The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

Q Thank you very much to both of you for your insights today. The question on my mind is related, in part, to the point that Jen raised. There are a range of levers at the Government’s disposal in thinking about and acting on cyber-security. I am interested in your thoughts on which parts of the economy ought to be in the scope of regulation and legislative measures, and where effective measures that sit outside of regulation and legislation—guidance being one from a range of non-regulatory measures—would be better suited.

Jen Ellis: Again, that is a hugely complex question to cover in a short amount of the time. One of the challenges that we face in UK is that we are a 99% small and mediums economy. It is hard to think about how to place more burdens on small and medium businesses, what they can reasonably get done and what resources are available. That said, that is the problem that we have to deal with; we have to figure out how to make progress.

There is also a challenge here, in that we tend to focus a lot on the behaviour of the victim. It is understandable why—that is the side that we can control—but we are missing the middle piece. There are the bad guys, who we cannot control but who we can try to prosecute and bring to task; and there are the victims, who we can control, and we focus a lot on that—CSRB focuses on that side. Then there is the middle ground of enablers. They are not intending to be enablers, but they are the people who are creating the platforms, mediums and technology. I am not sure that we are where we could be in thinking about how to set a baseline for them. We have a lot of voluntary codes, which is fantastic—that is a really good starting point—but it is about the value of the voluntary and how much it requires behavioural change. What you see is that the organisations that are already doing well and taking security seriously are following the voluntary codes because they were already investing, but there is a really long tail of organisations that are not.

Any policy approach, legislation or otherwise, comes down to the fact that you can build the best thing in the world, but you need a plan for adoption or the engagement piece—what it looks like to go into communities and see how people are wrestling with this stuff and the challenges that are blocking adoption. You also need to think about how to address and remove those challenges, and, where necessary, how to ensure appropriate enforcement, accountability and transparency. That is critical, and I am not sure that we see a huge amount of that at the moment. That is an area where there is potential for growth.

With CSRB, the piece around enforcement is going to be critical, and not just for the covered entities. We are also giving new authorities to the regulators, so what are we doing to say to them, “We expect you to use them, to be accountable for using them and to demonstrate that your sector is improving”? There needs to be stronger conversations about what it looks like to not meet the requirements. We should be looking more broadly, beyond just telling small companies to do more. If we are going to tell small companies to do more, how do we make it something that they can prioritise, care about and take seriously, in the same way that health and safety is taken seriously?

David Cook: To achieve the outcome in question, which is about the practicalities of a supply chain where smaller entities are relying on it, I can see the benefit of bringing those small entities in scope, but there could be something rather more forthright in the legislation on how the supply chain is dealt with on a contractual basis. In reality, we see that when a smaller entity tries to contract with a much larger entity—an IT outsourced provider, for example—it may find pushback if the contractual terms that it asks for would help it but are not required under legislation.

Where an organisation can rely on the GDPR, which has very specific requirements as to what contracts should contain, or the Digital Operational Resilience Act, which is a European financial services law and is very prescriptive as to what a contract must contain, any kind of entity doing deals and entering into a contract cannot really push back, because the requirements are set out in stone. The Bill does not have a similar requirement as to what a contract with providers might look like.

Pushing that requirement into the negotiation between, for example, a massive global IT outsourced provider and a much smaller entity means either that we will see piecemeal clauses that do not always achieve the outcomes you are after, or that we will not see those clauses in place at all because of the commercial reality. Having a similarly prescriptive set of requirements for what that contract would contain means that anybody negotiating could point to the law and say, “We have to have this in place, and there’s no wriggle room.” That would achieve the outcome you are after: those small entities would all have identical contracts, at least as a baseline.

Kanishka Narayan

- Hansard -

Copy Link

-

Q Thank you all very much for making time. I have an implementation-focused question, perhaps directed at Stuart, but open to all. In practice, it would be helpful to understand how frequent is the case that a single company might provide multiple of the possible services in scope: MSP services, cloud hosting, data centre support and cyber-security services. What ability might we have to identify parts of an organisation that are in scope for particular bits and those that are not?

Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.

For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.

You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.

Kanishka Narayan

- Hansard -

Copy Link

-

Q One of the themes already emerging in the conversation and in the wider public debate is that, on one line of thought, the right framework is that the law should focus on outcomes, principles and responsibilities, and then delegate specificity to both agile definition over time and specific expertise in sectors. An alternative view says that in looseness there is uncertainty, and we in Parliament should prescribe activity and impact thresholds and what companies should be doing. I am interested in areas across the board where you think prescription is a helpful way to go, as well as in your general experience of the core way and framework through which we have regulated a number of these activities, which is to rely on the agility and expertise in particular sectors, rather than the prescription of activity in primary legislation.

Chris Anley: By our calculation, as you say, the number of organisations that fall under the scope of the Bill in terms of the Government’s impact assessment is 0.1% of the private sector, which is one one-hundredth of the tip of the iceberg. We are going to have to adopt a whole-of-economy approach if we are going to secure the UK—we have already talked about the public sector issues.

On the Bill itself, we have three main comments. First, the secondary legislation forms the bulk of the technical measures, so we are calling for early consultation on that. Secondly, the Bill imposes additional reporting obligations, adding to an already complicated situation for reporting cyber-incidents in the UK. The reporting obligations trigger at a time of great complexity for an organisation, so we are calling for a single point of contact for reporting all cyber-security incidents in the UK and a single timeline. That may sound like a big ask—an impossible dream. Australia has already done it, and the EU is in the process of doing it in its digital omnibus streamlining package.

Finally, in terms of cyber professionals, the passage of a cyber-security Bill through Parliament is a golden opportunity to address the serious problems with the Computer Misuse Act 1990. Cyber professionals who are defending the UK cannot currently do so without risking criminal prosecution. We cannot carry out basic identification and verification actions without potentially committing the offence of unauthorised access to computer material, because a ransomware gang, for example, is unlikely to give us authorisation to identify the command and control system they are using to attack the UK.

