Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting) Debate

Department: Department for Science, Innovation & Technology

Kanishka Narayan Excerpts
Thursday 5th February 2026

Public Bill Committees
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

It is a pleasure to see you in the Chair, Mr Stringer. The Bill will make crucial updates that build on the NIS regulations, which are the UK’s only cross-sector cyber-security regulations. As clause 1 sets out, “NIS regulations” refers to the Network and Information Systems Regulations 2018 (S.I., 2018, No. 506).

Clause 2 gives an overview of the Bill’s parts and what they include. It sets out that part 2 amends the NIS regulations by expanding the scope of the regulations to cover data centres, large load controllers and managed service providers. It also introduces powers for regulators to designate suppliers as being critical for their sector. Part 2 also updates the existing incident-reporting regime and includes provisions relating to the recovery of regulators’ costs, information-gathering and sharing powers, and enforcement powers. Part 3 gives new powers to the Secretary of State to specify other sectors as in scope of the regulations in future, to create new regulations relating to the security and resilience of regulated services, and to issue a code of practice and a statement of strategic priorities. It also requires the Secretary of State to report on this legislation and its implementation. Finally, part 4 gives new national security powers for the Secretary of State to issue directions. I commend the clauses to the Committee.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.

The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.

Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.

Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.

In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.

--- Later in debate ---
Dr Spencer

I thank the hon. Member for his point about balance. I am confident that this is an area to which the Committee will return quite a few times in our line-by-line scrutiny of the Bill, particularly clause 12, which relates to the designation of critical suppliers. Clearly the regulations need to be proportionate, but to make that judgment we will need to know exactly what the regulations are. A lot of the detail is not in the Bill and has instead been left to secondary legislation. As we heard from the experts, it is very difficult to scrutinise legislation that is mostly being left to future regulations rather than being set out in the Bill.

These definitions will be critical if businesses are to have clarity as to whether they will fall within scope. I do not want to go too deeply into clause 12 now, but I see it as an exemplar. How are businesses that could fall within the critical supplier designation to know what they need to do? How is the operator of an essential service to know what information it needs to pass to the regulator on businesses that it may end up regulating? It would be very helpful if the Minister could comment, even at this introductory stage, on how he envisages that balance playing out in the Bill, particularly given that so much of the detail has been left to secondary legislation. Anyway, I digress—I will get back on topic.

Businesses are struggling with legal uncertainty and the increased costs of regulatory burden. Regulators in the sector lack the resources, the teeth and sometimes even the will to carry out effective oversight and enforcement of existing cyber regulation. Uncertainty about which incidents should be reported will dramatically increase the burden on regulated entities and on regulators. All the while, institutional barriers to effective oversight and enforcement remain.

The Bill fails to give the legal certainty and the proportionate framework that businesses need if we are to achieve widespread adoption and hardened cyber-resilience across the sectors that are most critical to the economy and our society. Perhaps most critically, there is little point in granting the Secretary of State extensive powers to make directions to regulated entities for national security purposes if the Government remain wilfully blind to the greatest threats to our national security. In the past few weeks, reports have circulated that a Chinese state-affiliated group hacked the communications of top Downing Street officials between 2021 and 2024, yet the vital organs of our state, central Government Departments and agencies carrying out the most critical functions, are left unprotected and unaccountable for their cyber-resilience under the Bill.

If we do not address these problems, we risk the Bill becoming yet another missed opportunity for the Government. These are opportunities that we can ill afford to miss if we are to safeguard our economy and our national security.

Kanishka Narayan

I welcome some of the Opposition spokesperson’s comments. Let me briefly address his questions about definitions and public sector inclusion. It is customary for the Opposition to oppose for the sake of opposition, at times, and I am afraid that this is one of those times; I have so far set out only two clauses, which are effectively an index to the Bill. Notwithstanding that, I will address his two particular points.

I was delighted that in our evidence sessions we heard from witness after witness who appreciated the flexibility of the Bill. For the Government to prescribe activities or incident thresholds in the finest detail in primary legislation is not how businesses, Government and regulators ought to engage. I hope that the Opposition will come to appreciate that in due course.

