Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Chris Vince
Main Page: Chris Vince (Labour (Co-op) - Harlow)Department Debates - View all Chris Vince's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Chris Vince ExcerptsTuesday 3rd February 2026
(1 day, 18 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Dr Ben Spencer (Runnymede and Weybridge) (Con)
Q
My second question is jointly for Ian and Stuart, from the ICO and Ofgem. Some industry stakeholders have expressed concern about low levels of incident reporting and enforcement under the NIS1—network and information systems—regs. How will your respective approaches to regulation change as a result of this Bill, to ensure that it is implemented and that cyber-resilience is improved across the sectors you are responsible for regulating?
Natalie Black: I will kick off. We have some additional responsibilities, building on the NIS requirements, but the data centre aspect of the Bill is quite a substantial increase in responsibilities for us. It is worth emphasising that we see that as a natural evolution of our responsibilities in the sector. Communications infrastructure is evolving incredibly quickly, as you will be well aware, and data centres are the next big focus. In terms of preparations, we are spending this time getting to know the sector and making sure we have the right relationships in place, so that we do not have a standing start. I have done a number of visits, for example, to hear at first hand from industry representatives about their concerns and how they want to work with us.
We are also focusing on skills and recruitment. We already have substantial cyber-security responsibilities in the communications infrastructure sector. We are building on the credibility of the team, but we are focused on making sure we continue to invest in them. About 60% of the team already come from the private sector. We want that to continue going forward, but we are not naive to how challenging it is to recruit in the cyber-security sector. For example, we are working with colleagues from the National Cyber Security Centre, and looking at universities it is accrediting, to see how we can recruit directly using those kinds of opportunities.
Ian Hulme: On incident reporting, the thresholds in the existing regulations mean that levels are very low. Certainly, the reports we see from identity service providers do not meet those thresholds. I anticipate that we will see more incidents reported to us. With our enhanced regulatory powers and the expanded scope of organisations we will be responsible for, I anticipate that our oversight will deepen and we will have more ability to undertake enforcement activity. Certainly from our perspective, we welcome the enhanced reporting requirements.
Stuart Okin: To pick up on the incident side of things, I agree with Ian. The thresholds will change. With the new legislation, any type of incident that could potentially cause an issue will obviously be reported, whereas that does not happen today under the NIS requirements.
On enforcement, in seven years we have used all the enforcement regimes available to us, including penalties, and we will continue to do so. We absolutely welcome the changes in the Bill to simplify the levels and to bring them up, similar to the sectorial powers that we have today.
Chris Vince (Harlow) (Lab/Co-op)
Q
Stuart Okin: In the energy sector, we tend to use operational technology rather than IT systems. That might mean technology without a screen, so an embedded system. It is therefore important to be able to customise our guidance. We do that today. We use the cyber assessment framework as a baseline, and we have a 335-page overlay on our website to explain how that applies to operational technology in our particular space. It is important to be able to customise accordingly; indeed, we have added physical elements to the cyber assessment framework, which is incredibly important. We welcome that flexibility being maintained in the Bill.
Ian Hulme: Just to contrast with colleagues from Ofcom and Ofgem, ICO’s sector is the whole economy, so it is important that we are able to produce guidance that speaks to all the operators in that sector. Because our sector is much bigger, we currently have something like 550 trust service providers registered, and that will grow significantly with the inclusion of managed service providers. So guidance will be really important to set expectations from a regulatory perspective.
Natalie Black: To round this off, at the end of the day we always have to come back to the problem we are trying to solve, which is ensuring cyber-security and resilience. As you will have heard from many others today, cyber is a threat that is always evolving. The idea that we can have a stagnant approach is for the birds. We need to be flexible as regulators. We need to evolve and adapt to the threat, and to the different operators we will engage with over the next couple of years. Collectively, we all appreciate that flexibility.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
The ICO is a horizontal regulator working across all sectors. In your experience, would a single cyber regulator be a good idea? What would be the benefits and the challenges? I will allow Ofcom and Ofgem to jump in and defend themselves.