We support the CyberUp campaign, which is proposing an amendment to the Computer Misuse Act to provide a statutory defence, resting on four strong safeguarding principles. We believe that that would help to protect our defenders while maintaining the integrity of the law. Based on the campaign’s research into the size of the cyber-security industry in the UK, the amendment would not only help to prevent incidents and mitigate incidents in progress, but add 9,500 highly skilled jobs and over £2.5 billion in revenue to the UK economy. Other nations are already benefiting from this type of safeguard, including our oldest ally, Portugal, which has implemented them in its recent amendments to NIS2, which is the exact legislative equivalent of the process we are in today. In summary, please help us to defend the UK by protecting our defenders.

Dr Ian Levy: To follow up on what Chris says, we strongly agree on early consultation on the technical detail of the secondary legislation. Somebody said in the previous session that, in security, the devil is always in the detail. Well-meaning text can be massively misinterpreted. We need to be very careful about that, so wide, early consultation is key.

On incident reporting, I will make two points. Chris made the point that when you are being asked to report, you are at your most desperate, because you have just found out that you have been attacked and you do not know what is going to happen. A lot of legislation accidentally ignores the victim. When we set up the NCSC, one of the primary things was that we were there to support the victims. I urge you not to lose sight of that. Absolutely, go after and find the culprits later, but in the moment, the victims are absolutely key to this.

The second part of that, about a single reporting timeline and a single reporting route, is that it is not just good for the victims but the only way that we generate strategic intelligence. That is one of the things that is missing in the UK—and has been for decades. We have five, six or seven different reporting portals that all characterise things differently and take different types of information, and bringing them together to have a single picture about the actual threat to the UK is incredibly difficult. A single reporting forum could fix that.

Ben Lyons: I might distinguish between what organisations need to do and whether organisations are in scope. In terms of what they need to do, the outcomes-based approach is sensible. If you think about when the Johnson Government were consulting on the measures that would go on to form this Bill, that was a time when ChatGPT had not been invented and the geopolitical environment was very different. The world is moving fast, and I think that the cyber assessment framework is a good starting place for what a code of practice could look like, because it is already understood by industry and is outcomes-driven.

I agree with the previous comments about incident reporting. I think that there is a lot of merit in the suggestion around a shared portal so that it is easier to report incidents in that moment of dealing with a cyber-attack. Within the regime as envisaged, probably the most important bit with reference to reporting is about improving that early clarity and visibility for the NCSC so that they can help. That is probably where I would place the emphasis, more than on regulators having that information within 24 hours. In that context, an approach that recognises best efforts in that first 24 hours but is focused on tackling the problem will be important for dealing with the issue.

On the supply chain, I would say—and we have heard about this before—that there could be more clarity there in terms of who would be in scope for designated suppliers. Thinking a bit around both systemic dependency and the potential for wider disruption would be important factors to give it more clarity.

Matt Houlihan: To round off the responses, on the question about finding the balance between specificity and agility, the Bill does a reasonable job at that. We can totally see the need to keep some of the doors open, because not only is the nature of the threat changing rapidly but the nature of technology—and of our capabilities to defend—is changing as well. We have already talked about AI, and we have lots of quantum research taking place as well that will have a big bearing on cyber-security.

It is right that the Bill has some agility in it, but it is clear from the responses today that there is a need to tighten it up in certain places. We talked about incident reporting, and having a simpler, more co-ordinated system for regulated entities to work with so that that reporting process is easier. The definition of “incident” itself needs to be looked at, we believe. The idea of an instance not only having, but being capable of having, an adverse effect on information systems opens the door very widely to lots of potential incidents that may need to be reported on. Having a tighter definition there would be very useful.

To touch on the point about Secretary of State powers, we feel that the door is a little bit too wide. If you look at legislation such as Australia’s cyber-security legislation from 2018, the Security of Critical Infrastructure Act, that also has some good Secretary of State powers, but there are lots of guardrails contained in it that make it clear that it is a power of last resort, where the entity is unwilling or unable to carry out the remedial action itself. There are also other guardrails contained in that legislation. We urge the Committee and the Government to look at that Act and take inspiration from it to think about where those guardrails could be worked into the UK law.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

Q One of the things that we have heard over the course of the day is that the Bill is just one of a range of different ways in which public authorities engage with companies on cyber-security and resilience. I am interested in hearing about the impact the Police CyberAlarm programme has had on the cyber-security and resilience of organisations. What would you like to see going forward?

DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.

For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.

For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.

We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”

To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.

The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

Today I am updating the House on a number of developments: the designation of Lanarkshire as the UK’s newest AI growth zone, the establishment of the AI and the Future of Work programme, the expansion of the AI upskilling programme, and progress on delivery of the “AI Opportunities Action Plan”, one year on from its publication.

Lanarkshire AI growth zone

The Government are today designating Lanarkshire as the latest AI growth zone, marking a major step in our modern industrial strategy and strengthening Scotland’s position in the UK’s growing AI economy.

The Lanarkshire site will be delivered by UK company DataVita, in partnership with CoreWeave. It will support more than 3,400 jobs over the coming years and will crowd in £8.2 billion in private investment, with a further £540 million committed over 15 years to support the local community. This will fund skills and training packages, after school coding and digital clubs, and support for local charities and food banks.

The 9,000 acre site will be one of the most advanced AI campuses in the world, drawing on on site renewable energy to power up to 500MW of compute and exploring how excess heat generated by data centre cooling could support nearby facilities such as University Hospital Monklands, Scotland’s first fully digital and net zero hospital.

Lanarkshire becomes the fifth AI growth zone announced since the launch of the action plan, joining Oxfordshire, north Wales, south Wales and the north-east. AI growth zones are expected to support up to 15,000 jobs and at least £28 billion in private investment.

Establishment of the AI and the Future of Work programme and expansion of the AI upskilling programme

The Government are establishing a comprehensive AI and the Future of Work programme to ensure the UK is prepared to benefit from and adapt to the profound changes AI will bring to jobs, workers and the labour market. This includes launching a new cross Government AI and the Future of Work Unit and appointing an independent expert panel drawn from industry, academia, civil society and trade unions to guide this work.