On critical suppliers, which no doubt we will come on to, I thought that in response to Opposition comments at our second sitting, I set out a very clear, precise set of tests. I found no opposition to that claim, but I look forward to hearing any original thoughts on that question.

On incident reporting, I was delighted that there was a witness who noticed that the extension of the definition of incident reporting, to include incidents capable of having an impact, was appropriate and exactly in the right place.

On the question about the public sector’s inclusion, we are here not to prescribe and wait for a law to tell us what we ought to do in the public sector, but instead to move fast and fix things. In that spirit, the Bill focuses on essential services.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.

Clause 2 ordered to stand part of the Bill.

Clause 3

Identification of Operators of Essential Services

Question proposed, That the clause stand part of the Bill.

Kanishka Narayan

Clause 3 makes important distinctions as to which organisations can and cannot be considered operators of essential services for the purposes of the NIS regulations. It clarifies that a person—in practice, an organisation or business—can be an operator of an essential service regardless of whether that person is established in the UK, as long as they are providing essential services in the UK. That means that organisations established outside the UK can be regulated under the NIS regulations.

Clause 3 also makes it clear that the NIS regulations do not apply to public electronic communications networks or to public electronic communications services. Those are telecoms operators, which are regulated separately under the Communications Act 2003. The amendments in clause 3 will prevent telecoms companies from being subject to duplicate regulations; they will also ensure that all essential services in the UK are protected, even if the company operating them is based outside the UK. I commend the clause to the Committee.

Dr Spencer

Clause 3 will amend the relevant provisions of the NIS regulations, stipulating that operators of essential services are within scope of the regulations whether or not they are operating an essential service in the UK, and regardless of the jurisdiction in which they are established. Providers of public electronic communications networks and public electronic communications services are excluded from characterisation as operators of essential services, as the Minister says, to avoid duplication with their sector-specific cyber-security regime.

The clause is an important provision to ensure that entities providing essential services in the UK are compliant with domestic standards. Perhaps the most important aspect of the change is ensuring that serious cyber-security risks that appear within the systems of those entities are reported to the UK authorities for action. That is vital for the National Cyber Security Centre to keep abreast of emerging risks and be able to respond to them.

Nevertheless, the complex maze of compliance and regulatory standards across jurisdictions is a growing challenge for businesses of all sizes and particularly for small and medium-sized enterprises. This is also a complicating factor facing UK companies when providing services abroad, particularly in the digital domain. Will the Minister lay out what discussions he has had with industry representatives about easing the complexity of cross-border digital service provision to ensure that the UK is a competitive and attractive place to do business?

Kanishka Narayan

On the question about cross-border compliance and making sure that we have a proportionate and effective regime, we have had a series of engagements at ministerial and official level with representatives of techUK, the industry body. The NCSC has convened a series of organisations—not least managed service providers, but others as well—and there has been a pretty extensive period of consultation on that and every other matter in the Bill.

I feel satisfied that the Bill strikes a good balance in ensuring proportionality in what businesses experience. Critically, as supply chains in this context become increasingly cross-border, it is vital that bodies that may not be resident in the UK but which provide essential services here are included in the scope of the Bill.

Question put and agreed to.

Clause 3 accordingly ordered to stand part of the Bill.

Clause 4

Data centres to be regulated as essential services

Kanishka Narayan

I beg to move amendment 11, in clause 4, page 3, line 5, column 3, leave out from beginning to “the” in line 6.

This amendment and Amendment 12 would remove the Secretary of State for Science, Innovation and Technology as a joint regulator for the data infrastructure subsector, leaving the Office of Communications acting as the sole regulator for that subsector.

The Chair

With this it will be convenient to discuss the following:

Government amendment 12.

Clause stand part.

Clauses 5 and 6 stand part.

