Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)
Alison Griffiths Excerpts(1 day, 11 hours ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Dr Ben Spencer (Runnymede and Weybridge) (Con)
It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.
The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.
Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.
Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.
In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Does my hon. Friend agree that, although we support the intent behind the Bill, clause 2 does a lot of framing work but does not necessarily consider the extensive perimeter that is coming through and how proportionality will be applied in practice? I suggest that the Committee keep that in mind as we move through the detail.
Dr Spencer
I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.
Kanishka Narayan
Clause 4 of the Bill amends the NIS regulations by creating a new regulated sector, data infrastructure, and designating the Secretary of State for Science, Innovation and Technology and Ofcom as joint regulators. We have received clear feedback from the data infrastructure sector expressing concerns that a dual regulator model could create unnecessary complexity and limit accountability. Amendments 11 and 12 will remove the Secretary of State for Science, Innovation and Technology as a regulator, leaving Ofcom as the sole regulator, which will streamline the regulatory model for data infrastructure and resolve the concerns raised by stakeholders.
Ofcom already has proven regulatory expertise and is well placed to oversee the new data infrastructure sector effectively. By adopting a single regulator for data infrastructure, the amendments will reduce administrative burden, simplify engagement, and strengthen accountability. This will ensure a clearer, more effective regulatory framework for this rapidly growing sector.
Clause 4 brings qualifying data centre services into the scope of the NIS regulations, recognising both their vital role in underpinning our economy and public services, and that disruption to them can significantly impact productivity, service delivery, and revenue.
Alison Griffiths
Clause 4 relies heavily on capacity as the trigger for regulation. I understand why that is attractive: it is measurable. But capacity is not the same as criticality, and a high-capacity facility used for redundancy can present less systemic risk than a smaller, highly concentrated one. I simply put on record that the way this threshold is applied in practice will matter more than the number itself.
Kanishka Narayan
I thank the hon. Member for that thoughtful point. One assurance I will offer her is that the direct definition of data centres in scope here rely on capacity as a proxy for their essential independent nature, but when data centres below the capacity threshold but high on the criticality threshold are suppliers to essential services, they would be covered in part by the critical suppliers framework in the Bill. I take her point into account.
Dr Spencer
I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.
Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.
The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and regulator data centres it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?
Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?
Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.
In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.
Alison Griffiths
My hon. Friend is making a very good point, which also applies to improving board awareness and ensuring that the enforcement of the regulations incentivises boards to take the issue seriously and make sure that they are equipped to understand the commercial reality of cyber-security for their businesses. Enforcement is an important part of that.
Dr Spencer
That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.
Alison Griffiths
Clause 7 is definition-heavy, and rightly so; these terms decide who is regulated and who is not. My only observation is that cloud models are, as the Minister knows, evolving quickly because of the AI revolution. Definitions that track architecture too closely will age fast, so the Committee should be alert to whether these terms will still make sense in five years’ time and not just today.
Kanishka Narayan
I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.
Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.
This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.