Building on last year’s commitment to provide free AI training for all workers, the Government are expanding their national upskilling programme—delivered with major industry and now public sector partners—to equip 10 million workers with AI skills by 2030, up from the original 7.5 million ambition.

This forms part of a wider effort to ensure that AI-driven transformation delivers opportunities, supports economic growth, and helps workers and communities benefit from technological change.

AI opportunities action plan—delivery update

AI growth zones were a core commitment of the AI opportunities action plan, which the Government published a year ago to ensure the UK leads in shaping the AI revolution.

One year on, we have moved decisively from ambition to delivery. We have now met 38 of the action plan’s 50 commitments, and today we are publishing our one- year-on update. Per the action plan, we have focused on three goals: laying the foundations to enable AI, changing lives for the better, and securing our future.

Laying the foundations.

We have designated five AI growth zones, accelerating data centre build out. We have expanded national compute capacity, with Isambard AI switched on in Bristol and committed to procure to increase the supercomputer capacity at the University of Cambridge—already home to the DAWN supercomputer—sixfold by spring 2026. We have also begun the biggest AI skills drive in a generation: over 1 million AI training courses have already been delivered in just the last six months.

Changing Lives.

AI is already delivering practical benefits for citizens. AI-assisted diagnostics are supporting one third of NHS chest X-rays, improving detection and treatment times. We have announced trials of AI tutoring tools to support learning and reduce teacher workload.

Securing our Future.



UK AI companies raised more than £6 billion last year, and there are now over 185 UK tech unicorns valued at over $1 billion. The Government have now established the Sovereign AI Unit, backed by up to £500 million, to invest in UK AI companies and support them to become world-leading in critical parts of the AI value chain.

There is much more to do to seize the opportunities of AI. Over the coming year we will continue to bring AI growth zones from designation to delivery, operationalising the Sovereign AI Unit—backed by up to £500 million in funding—and equip millions of workers with the skills they need for the AI age.

But our achievements over the last year show what is possible when ambition meets delivery. If we sustain this pace, Britain will continue not just adapt to technological change, but to shape it in the public interest.

[HCWS1289]

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

It is a pleasure to serve with you in the Chair, Dr Murrison. First and foremost, I thank the hon. Member for Bridgwater (Sir Ashley Fox) for securing today’s debate on the impact of the time taken to install gigabit-capable broadband in rural communities, and for once again drawing to the attention of the House the importance of delivering fast and reliable digital connectivity to them.

I also thank all other hon. Members across the House who have persistently championed the cause of improving rural broadband, and not least for their gift of anticipation when it comes to the speech of the hon. Member for Bridgwater.

Kanishka Narayan

- Hansard -

Copy Link

-

I am happy to give way briefly.

Kanishka Narayan

- Hansard -

Copy Link

-

I thank the hon. Member for making that point, and I am very happy to engage with him both individually and with my colleague, the Minister for Digital Economy, on the particular experience of his constituents.

The contributions we have heard today from across the House again highlight just how essential connectivity has become to daily life. We have heard about its centrality to work, education and, as my hon. Friend the Member for Monmouthshire (Catherine Fookes) said, to healthcare, online banking, farming, running a business or simply staying connected with friends and family.

The Government recognise that delays in broadband delivery can be particularly frustrating for rural residents, who often have fewer alternatives than urban residents, and for whom a slow or unreliable internet connection can have a deep impact on their quality of life and economic opportunities. Our mission is to ensure that 99% of premises can access a gigabit-capable connection by 2032. According to the latest figures from the independent website thinkbroadband.com, over 89% of UK premises already have access to a gigabit-capable connection.

Through Project Gigabit, we are targeting precisely the communities that have been highlighted in today’s debate. Commercial roll-out would not otherwise take place for these communities, and public investment is therefore essential. As at the end of September 2025, over 1.3 million premises in rural and hard-to-reach communities across the UK had been upgraded to gigabit-capable broadband through Government-funded programmes. In addition, over 1 million premises are now included in signed Project Gigabit contracts worth £2.4 billion in total.

Kanishka Narayan

- Hansard -

Copy Link

-

I know my hon. Friend is a deeply committed champion for his constituency, so I would be very happy to meet him—both on my own and with my colleague, the Minister for Digital Economy—to look at the issues in his constituency.

We are making good progress on delivering these contracts. We have already celebrated the completion of the first three Project Gigabit contracts in Northumberland, Teesdale and north Dorset, which marks an important milestone in our programme. These early completions show that the programme is working, and rural communities are beginning to see the benefits of this investment.

The majority of premises receiving Government funding for broadband upgrades continue to be rural. Between April 2024 and March 2025, 89% of the premises benefiting from our interventions in this sector were in rural areas, including proud farming communities. We remain absolutely committed to ensuring that these communities receive the gigabit-capable connectivity they need and deeply deserve.

I also recognise, with honesty, that there have been delays to subsidised roll-out across Devon and Somerset in particular, as a result of premises being descoped from contracts under the earlier superfast broadband programme, including in the constituency of the hon. Member for Bridgwater.

When suppliers encounter financial, operational or technical challenges, I know that rural communities feel the impact the most, and as a proud representative of rural communities in south Wales, I feel it, too. I want to reassure hon. Members that we are closely engaging with Connecting Devon and Somerset, and with suppliers, to establish a clear path forward.

Following the announcement in 2025, descoped premises, particularly in the constituency of the hon. Member for Bridgwater, were made available for suppliers to bring forward proposals under the gigabit broadband voucher scheme. Several suppliers expressed interest, and I am pleased to say that approximately 3,000 premises are now included in approved voucher projects. Around 8,500 descoped premises remain without confirmed commercial or subsidised plans. However, these premises are now being considered for inclusion in the Project Gigabit contract with Openreach. We expect to finalise the amended scope of that contract in the spring. The hon. Member feels that work is urgent, and I do, too.

Approximately 3,100 premises in the hon. Gentleman’s Bridgwater constituency are currently included in the Project Gigabit contract delivered by Openreach, and my hope is that this intervention will deliver gigabit-capable connections to homes and businesses across the constituency, such as those in Nether Stowey, North Petherton and Westonzoyland.