Kanishka Narayan

Clause 4 of the Bill amends the NIS regulations by creating a new regulated sector, data infrastructure, and designating the Secretary of State for Science, Innovation and Technology and Ofcom as joint regulators. We have received clear feedback from the data infrastructure sector expressing concerns that a dual regulator model could create unnecessary complexity and limit accountability. Amendments 11 and 12 will remove the Secretary of State for Science, Innovation and Technology as a regulator, leaving Ofcom as the sole regulator, which will streamline the regulatory model for data infrastructure and resolve the concerns raised by stakeholders.

Ofcom already has proven regulatory expertise and is well placed to oversee the new data infrastructure sector effectively. By adopting a single regulator for data infrastructure, the amendments will reduce administrative burden, simplify engagement, and strengthen accountability. This will ensure a clearer, more effective regulatory framework for this rapidly growing sector.

Clause 4 brings qualifying data centre services into the scope of the NIS regulations, recognising both their vital role in underpinning our economy and public services, and that disruption to them can significantly impact productivity, service delivery, and revenue.

Alison Griffiths

Clause 4 relies heavily on capacity as the trigger for regulation. I understand why that is attractive: it is measurable. But capacity is not the same as criticality, and a high-capacity facility used for redundancy can present less systemic risk than a smaller, highly concentrated one. I simply put on record that the way this threshold is applied in practice will matter more than the number itself.

Kanishka Narayan

I thank the hon. Member for that thoughtful point. One assurance I will offer her is that the direct definition of data centres in scope here relies on capacity as a proxy for their essential independent nature, but when data centres below the capacity threshold but high on the criticality threshold are suppliers to essential services, they would be covered in part by the critical suppliers framework in the Bill. I take her point into account.

Bradley Thomas (Bromsgrove) (Con)

What consideration has been given to the potential conflict between data centres’ contractual obligation regarding customer confidentiality and mandatory rapid reporting? What assurance can the Minister give us that data centres will ensure that the conflict does not impact their future business?

Kanishka Narayan

In the course of engaging with firms we have considered what the timeline for reporting ought to be. It is critical that the initial notification requirement, which is a much lower requirement than the full notification requirement, at least gives the NCSC and other enforcement authorities the ability to counter national security and wider-impact risks. I believe that specification to be proportionate in the Bill, but it is of course a matter for implementation that we will keep a close eye on.

An attack on a data centre can have significant impacts beyond the facility itself. As data centres underpin digital services across multiple sectors, disruption or compromise can cascade through essential services, businesses and public services. Incidents may also pose national security and economic risks, given the concentration of sensitive and critical data. Bringing qualifying data centre services into scope of the NIS framework helps ensure these risks are managed proportionately and incidents are reported promptly.

As per Government amendments 11 and 12, we propose that Ofcom is the regulator. Medium and large third-party data centres and very large enterprise centres will be required to manage risks and report to Ofcom. Their thresholds have been carefully calibrated to capture data centres whose disruption could have the greatest impact, while avoiding unnecessary burdens on smaller operators. This will strengthen the cyber-security and resilience of data centres, align with international regulations, and introduce structured oversight, notification, and incident reporting to strengthen national security and economic stability.

--- Later in debate ---
Dr Spencer

As I risk getting into trouble with Mr Stringer, I will not respond to the hon. Member for Lichfield. I look forward to the opportunity to debate this issue again, perhaps in the emergency Budget in the next couple of weeks.

Clause 6 brings large load controllers, which provide the flow of electricity in and out of smart appliances, within scope of the NIS regulations if the load is above 300 MW. I understand that the threshold has been decided through consultation, given that that pressure could have a substantial impact on the grid. There is a challenge in managing peak demand and supply in the grid and big changes in it, so I entirely understand why the Government are introducing this provision. Smart EV devices—I have a smart charging electric vehicle device myself—used system-wide could cause big grid disruptions, particularly as we integrate infrastructure into our homes such as solar panels, batteries and other energy-related smart devices.

In fact, we need the grid to become more smart device-integrated over the next 10, 15 or 20 years. When we look at projections of energy consumption, we see that we will need to enable people to use the grid by expanding technology such as vehicle-to-grid energy supply, so that we can manage peak load. That is part of expanding our energy, reducing energy costs and supporting renewable energy and the transition to net zero. If anything, this issue will become more important and expansive over the years.