Ian Hulme: I suppose the challenge with having a single regulator is that—like ourselves, as a whole-economy regulator—it will have to prioritise and direct its resources at the issues of highest harm and risk. One benefit of a sectoral approach is that we understand our sectors at a deeper level; we certainly work together quite closely on a whole range of issues, and my teams have been working with Natalie and Stuart’s teams on the Bill over the last 18 months, and thinking about how we can collaborate better and co-ordinate our activities. It is really pleasing to see that that has been recognised in the Bill with the provisions for information sharing. That is going to be key, because the lack of information-sharing provisions in the current regs has been a bit of a hindrance. There are pros and cons, but a single regulator will need to prioritise its resources, so you may not get the coverage you might with a sectoral approach.
Natalie Black: Having worked in this area for quite some time, I would add that the challenge with a single regulator is that you end up with a race to the bottom, and minimum standards you can apply everywhere. However, with a tailored approach, you can recognise the complexity of the cyber risk and the opportunity to target specific issues—for example, prepositioning and ransomware. That said, we absolutely recognise the challenge for operators and companies in having to bounce between regulators. We hear it all the time, and you will see a real commitment from us to do something about it.
Some of that needs to sit with the Department for Science, Innovation and Technology, which is getting a lot of feedback from all of us about how we need it to co-ordinate and make things as easy as possible for companies—many of which are important investors in our economy, and we absolutely recognise that. We are also doing our bit through the UK Regulators Network and the Digital Regulation Cooperation Forum to find the low-hanging fruit where we can make a difference. To give a tangible example, we think there should be a way to do single reporting of incidents. We do not have the answer for that yet, but that is something we are exploring to try and make companies’ lives easier. To be honest, it will make our lives easier as well, because it wastes our time having to co-ordinate across multiple operators.
The Chair
We will now hear oral evidence from Chung Ching Kwong, senior analyst for the Inter-Parliamentary Alliance on China. We have until 3 pm for this session.
Chris Vince
Q
Chung Ching Kwong: Just to give some background, I am a senior analyst for the Inter-Parliamentary Alliance on China, and a PhD candidate in law at the University of Hamburg, focusing on data protection and data transfer. My expertise is not entirely on critical infrastructure security, but I do a lot of analysis on China’s legal system and also how it works in general. That is how I can contribute to this evidence session.
The threat posed by the CCP to our critical national infrastructure, such as water, energy and transportation, has shifted from espionage—stealing secrets—to pre-positioning, or preparing for sabotage. We cannot understand the threat without understanding the civil-military fusion of the Chinese state. Chinese companies operating in our CNI are not independent per se, in the way we would normally think about that in our country—in other words, private entities that operate on their own and have their own decision-making mechanisms. They are legally obligated under at least article 7 of China’s national intelligence law to co-operate with the state, to provide information, to provide help with decryption and to gather information at the request of the Government.
As highlighted by the NCSC, groups such as Volt Typhoon are pre-positioning within utility networks in the States. They do not use malware; they live off the land, using legitimate administrative credentials to proceed undetected for years. That is not for financial gain; they do it until the time is right for them to pull the trigger and cause a crisis.
In the transportation sector, there are a lot of cellular IOT modules embedded in e-buses and EVs. These devices require constant communication with servers in China to function, so they are constantly feeding data back to China for maintenance, remote access of data and that kind of thing. It could all be innocent and a feature for operational and functional purposes, but if—and only if—Beijing orders that data to be handed over and actions to be taken, it will become a problem.
That is the context of the risk we are facing when it comes to China, especially in terms of state-sponsored attacks. All entities, be they foreign companies in China or local Chinese-founded companies, have an obligation under Chinese law.
Chris Vince
Q
Chung Ching Kwong: Gathering information and data is definitely one of the main goals, but it is not limited to data transfer. Right now, in the UK, they do not need to rely only on access to critical infrastructure; under the Data Protection Act here in the UK, it is legal to transfer personal data through contractual clauses, so they can have access to personal data as long as they have that.