Although 3,400 premises in Bridgwater were descoped from the previous superfast broadband contracts, almost half of those premises have since been connected through a supplier’s commercial roll-out, without the need for public subsidy. The remainder are included within the scope of the current contract change discussions we are undertaking with Openreach.

A healthy, competitive broadband market is fundamental to achieving our national gigabit ambition. Commercial delivery has been and will remain the backbone of the UK’s digital transformation. The majority of gigabit-capable connections have been delivered entirely through private investment. The Government’s role is to create the right environment for such investment to continue at pace. That is why we continue to work in close partnership with both industry and Ofcom to support the roll-out of fibre networks across the UK, including in the most rural and hard-to-reach areas.

Our approach is designed to complement commercial build, not to replace it, ensuring that public funding is targeted only where the market cannot deliver on its own. In July last year, we published a consultation on our draft statement of strategic priorities to Ofcom, setting out the Government’s view on the importance of promoting competition and maintaining a stable regulatory environment that gives investors confidence. A predictable and proportionate regulatory framework is essential for suppliers to continue investing billions in our fibre networks. Ensuring that regulation is not lifted prematurely is central to protecting our consumers, which is why competition must be properly established before we can relax regulatory safeguards. That is the approach needed to deliver long-term benefits.

I know there has been a question about where the Government are in this process. Our draft statement set out our position on infrastructure sharing, which has become one of the sector’s most important enablers of competition. In particular, Ofcom’s physical infrastructure access product has allowed over 100 alternative networks to roll out fibre using Openreach’s ducts and poles, lowering barriers to entry and helping to accelerate competition. We have asked Ofcom to provide greater transparency on how PIA pricing is calculated and set, because transparency is the underpinning driver of confidence for investors.

We are reviewing responses to the consultation on our draft statement of strategic priorities, and we will set out the Government’s conclusions in due course. I of course note the hon. Member’s comments, and we are all hoping for pace as well as rigour in the response to the consultation.

Kanishka Narayan

- Hansard -

Copy Link

-

Openreach has not made that representation to me. The Government are squarely focused on reaching the 99% target, and we are doing all we can to make sure that all providers are in a place to do so. I am happy to engage with Openreach if it wants to make a representation to me.

To ensure that the commercial market can continue to deliver as fast as possible, the Government remain committed to removing deployment barriers. Whether that is done by reforming wayleave processes, improving access to land and multi-dwelling units, enhancing the co-ordination of street works or accelerating planning decisions, every barrier we remove helps the industry to build networks faster and more efficiently.

Even with the scale of commercial investment and the ambition of Project Gigabit, the expectation is that some remote premises will remain too expensive to reach with gigabit-capable fibre in the immediate term. We are therefore continuing to consider what more we can do to enable high-quality alternatives for those in the “very hard to reach” category. The satellite market is developing at pace. We expect to see more competition in that market imminently, with rapidly improving terminal equipment, higher speeds and falling costs for end users. We continue to monitor and support the development of that market, recognising its role in connecting the most remote communities.

I am conscious of the points made on mobile connectivity, not least those made by the hon. Member for Winchester (Dr Chambers). With increasing 5G coverage from mobile network operators, fixed wireless access is becoming an increasingly viable connectivity option. Ofcom estimates that fixed wireless access delivered over mobile networks is already available to 96% of UK premises, with wireless internet service providers offering fixed wireless access to around 8% of premises.

I thank the hon. Member for Bridgwater for securing this important debate, and I thank all Members who have contributed. In response to the hon. Member for Chester South and Eddisbury (Aphra Brandreth), I want to flag that, since Building Digital UK and Freedom Fibre mutually agreed to terminate the Project Gigabit contract for Cheshire, we have launched a new procurement for Cheshire. We expect it to be in place by the spring, and we will be sure to let her know of its progress.

Let me be clear that, although challenges remain, the Government are acting. We are committed to working at pace with suppliers, local authorities, communities and devolved Governments to ensure that progress continues. Rural communities must not and will not be left behind as we work towards our goal of 99% gigabit coverage. Given that the hon. Member for Bridgwater brought up wider support for rural communities, I put on record that this Government are squarely on the side of rural communities across the UK, which were abandoned by the previous Government on trade negotiations and farming funding and were not given appropriate representation.

Question put and agreed to.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

First and foremost, I thank my hon. Friend the Member for Telford (Shaun Davies) for securing this Adjournment debate. Throughout his entire tenure as the local MP, he has been a relentless champion for the people of Telford on the question of 5G and mobile coverage. He has listened closely to those he represents in person and through surveys. He has represented their voices in the media and to my hon. Friend the Minister for the Digital Economy in the other place, and he has done that again in this debate with both an impressive speech and a deep understanding of Telford.

Mobile coverage is an extremely important topic, which is reflected in the amount of interest shown across from the House in any parliamentary activity on the subject. Access to high-quality, reliable and secure mobile connectivity is critical for people to participate effectively in the modern digital economy. It is essential for day-to-day life in many cases. Whether it is to run a business online, to access essential public services, to manage finances online, to contact GP surgeries or to stay in touch with loved ones, we all need reliable mobile connectivity.

The Government have an ambition for all populated areas to have access to higher-quality stand-alone 5G by 2030. That of course includes Telford and areas right across the west midlands. It is true that Ofcom currently reports that stand-alone 5G is available outside of only 1% of premises across my hon. Friend’s constituency. That is clearly unacceptable. I am also conscious that the picture has slightly updated in recent months, and I will take the opportunity to shine some light on that. The published coverage stats were last collected in July last year, and there has been some improvement in the picture since then. We expect that the figure will further increase significantly in the next report published by Ofcom as reporting catches up with network roll-out.

Mobile network operators are investing significantly to improve coverage and I know that progress continues at pace. I have been assured that that is leading to coverage improvements in many areas, including Telford. The operators’ significant investment plans are public. VodafoneThree has committed £11 billion as a result of the merger, BT has an ambition to deliver stand-alone 5G to 99% of the UK population by the end of financial year 2030, and Virgin Media O2, as part of its mobile transformation plan, committed £700 million of further investment in its mobile network nationwide.