On that basis, I have some questions for the Minister about the clause. Why are data centres and large load controllers the two sectors that he has decided to put on the face of the Bill? I say that with particular reference to the NIS2 regulations, which are expanded a bit more. How does he envisage this area expanding in the future? Is he confident that the scope of the clause is sufficient to cover future technologies that are coming down the track? I am thinking of EV charging apps. The list is prescriptive, but does it have sufficient flexibility? Is the Minister able to come back with secondary legislation if he needs to expand the list in the future, given that it is in the Bill in that form? Would it not be better to put that on the face of the Bill and to use secondary legislation to lay it out, in order to have flexibility? The Minister has been trying to ensure flexibility elsewhere, and understandably so—let us not go back into those debates. I just want to understand his reasoning behind that a bit better. That is certainly not a criticism, but I want to know why those particular sectors have been pulled out, and why it has not been left for secondary legislation.

Kanishka Narayan

With your permission, Mr Stringer, I will restrict my comments to the clauses in question—in particular, clauses 5 and 6—and the relevant Government amendments. The shadow Minister has auditioned for roles at the Department for Business and Trade in talking about the philosophy of regulation, at the Department of Health and Social Care in talking about his medical background, and at the Treasury in talking about taxation. I will try to restrict myself to none of those and simply speak to the clauses and address three points in response to his comments.

The first relates to the skills and resourcing of our regulators. On that, I welcome the shadow Minister’s prior engagement with me directly and his questions now. The last Government completely gutted our regulators. Having done so, they achieved neither growth nor regulatory quality, which Opposition Members now talk about. As a consequence, it falls to us to make sure that our regulators are fit for purpose and resourced in the way they need to be. This Bill gives them the powers to secure initial and full notifications in a timely way, the powers to share information in an appropriate way and, fundamentally, the ability of cost recovery, to resource themselves in an appropriate way. Alongside that, our wider initiatives on skills in the cyber-sector and technology more broadly are fundamental to achieving our aspirations, not least through the CyberFirst programme, which I mentioned in a witness session.

Bradley Thomas

Will the Minister give way?

Kanishka Narayan

I might just make a slight bit of progress. As I mentioned in a previous session, the programme reached 415,000 students, and it has now been evolved into the wider TechFirst scheme as well.

The shadow Minister, as well as the hon. Member for Bromsgrove, made a very important point about resilience in particular and sovereign capability. Particularly for those reasons, I am really proud of two things. One is that the Bill includes suppliers that may not be resident in the UK but provide essential services in the UK. This is a critical means through which we can secure our capabilities here. The second, which is close to my particular interests in the data centre and compute world, is that, through our initiatives on sovereign AI, and having launched a very innovative advance market commitment in the chips part of the stack, which ends up crowding in wider demand—not least through companies such as Nscale, a fundamental part of our AI growth zone in the north-east—this Government are finally rectifying the errors and omissions of the last Government, in making sure that Britain does not do what it did in the last commercial cloud context, but instead, in this AI compute world, has some actual chips on the table.

Thirdly, I will not try to settle the thrilling debate between the shadow Minister and my hon. Friend the Member for Lichfield on the philosophy of regulation. I will simply make the humble suggestion that in this context we have arrived at, not a full-fat compendium, as the shadow Minister described it, but a very targeted Bill, which has been the result of extensive industry engagement—indeed, some of it was carried out by the prior Government—that aligned on the sectors in question and the inclusion of critical suppliers in scope.

On the shadow Minister’s question about the thresholds and definitional specificity of large load controllers in the Bill, I will of course remain very open to ensuring that the secondary powers, which are intended precisely to enable us to move flexibly as the clean power industry moves, give us the flexibility to move with it. At the same time, the threshold of 300 MW reflected the point at which a large load controller could pose an unacceptable risk to the electricity system and our CNI. This threshold was set very clearly in partnership with technical experts, including the National Energy System Operator. Of course, as the market grows, the potential for cyber-incidents will grow, and we will keep that under close review.