Of course, gathering data gives them insight into what is happening in the UK; if they want transportation data or power grid data, they can gather those data by different means. But it is also very important to understand Xi Jinping’s comprehensive national security concept. I think this is the reason why they are so determined to collect information, not only in the UK but worldwide.
In that kind of comprehensive security concept, political security, defined as the survival of the regime, is paramount. It overrides anything—not economic gain, not whether or not the GDP of China is going to grow in the next year, but any information or action that they see as necessary to make sure that the CCP is in control. That means it is gathering data of dissidents overseas, it is gathering data on the power grid, it is gathering data on transportation—anything they might find useful for a different purpose, which is, ultimately, to serve the goal of the survival of the regime.
Bradley Thomas
Q
DCS Andrew Gould: That is another really good question. Generally, it is financial, but you will often get what is called the double dip, so there is the extraction of data as well as the encryption of it, so that you no longer have access to it. They might take that data as well, primarily personal data, because of the regulatory pressures and challenges that that brings. There is a sense among a lot of criminal groups that, if they have personal data, you are more likely to pay, because you do not want that reputation, embarrassment and all the rest of it, as opposed to if they take intellectual property, for example. But it is not that that does not happen as well. Primarily, it is financial gain.
Chris Vince
Q
DCS Andrew Gould: It is a tricky one. It feels like the technology change is getting ever faster and ever more challenging, but I first went into cyber-crime in the Met back in 2014, and we are giving the same advice now as we were giving then. Sometimes your head can explode with the technical complexity of it, but a lot of the solution just comes down to doing the really boring basics in a world-class way. It is things like patching and doing your software updates. Whether you are a member of the public or running an organisation, finding a way to do those updates and patches means that 50% of the threat has gone, there and then. With something like multi-factor authentication, it seems like most organisations do not want to inconvenience their staff or customers by putting it in place, but that would be another 40% of the problem solved. It is not infallible—nothing is—but if you are thinking about how attacks are still successful, it is pretty basic: a lot of our protections are not in place. Solving that means that 90% of the threat is gone, there and then. That then leaves the 10% of more sophisticated threats—let’s make the criminals work a bit harder.
The Chair
Order. That brings us to the end of the time allotted for the Committee to ask questions. I thank the witness for his evidence.
Examination of Witness
Richard Starnes gave evidence.
Dr Spencer
Q
Brian Miller: Sometimes, but sometimes not. I do not think we had any physical links with Synnovis, but it did work on our behalf. Emails might have been going back and forward, so although there were no physical connections, it was still important in terms of business email compromise and stuff like that—there was a kind of ancillary risk. Again, when things like that come up, we would look at it: do we have connections with a third party, a trusted partner or a local authority? If we do, what information do we send them and what information do we receive?
Chris Vince
Q
Stewart Whyte: Anything that increases or improves our processes in the NHS for a lot of the procured services that we take in, and anything that is going to strengthen the framework between the health board or health service and the suppliers, is welcome for me. One of our problems in the NHS is that the systems we put in are becoming more and more complex. Being able to risk assess them against a particular framework would certainly help from our perspective. A lot of our suppliers, and a lot of our systems and processes, are procured from elsewhere, so we are looking for anything at all within the health service that will improve the process and the links with third party service providers.
Dr Gardner
Q
Brian Miller: That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.
Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?
Stewart Whyte: We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.
From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.
Dr Spencer
Q
Kanishka Narayan: I think the guardrails in the Bill are very important, absolutely. The Bill provides that, where there is an impact on organisations or regulators, there is an appropriate requirement for both deep consultation and an affirmative motion of the House. I think that is exactly where it ought to be, and I do not think anything short of that would be acceptable.
Chris Vince
Q
Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.
On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.
Bradley Thomas
Q
Kanishka Narayan: I am shy of making comments on specific incidents, but as a broad brush, clearly the food supply or automotive manufacturing sectors are not directly in scope of the Bill, for reasons I am very much happy to discuss.