In preparation for this debate, officials have engaged with the operators to understand their specific coverage improvement plans in my hon. Friend’s constituency and across the west midlands. BT has confirmed that, in line with its announcement of October of last year, 99% of residents across the Telford constituency can now access stand-alone 5G. I will come to points of dissatisfaction between that claim and the wider experience of people in Telford imminently.

VodafoneThree has confirmed that stand-alone 5G coverage will increase in the Telford constituency to 100% by its first reporting milestone in 2028, in line with its merger commitments. Virgin Media O2 has made strides to improve mobile coverage across the west midlands, including boosting 4G and 5G capacity across Coventry and deploying stand-alone 5G small cells in Birmingham city centre in 2024. That feedback from operators starts to show the significant progress being made in rolling out stand-alone 5G across Telford and the west midlands region. I encourage all Members to contact the operators if they too would like to understand plans for their constituency.

I am deeply sorry to hear of the difficulties that my hon. Friend reports about the reliability of services in the region. I recognise that in our modern economy and way of life, services need to be reliable for everyone in all parts of the country. Communications providers have legal obligations to ensure that their services are appropriately resilient, as overseen by Ofcom, and I recommend that if customers are having continuing difficulties, as my hon. Friend has mentioned, they can contact their provider and, in the instance of serious and repeated failures, also report to Ofcom.

At this point, may I raise the particular issue that my hon. Friend has highlighted about the discrepancy between people’s lived experience and the reported data? It is an experience familiar to me, both from my constituency and more widely, and Government recognise that there are discrepancies in cases between the lived experience of people and the level of coverage that Ofcom reports.

The launch of our Map Your Mobile tool in June last year was a positive step forward, but the work of our Government does not stop there. We have restated in our proposed statement of strategic priorities for Ofcom the importance of continuing to improve the reporting of mobile coverage, for example, by building on the launch of the tool through the exploration of measured and crowdsourced data. Alongside that, I also point out that the Streetwave coverage checker is a tool available on the River Severn Partnership website which has also been funded by Government and the 5G Innovation Regions project. I am conscious that that, in particular, includes my hon. Friend’s constituency in Telford.

I understand my hon. Friend’s concerns about flooding in his local area. I know he has brought that up with the Department. There are potential safety risks arising when flooding is combined with a lack of mobile signal, and I thank my hon. Friend for raising that important issue. Clearly, it is right to raise the risk to public safety so that it can be looked into and addressed accordingly. In relation to mobile signal, I hope that some of the information provided starts to give him some reassurance on what is available in the local area and what is planned for the future. I am happy to work with him and colleagues from both the Department for Environment, Food and Rural Affairs and the Environment Agency so that the matters that he has raised can be investigated by the correct authorities.

As I know my hon. Friend will be aware, satellite services can provide another new means of connecting residents in otherwise hard-to-reach areas. I am pleased that the rapid advance of low Earth orbit technology for satellites means that the performance of services is also increasing through that measure. As well as satellite services offering home broadband that are already on the market, Vodafone and O2 have both announced that direct-to-mobile device services will launch and be available to consumers this year.

To help operators achieve their ambitious roll-out plans, we continue to work closely with them to identify and remove barriers to deployment where it is practical to do so. That includes implementing the remaining provisions of the Product Security and Telecommunications Infrastructure Act 2022 and launching a call for evidence to see where planning rules can be relaxed to support the deployment of mobile infrastructure. Alongside that work at national level, we have also provided funding to both the west midlands and Shropshire as part of our 5G Innovation Regions programme to increase the uptake of 5G services and to drive investment in networks.

I know that we need to do more to ensure investment in high-quality mobile connectivity. That is why we are undertaking a full mobile market review. We want to understand better the factors impacting investment in widespread high-quality mobile connectivity and what more the Government can do to support it over the long term. We will soon be publishing a call for evidence to support our assessment and we encourage all relevant parties to engage with this process. I also encourage all Members of the House to be champions of digital infrastructure deployment. It is only through working in our constituencies, with constituents and with the local planning authority, that we can together champion digital connectivity.

Finally, I would like to repeat my thanks to my hon. Friend the Member for Telford for securing this debate on such an important topic, and to all Members who have intervened and contributed to the debate today. It would, of course, be remiss of me not to end on a note of acceptance of his kind invitation. I will be very happy, either directly or through my hon. Friend in the other place, to visit him and to support his hard work for the people of Telford.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

Thank you, Mrs Harris. I pay my due respects to you as the godmother of the Welsh mafia. It is always a pleasure to serve with you in the Chair, but particularly on this occasion. With my hon. Friend the Member for Montgomeryshire and Glyndŵr (Steve Witherden) initiating his first Westminster Hall debate on this deeply important subject, you in the Chair and me responding on behalf of the Government, I am deeply proud that the Welsh enthusiasm for science and technology is right at the heart of the debate.

I thank my hon. Friend the Member for Montgomeryshire and Glyndŵr for securing this important debate on the impact of science and discovery centres on national science and technology priorities. I am grateful to all Members who contributed to the debate. It has been a total delight to hear about the wonderfully distinct flavours of science and discovery centres across the country, and about the distinct stages of our lives at which they have touched us. As my hon. Friend said, they include the experiences of our parents, of our childhood, of our schooling, of our enlightened first girls’ holidays, of our weddings and of our professional work too.

Growing the economy is the Government’s No. 1 priority, and science and technology are central to achieving that ambition. That is why the Government have committed to an unprecedented £86 billion investment in UK research and development over the next five years—the largest ever by any Government. That investment is about driving innovation, creating jobs and securing long-term economic growth. It signals our determination to put science and technology at the heart of our national priorities.