Chris Vince

On the point about flexibility, I think we would recognise that the legislative process in this House does not always move as quickly as we might want it to, but there are reasons for that, because scrutiny is really important. Does the Minister agree that the changing nature of the cyber-threats we face and the changing nature of technology, which he understands far more than me, are the reasons why it is so important to have flexibility in the Bill?

Kanishka Narayan

I thank my hon. Friend for that point. The reality is that neither he nor I am placed to judge exactly where the thresholds should be set on a permanent basis. That is exactly why we have secured the flexibilities that we have in the Bill.

Clause 5 brings Crown-operated data centres into scope of the NIS regulations, ensuring that Government data centres meet robust standards comparable to those in the private sector. Bringing Crown data centres within scope closes a critical gap and guarantees that public sector infrastructure is protected against evolving threats. Exemptions will apply only in defined cases in which a data centre service is provided by an intelligence agency or a facility handling highly classified—“Secret” or “Top Secret”—information. These data centre services are already governed separately, and applying the NIS regime could cause conflict. I urge that clause 5 stand part of the Bill.

Finally, clause 6, on large load controllers, introduces the essential new service of load control under the energy subsector of the NIS regulations. This will capture organisations—

The Chair

Order. I am sorry to interrupt the Minister, but can he speak a little more loudly and slowly for the benefit of all Members?

Kanishka Narayan

Loudly and slowly: this will capture organisations remotely managing significant amounts of electrical load via energy-smart appliances, both in a domestic and non-domestic setting. These organisations play an increasingly important role in the management of the electricity system, but are not currently regulated for cyber-security. A cyber-attack could therefore create major disruptions to the national grid, shutting down public services and critical national infrastructure. Capturing load control as an essential service will safeguard the public from these disruptions. It will also reflect the need to bring in new safeguards to manage a more digitalised and dynamic energy landscape in the transition towards net zero.

Dr Spencer

Before the Minister moves on—I was a bit nervous that he was going to finish—I have an additional question about the Crown data centre. What happens if a data centre is providing services commercially to both the public and the Crown? How is that operated within the scope of the Bill?

--- Later in debate ---
Kanishka Narayan

I am happy to write to the shadow Minister on that point. My understanding is that a Crown data centre will be in scope if it is providing, as in that particular example, to both the public and the private sector, but I am happy to write to him to clarify that point.

The load control market is growing exponentially and we need to make it cyber-secure. For that reason, I propose that clause 6 stands part of the Bill.

Amendment 11 agreed to.

Amendment made: 12, in clause 4, page 3, line 7, leave out “(acting jointly)”.—(Kanishka Narayan.)

See the explanatory statement for Amendment 11.

Clause 4, as amended, ordered to stand part of the Bill.

Clauses 5 and 6 ordered to stand part of the Bill.

Clause 7

Digital services

Kanishka Narayan

I beg to move amendment 13, in clause 7, page 7, line 7, leave out paragraph (b) and insert—

“(b) a pool of computing resources is ‘scalable’ if the resources are flexibly allocated by the provider of the service, irrespective of the geographical location of the resources, in order to handle fluctuations in demand;

(c) a pool of computing resources is ‘elastic’ if the resources are provided and released according to demand, in order to rapidly increase and decrease available resources depending on workload;

(d) computing resources are ‘shareable’ if—

(i) multiple users share a common access to the service, which is provided from the same electronic equipment, and

(ii) processing is carried out separately for each user.”

This amendment would refine and make further provision about certain aspects of the definition of cloud computing service.

The Chair

With this it will be convenient to discuss clause 7 stand part.

Kanishka Narayan

Clause 7 amends the definitions of “relevant digital service provider” and “cloud computing service” in the existing NIS regulations. As in the original NIS regulations, an RDSP is a cloud computing service, online search engine or online marketplace. To be in scope, they must provide a service in the UK and not be a small or microbusiness. That prevents disproportionate business burden, focusing on those larger businesses whose compromise could have a significant impact on the UK’s economy or society. The changes to the definition in the clause clarify that to be in scope, providers cannot be designated as a critical supplier or be subject to public authority oversight, as defined by clause 11. That maintains consistency with the approach to managed services, and minimises dual regulation and unnecessary burden.

