definitions in Part 3
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following: ‘Food supply Food supply chain The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)’ ‘Local Government Local Government The Secretary of State for Housing, Communities and Local Government’ ‘Elections Electoral infrastructure The Electoral Commission’ ‘Government Political parties The Secretary of State for Housing, Communities and Local Government’
New clause 1—Food supply chain to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The food supply chain subsector
11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) after paragraph 10 insert—
(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture, or
(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;
(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
(a) any fish or other aquatic animal,
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism;
“plants” include fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”
This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.
New clause 8—Local authorities to be regulated as essential services—
“(1) The NIS Regulations are amended as follows.
(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The Local Government Sector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph “local authority means”—
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”
This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.
New clause 9—Critical manufacturing and retail sectors—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”
This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
New clause 11—Electoral infrastructure to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The electoral infrastructure subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”
This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.
New clause 12—Political parties to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The political parties subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons
(3) In this paragraph—
“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”
This new clause would designate political parties as providing essential services for the purposes of cyber security.
Kanishka Narayan
Clause 24 defines key terms for this part of the Bill, and in doing so introduces two delegated powers. Those powers enable the Government to bring new sectors into the scope of the NIS regime and to designate regulators to oversee them. The power will be used only in relation to activities that are truly essential to our society and economy—in other words, where disruption could pose risks to life or the economic stability of the UK.
The powers are essential in the rapidly changing world we occupy. As we have seen with data centres and managed service providers, our society and economy can quickly become reliant on new services that are acutely vulnerable to cyber-attacks and system outages. Our legislation must be able to keep up with those changes and protect the services that matter most to our country.
Alison Griffiths
I want to use new clause 1 as a lens to view a wider question that sits underneath clause 24, rather than as a verdict on the clause itself. That question is how we decide, in a disciplined and credible way, which activities are sufficiently critical to be brought into the scope of the regime, and how that judgment is applied consistently over time.
New clause 1 would bring much of the food supply chain directly into scope through primary legislation. I understand the instinct behind that. Food supply is fundamental to public confidence, and disruption would be felt very quickly. However, if the underlying test for inclusion is systemic impact, food is not the only sector that raises these questions. I am vice-Chair of the Business and Trade Committee, and over the past year we have taken evidence on economic security from major UK firms that have experienced serious cyber-incidents. One example everyone here will be familiar with is Jaguar Land Rover. Evidence to our Committee indicated that the cyber-incident there contributed to UK GDP being around 0.1% lower than expected in the third quarter last year, which was not a marginal effect. That reflected disruption to tightly integrated manufacturing systems, with production lines brought to a halt and knock-on impacts across just-in-time supply chains and regional economies.
I make that point to underline something simple: cyber-risk presents simultaneously as operational, financial and reputational risk, and in combination those effects can be felt economy-wide. If that is the rationale for bringing food into scope early, it inevitably raises questions about other high-value sectors where a single incident can have national economic consequences.
That brings us back to clause 24 and the role of the Secretary of State. The Bill is clearly designed to allow scope for provisions to evolve through secondary legislation as risks change. That flexibility is sensible, but flexibility works only if the criteria for widening scope are clear, predictable and capable of being explained to industry, regulators and Parliament. If decisions appear to be reactive or driven by the most recent or most visible incident, confidence in the regime will suffer rather than strengthen.
That concern is reflected in the written evidence we have received. The Association of British Insurers, for example, supports higher standards of cyber-resilience, but it also emphasises the importance of clear definitions and coherence between regimes, particularly where firms are already subject to overlapping regulatory requirements. Its point is not about resisting regulation, but about avoiding uncertainty and duplication, which do not improve resilience.
My questions are ones of principle rather than position. First, what is the settled test that the Secretary of State will apply when deciding to bring a sector into scope under the clause 24 powers, and how will that judgment be made transparent to Parliament? Secondly, if Parliament were to require rapid expansion of scope, how confident are the Government that regulators would have the capacity to supervise a much larger and more diverse population without diluting oversight elsewhere?
I am not seeking to land a conclusion on new clause 1 today—I understand why it has been tabled and I recognise the seriousness of the issues that it highlights—but if we are going to widen scope, to food or otherwise, the Committee is entitled to press the Government on the discipline and guardrails that will sit behind those decisions. This needs to remain a targeted and credible regime, rather than one that expands without a clear and consistent logic.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.
When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.
We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.
Bradley Thomas
I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.
David Chadwick
The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.
Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.
Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.
Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.
At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed. Its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.
Dr Spencer
Part 3 is a very important part of the Bill. It gives the Secretary of State a range of powers, including ones to bring additional sectors into the scope of regulation, to update the NIS regulations, to publish statements of strategic priorities for regulators and to publish codes of practice that set out cyber-security measures for entities to comply with their regulatory duties.
Clause 24 includes a power enabling the Secretary of State to specify new services that can be brought into the scope of the NIS regulations, and to designate additional regulatory authorities. Those powers are intended to allow the Secretary of State to identify additional critical sectors and respond to emerging threats quickly. That agility introduced by this measure has been broadly welcomed as appropriate, given the fast-evolving nature of malicious cyber-activity.
Given the extent of the Secretary of State’s new powers, however, it is important to put in place guardrails to ensure that the appropriate response to emerging threats is indeed further regulation, rather than market-led or insurance-based mitigations. Can the Minister provide any further information at this stage about the procedure that will be followed in deciding whether to expand the scope of regulation to ensure consistency and transparency?
Hon. Members have tabled several new clauses that would prompt the Secretary of State to use her duties under clause 24. I will speak to new clause 1, tabled by the hon. Member for Warwick and Leamington (Matt Western), and new clause 9, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, together, as they have some thematic overlap. New clause 1 seeks to bring all entities, other than small businesses and microbusinesses, in the food production, distribution and retail supply chain into the scope of regulation as operators of essential services. New clause 9 also touches on the regulation of food supply chains. It would require the Secretary of State to designate retailers of
“food and essential goods (when part of a large-scale distribution chain)”
and manufacturers of “critical transport equipment” as providers of essential services to be brought into the scope of regulation.
Those new clauses reflect concerns about the cyber-attacks targeting the food retailers M&S and Co-op last year. New clause 9 reflects issues raised by the major attack on JLR, which cause such disruption and threatened the stability of regional jobs and supply chains. Those attacks caused significant public concern, but they would all remain out of scope after the Bill comes into effect.