Of that investment, £38 billion is allocated to UK Research and Innovation to deliver our core priorities across the research and innovation buckets. That includes £14 billion for advancing curiosity-driven research, £7 billion to support the formation and growth of innovative companies and £8 billion for funding research into the Government’s priorities, including the industrial strategy priority areas. For the first time, UKRI will map its investments against priority sectors, with £9 billion of direct support for the industrial strategy across buckets 2 and 3. Those allocations reflect our national science and technology priorities, ensuring the UK leads in critical fields such as artificial intelligence, clean energy, advanced manufacturing and life sciences—areas that are essential to our future prosperity.

I am conscious that investment alone is not enough. To turn this unprecedented commitment into real-world impact, we need a world-class STEM workforce—a pipeline of talented individuals equipped to transform ideas into breakthroughs. That is why the Government believe in the value of a strong STEM workforce and have committed to ensuring that everyone, regardless of background, has the opportunity to pursue a rewarding career in science, technology, engineering and maths.

A strong, skilled STEM workforce is vital to delivering innovation, driving productivity and strengthening our country through our mission-led approach. That means inspiring the next generation, broadening participation and ensuring that science does not just happen behind closed doors but belongs to everyone. That is exactly the motivation behind our £187 million TechFirst programme, which will touch the lives of 1 million young people right across the UK.

The Government acknowledge that that is one of the key areas in which science and discovery centres play a deeply important role. Although some centres conduct research, their primary purpose is to serve as cultural institutions and visitor attractions that embed science within the UK’s cultural fabric, making it open, inclusive and aspirational. They maintain strong civic links with schools, teachers, industry, businesses and research partners, and they meet the growing demand for STEM education and learning opportunities for people of all ages, backgrounds and abilities. Through their engagement right across the UK, these centres enrich our cultural life, much like museums and galleries do for art and heritage. They deliver outstanding experiences that spark curiosity, foster critical thinking and build problem-solving skills, which are qualities that collectively drive innovation.

The Explore Your Universe: Valuing Inclusion programme has taken hands-on science into schools and communities that rarely have access to those opportunities, building confidence and inspiring future STEM careers. The Life Science Centre in Newcastle and Dynamic Earth in Edinburgh are active delivery partners in this national programme, bringing inclusive, practical physical science engagement to schools and families.

Through Next Gen Earth, centres are connecting young people with climate and environmental science, linking classroom concepts to real-world data and local action. The Centre for Alternative Technology in the constituency of my hon. Friend the Member for Montgomeryshire and Glyndŵr continues to play a leading role in this programme, helping young people to engage with climate science through hands-on workshops and youth-led projects. Mindsets + Missions has supported new ways for science and discovery centres and museums to co-create with local audiences, strengthening trust, inclusion and civic value, alongside scientific literacy. UKRI support, through its research councils, has been pivotal in enabling those programmes, aligning public investment with priority sectors and ensuring that research outcomes reach learners, teachers and under-represented communities nationwide.

The scale of these centres’ reach is remarkable. In 2024 alone, they welcomed over 5.2 million visitors, including hundreds of thousands of schoolchildren and families. More than 450,000 people from disadvantaged or under-represented communities were able to access the centres free of charge. Over the past two years, science and discovery centres have worked with 37% of UK schools, supporting the science curriculum and STEM skills in 96% of parliamentary constituencies. Importantly, these centres help us to tackle one of the biggest challenges in science and technology: diversity. Last year, 55% of visitors were female, and targeted outreach programmes are bringing science to communities that have historically been excluded from STEM careers.

Close to my heart, I am particularly excited about the way in which the centres speak to diversity of place as well, ensuring an offer for rural places, such as those highlighted by my hon. Friends the Members for Montgomeryshire and Glyndŵr and for Widnes and Halewood (Derek Twigg). That is the case right across every part of our Union, as represented so ably by Members’ contributions today from across England, Scotland, Northern Ireland and Wales—diversity not just in theory, but in practice.

I listened carefully to the concerns expressed by Members about the financial and operational challenges faced by the centres. As highlighted, many have ageing infrastructure, which needs replacement, and many operate as charities without a consistent funding stream. They often rely on low ticket prices to ensure that accessibility is a priority and to deliver on inclusive community engagement. I recognise those pressures, as we do right across Government, and we understand the difficult decisions that many centres face, but with limited income sources and major infrastructure needs, building financial resilience will be a key part of long-term success for the centres. I know that they will reflect on diversifying income and exploring innovative ways to strengthen sustainability as part of the solution.

I am also keen to highlight the available funding streams that UKRI will continue to provide, some of which may be of relevance and support to the centres. I am conscious of the focus on investment that delivers the greatest impact across the centres—working with centres to develop sustainable models and innovative partnerships will deliver on resilience and value for money.

Kanishka Narayan

- Hansard -

Copy Link

-

I thank my hon. Friend for her question and for her experience of science societies that she described so vividly. Historically, as I mentioned, UKRI has funded specific programmes. I am conscious that where there is available programme funding for eligible centres, they ought to ensure that they apply for it. I am keen to make sure that UKRI is working keenly and engaging with the centres, flagging up such funds as relevant.

Looking ahead, we remain committed to strengthening the STEM pipeline in collaboration with science and discovery centres, UKRI and industry, so that together we can inspire the next generation and secure the UK’s future as a science and technology leader. We will continue to champion programmes that broaden participation and that embed science in our culture, while exploring practical ways to support the infrastructure that enables the centres to thrive, always guided by the principle of long-term sustainability.

I am particularly conscious of the questions asked by Members from across the House. In response to the question about departmental engagement, I am keen—I have turned up here—that DSIT engages closely, but I am also conscious that the cultural contribution of discovery centres is a fundamental part of what motivates them and those who visit them. I am therefore keen to commit to close cross-Government working right across DCMS, DSIT and any other Departments.

I am keen not just to meet the low bar of having turned up to the debate as a Minister, but to take up the requests of hon. Members across the House to ensure that today is the start of the conversation, not the end of it. I am therefore delighted to commit to a meeting with my hon. Friend the Member for Montgomeryshire and Glyndŵr and with the Association for Science and Discovery Centres to progress the conversation in a tangible way as well.