Government amendment 13 strengthens the definition of a cloud computing service in clause 7. It introduces precise, clarified and separate definitions of the three core characteristics of cloud computing resources, which is that they are scalable, elastic and shareable.

Alison Griffiths

Clause 7 is definition-heavy, and rightly so; these terms decide who is regulated and who is not. My only observation is that cloud models are, as the Minister knows, evolving quickly because of the AI revolution. Definitions that track architecture too closely will age fast, so the Committee should be alert to whether these terms will still make sense in five years’ time and not just today.

Kanishka Narayan

I very much welcome that point. In talking about broad architecture characteristics—being able to scale compute and to be elastic to multi-tenants by being shareable—rather than setting out the specific nature of resources, we capture both commercial cloud and AI deployments. However, I am keen to ensure that we keep this under review and, where possible, use the flexibilities provided by the Bill to adapt it to changes in technology.

Although the policy intention behind the definition has not changed, amendment 13 will provide certainty for industry, support effective regulatory oversight and ensure that services whose disruption could significantly impact the UK economy and society are properly captured. In addition, the drafting is more aligned with that of our international partners, which will improve efficiency for providers operating across borders.

This targeted, technical improvement will bring greater clarity, consistency and fairness to the NIS regulations. I urge Members to support both the clause and this important amendment.

Dr Spencer

Clause 7 amends the definition of cloud services, which have been within the scope of regulation since the NIS regulations came into force. The expanded definition emphasises remote accessibility and the “on demand” nature of cloud services, and that services may be delivered from multiple locations. It also excludes managed services from the scope of cloud services to avoid duplication of regulatory requirements and oversight.

The Minister proposes changes to this provision in Government amendment 13, which sets out further details regarding the features of in-scope cloud service provision, including common access by multiple users, with each having access to separate processing functions. My question to the Minister builds on the one raised by my hon. Friend the Member for Bognor Regis and Littlehampton. It is obviously difficult—if it is possible at all—to predict how the tech sector will evolve, but what powers will the Government have to adjust these provisions as the cloud ecosystem changes, and what consultation has the Minister done on that within the scope of the Bill?

Kanishka Narayan

On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Currently, the law requires regulated persons to manage risks to the security of their systems. Amendment 28, tabled by the Liberal Democrats, explicitly inserts “risks arising from fraud” into that duty. It would make it clear that a system cannot be considered secure if it is easily exploited by scammers.

Fraud should be considered a national security issue, and there is clearly a relationship between fraud and cyber-security. Scammers across the world are targeting British citizens. Elderly fraud victims in Dyfed-Powys lose £7,900 a day to a tidal wave of scams perpetrated by scammers from many countries across the world, notably Nigeria. UK-wide, in the first half of 2025 alone, criminals stole over £600 million through scams. Surely, we cannot pass a cyber-security and resilience Bill—

--- Later in debate ---
Dr Spencer

I broadly agree. This is one of those difficult areas where there can be overlap. I have sympathy with the argument that it is important to use any opportunity, and in particular this Bill, to raise fraud.

We focus on financial fraud, but this area is not limited to that, especially when we think about other malicious operators, and about ransomware and hacktivism, where the boundaries are particularly blurred. In a situation where a fraudulent operator, service, provider or organisation has material, whether on social media or subject to search engines, and the police or other competent authorities have flagged it to the provider as fraudulent—as illegal criminal activity—what duties does that provider have to remove it or take it down? Is that something that the Minister is aware of? Has he looked into it, and what is the Government’s plan to crack down on that activity?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for tabling amendment 25, which would amend the duties for RDSPs in the NIS regulations. I empathise with the source of his concern about fraud; I think many of us in the House know and feel that concern, through either our personal experience or that of our constituents.