On the question of potential sources of funding, whether underspends or Treasury, I am afraid that I have neither the power, nor—on this occasion—the willingness to commit to particular sources of funding and to write a fiscal event live in this debate, but I have heard loud and clear the concerns expressed about the funding resilience of science and discovery centres.

It would be remiss of me not to pay a personal tribute to the science and discovery centres. As true as the preference for magazines of the hon. Member for Winchester (Dr Chambers) is, it is also true that growing up faced with the choice between Techniquest in Cardiff Bay, and the cinema and bowling alley neighbouring it, I made a commitment to my parents—and I commit the same to the House—that my preference was always Techniquest.

On that note, I thank all Members who have spoken today. The debate has highlighted not only the extraordinary contribution of science and discovery centres, but the shared responsibility that we all have to ensure that they succeed in a sustainable way, and that the inclusive way in which they engage young people and families right across this country is maintained for as long as possible.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

It is a pleasure to serve with you in the Chair, Ms Butler, for my first Westminster Hall debate. It is a particular pleasure not only to have you bring your technological expertise to the Chair, but for the hon. Member for Strangford (Jim Shannon) to be reliably present in my first debate, as well as the UK’s—perhaps the world’s—first AI MP, my hon. Friend the Member for Leeds South West and Morley (Mark Sewards). It is a distinct pleasure to serve with everyone present and the expertise they bring. I thank the hon. Member for Dewsbury and Batley (Iqbal Mohamed) for securing this debate on AI safety. I am grateful to him and to all Members for their very thoughtful contributions to the debate.

It is no exaggeration to say that the future of our country and our prosperity will be led by science, technology and AI. That is exactly why, in response to the question on growth posed by the hon. Member for Runnymede and Weybridge (Dr Spencer), we recently announced a package of new reforms and investments to use AI to power national renewal. We will drive growth through developing new AI growth zones across north and south Wales, Oxfordshire and the north-east, creating opportunities for innovation by expanding access to compute for British researchers and scientists.

We are investing in AI to drive breakthroughs in developing new drugs, cures and treatments. But we cannot harness those opportunities without ensuring that AI is safe for the British public and businesses, nor without agency over its development. I was grateful for the points made by my hon. Friend the Member for Milton Keynes Central (Emily Darlington) on the importance of standards and the hon. Member for Harpenden and Berkhamsted (Victoria Collins) about the importance of trust.

That is why the Government are determined to make the UK one of the best places to start a business, to scale up, to stay on our shores, especially for the UK AI assurance and standards market. Our trusted third-party AI assurance roadmap and AI assurance innovation fund are focused on supporting the growth of UK businesses and organisations providing innovative AI products that are proven to be safe for sale and use. We must ensure that the AI transformation happens not to the UK but with and through the UK.

In consistency with the points raised by my hon. Friend the Member for Milton Keynes Central, that is why we are backing the sovereign AI unit, with almost £500 million in investment, to help build and scale AI capabilities on British shores, which will reflect our country’s needs, values and laws. Our approach to those AI laws seeks to ensure that we balance growth and safety, and that we remain adaptable in the face of inevitable AI change.

On growth, I am glad to hear the points made by my hon. Friend the Member for Leeds South West and Morley about a space for businesses to experiment. We have announced proposals for an AI growth lab that will support responsible AI innovation by making targeted regulatory modifications under robust safeguards. That will help drive trust by providing a precisely safe space for experimentation and trialling of innovative products and services. Regulators will monitor that very closely.

On safety, we understand that AI is a general-purpose technology, with a wide range of applications. In recognition of the contribution from the hon. Member for Newton Abbot (Martin Wrigley), I reaffirm some of the points he made about being thoughtful in regulatory approaches that distinguish between the technology and the specific use cases. That is why we believe that the vast majority of AI should be regulated at the point of use, where the risk relates and tractable action is most feasible.

A range of existing rules already applies to those AI systems in application contexts. Data protection and equality legislation protect the UK public’s data rights. They prevent AI-driven discrimination where the systems decide, for example, who is offered a job or credit. Competition law helps shields markets from AI uses that could distort them, including algorithmic collusion to set unfair prices.

Kanishka Narayan

- Hansard -

Copy Link

-

My hon. Friend brings deep expertise from her past career. If she feels there are particular absences in the legislation on equalities, I would be happy to take a look, though that has not been pointed out to me, to date.

The Online Safety Act 2023 requires platforms to manage harmful and illegal content risks, and offers significant protection against harms online, including those driven by AI services. We are supporting regulators to ensure that those laws are respected and enforced. The AI action plan commits to boosting AI capabilities through funding, strategic steers and increased public accountability.

There is a great deal of interest in the Government’s proposals for new cross-cutting AI regulation, not least shown compellingly by my right hon. Friend the Member for Oxford East (Anneliese Dodds). The Government do not speculate on legislation, so I am not able to predict future parliamentary sessions, although we will keep Parliament updated on the timings of any consultation ahead of bringing forward any legislation.

Notwithstanding that, the Government are clearly not standing still on AI governance. The Technology Secretary confirmed in Parliament last week that the Government will look at what more can be done to manage the emergent risks of AI chatbots, raised by my hon. Friend the Member for York Outer (Mr Charters), my right hon. Friend the Member for Oxford East, my hon. Friend the Member for Milton Keynes Central and others.

Alongside the comments the Technology Secretary made, she urged Ofcom to use its existing powers to ensure AI chatbots in scope of the Act are safe for children. Further to the clarifications I have provided previously across the House, if hon. Members have a particular view on where there are exceptions or spaces in the Online Safety Act on AI chatbots that correlate with risk, we would welcome any contribution through the usual correspondence channels.

Kanishka Narayan

- Hansard -

Copy Link

-

I have about two minutes, so I will continue the conversation with my hon. Friend outside.

We will act to ensure that AI companies are able to make their own products safe. For example, the Government are tackling the disgusting harm of child sexual exploitation and abuse with a new offence to criminalise AI models that have been optimised for that purpose. The AI Security Institute, which I was delighted to hear praised across the House, works with AI labs to make their products safer and has tested over 30 models at the frontier of development. It is uniquely the best in the world at developing partnerships, understanding security risks, and innovating safeguards, too. Findings from AISI testing are used to strengthen model safeguards in partnership with AI companies, improving safety in areas such as cyber-tasks and biological weapon development.