That said, the security duties within NIS require RDSPs to identify and take steps to manage the full spectrum of risks posed to the security of their systems. They must prevent and mitigate relevant incidents, regardless of what the threats are or where they emanate from. That includes taking an all-hazards risk-based approach. Entities must manage risks to cyber-security, physical security and broader operational resilience. “Security” includes the ability to resist any action that may compromise the availability, authenticity, integrity or confidentiality of those systems, including risks that may arise from fraud. I caution against highlighting only one particular vector of risk in the clause; that is unnecessary and would not reflect the full range of risks each RDSP faces.

Further, while the Bill clarifies the high-level duty to manage risks, secondary legislation will give further detail on the security and resilience requirements. Guidance and the code of practice will give further detail still on the types of risks to consider. For that reason, I kindly ask the hon. Gentleman to consider withdrawing the amendment.

The shadow Minister asked about the Government’s treatment of fraud, particularly when it has been found on a platform and the authorities have asked that platform to take it down. The Government made a clear commitment in our manifesto to introduce a new fraud strategy, and the Home Office, as the lead Department, has been working at pace to engage deeply in making that an effective reality.

Alongside that, in my wider role in online safety, I am conscious that fraud is a fundamental area of content in which platforms have to look at where it crosses the border into illegality, as it may well do in the instance the shadow Minister described. That has been a central focus since the illegal content duties came into play last year. I believe that such instances are well covered by the pieces of legislation that I have just mentioned. The Bill is clearly more focused on critical national infrastructure and its exposure to network and information systems.

Lincoln Jopp (Spelthorne) (Con)

Members on both sides of the Committee have referred frequently to the fact that the incident that took Jaguar Land Rover down would not have been covered by the Bill. JLR employs a digital service provider, in the form of Tata Consultancy Services. Would that provider not be covered, meaning that JLR is in scope?

Kanishka Narayan

Although I will not rule a particular provider in or out of scope, if the provider in question met the threshold for RDSP coverage, it would be covered, but the locus of that coverage would be limited to the provider rather than to the end-customer entity. I hope that clarifies that sufficiently.

Let me explain how clause 8 was designed to tackle the risks that Committee members have set out. The clause updates the existing duties for RDSPs in the NIS regulations to ensure that they remain resilient against evolving cyber-threats. It clarifies the requirement for those services, making it clearer that they must secure themselves not just to keep the services they provide running and available but to contribute to wider systems security as a whole.

Lincoln Jopp

Given the scenario we just discussed, it is possible that a digital service provider would have an obligation to report under the Bill, but the parent company employing its services would not. Given the requirements for confidentiality that a client company may put upon a digital managed service provider, how can that conflict be managed?

Kanishka Narayan

I appreciate the hon. Gentleman’s question, and I have two comments to make on that front. First, the relevant digital service provider will have a range of different customers, and my expectation would be that the regulators and the NCSC would seek a deep understanding of the risk exposure across the full breadth of that portfolio, rather than for each particular customer. Of course, that would form part of some analysis.

Secondly—the shadow Minister asked a related question—I am happy to write about the interaction between prompt notification responsibilities and commercial confidentiality duties, on the basis of the engagement we have conducted so far. Especially when questions of major risk exposure are concerned, I would hope there are provisions that allow the relevant digital service provider to notify the NCSC, but I am happy to write to the hon. Member for Spelthorne and the shadow Minister to clarify that point.

Clause 8 also removes a reference to the RDSP’s own network and information system to clarify that the duty is intended to cover all network and information systems that the relevant digital service relies on.

The cyber-risk landscape is diffuse and multifaceted. Hostile actors can use a range of routes and techniques to attempt to take services offline, as well as to extort, steal and surveil. These changes to the NIS regulations support a holistic approach to tackling cyber-risk. They ensure that important dependencies are covered and that facets of security such as the confidentiality of data and integrity of systems are not set aside.

The clause also requires RDSPs to have regard to any relevant guidance issued by the Information Commission when carrying out their duties. Finally, it removes a requirement for relevant digital service providers to consider specific duties referenced in EU regulations. I urge the Committee to support the clause unamended.

Question put, That the amendment be made.