The UK Government do not act alone on security. In response to the points made by the hon. Members for Ceredigion Preseli (Ben Lake), for Harpenden and Berkhamsted, and for Runnymede and Weybridge, it is clear that we are working closely with allies to raise security standards, share scientific insights and shape responsible norms for frontier AI. We are leading discussions on AI at the G7, the OECD and the UN. We are strengthening our bilateral relationships on AI for growth and security, including AI collaboration as part of recent agreements with the US, Germany and Japan.

I will take the points raised by the hon. Members for Dewsbury and Batley, for Winchester (Dr Chambers) and for Strangford, and by my hon. Friend the Member for York Outer (Mr Charters) on health advice, and how we can ensure that the quality of NHS advice is privileged in wider AI chatbot engagement, as well as the points made by my hon. Friend the Member for Congleton and my right hon. Friend the Member for Oxford East on British Sign Language standards in AI, which are important points that I will look further at.

To conclude, the UK is realising the opportunities for transformative AI while ensuring that growth does not come at the cost of security and safety. We do this through stimulating AI safety assurance markets, empowering our regulators and ensuring our laws are fit for purpose, driving change through AISI and diplomacy.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

I beg to move,

That the Committee has considered the draft Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2025.

It is a pleasure to serve under your chairmanship, Mr Vickers. The draft regulations were laid before the House on 21 October. Before I proceed, I draw the Committee’s attention to the correction slip that was issued for the regulations in October. It relates to minor drafting changes in respect of the date of the Sexual Offences Act 2003 in the explanatory memorandum and the order of the words in the title of the offence inserted by paragraph (2) of regulation 2.

The Government have committed to taking decisive action against the most severe and damaging online harms. Through this statutory instrument, we are strengthening the Online Safety Act 2023 by creating new priority offences to tackle cyber-flashing and self-harm. This will ensure that platforms take stronger, more proactive steps to protect users from these harms.

There is compelling evidence that cyber-flashing and content encouraging self-harm are widespread and cause serious harm to individuals. The frequency of these harms is significantly higher among young age groups: of those aged 18 to 24, 9% had experienced cyber-flashing and 7% had experienced content encouraging self-harm. That means that across the country around 530,000 people in that age group have seen cyber-flashing and around 450,000 have seen self-harm content. That is clearly unacceptable.

Some 27% of UK users who were exposed to cyber-flashing reported significant emotional discomfort, and exposure to self-harm content has been shown to worsen mental health. A 2019 study found that 64% of Instagram users in the US who were exposed to self-harm content were deeply emotionally disturbed by it, and a 2018 study found that 8% of adults and 26% of children aged eight to 18 who were hospitalised after self-harming had encountered self-harm or suicide-related content online. Those figures demonstrate that the content is not isolated but widespread. It affects a significant portion of the online population.

As Members will know, the Online Safety Act, which received Royal Assent on 26 October 2023, places strong duties on platforms and services to protect users. Providers must assess how likely their services are to expose users to illegal content or to be used to commit or facilitate priority offences. Providers then need to take steps to mitigate the identified risks, including by implementing safety-by-design measures to reduce risks and content moderation systems to remove illegal content when it appears. The Act sets out a list of priority offences for the purposes of providers’ illegal content duties. Those relate primarily to the most serious and prevalent online illegal content and activity. Platforms need to take additional steps to tackle such illegal activity under their illegal content duties.

The draft regulations will add cyber-flashing and content encouraging self-harm to the list of priority offences under the Act. The offences are currently covered under the Act’s general illegal content duties, but without priority status. Without that status, platforms are not obliged to carry out specific risk assessments for harm to users that derives from this kind of harmful content or to put in place measures to prevent users from seeing such content in the first place. Stakeholders have welcomed the additions. Charities such as the Molly Rose Foundation and Samaritans have long campaigned for strengthened protections for vulnerable users.

The changes to the Act will take effect 21 days after the regulations are made, which can be done after the regulations are approved by both Houses. Ofcom, as the online safety regulator, sets out in codes of practice the measures that providers can take to fulfil their statutory illegal-content duties. The safety duties on providers to prioritise tackling self-harm and cyber-flashing will fully take effect when Ofcom makes the relevant updates to its codes on the measures that can be taken to fulfil the duties.

We anticipate that Ofcom will recommend that providers should take action in a number of areas. It could include content moderation, reporting and complaints procedures, and safety-by-design steps, such as providers testing algorithm systems to see whether illegal content is being recommended to users. Where providers fail to meet the duties, such as by not having proportionate measures to remove and proactively prevent this vile material from appearing on their platforms, Ofcom has robust powers to take enforcement action against them, including a power to impose fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is the higher.

The statutory instrument upgrades cyber-flashing and self-harm content to priority status, thereby strengthening the impact of the Online Safety Act and protecting users from such content. Service providers will be required to take more proactive and robust action to protect, remove and limit exposure to this kind of illegal content. That will ensure that platforms take stronger steps to protect users, reduce the prevalence of these behaviours online and help to make the internet a safer place for everyone.

Kanishka Narayan

- Hansard -

Copy Link

-

I thank Committee members for their valuable contributions to the debate. The update in the regulations will bring us closer to achieving the Government’s commitments to improve online safety and strengthen protection for women and girls online. We believe that updating the priority offences list with the new cyber-flashing and self-harm content offences is the correct, proportionate and evidence-led approach to tackling this type of content, and it will provide stronger protections for online users.

I will now respond to the questions asked in the debate; I thank Members for the tone and substance of their contributions. The shadow Minister, the hon. Member for Runnymede and Weybridge, raised the use of VPNs. As I mentioned previously in the House, apart from an initial spike we have seen a significant levelling-off in the usage of VPNs, which points to the likely effectiveness of the age-assurance measures. We have commissioned further evidence on that front, and I hope to bring that to the House’s attention at the earliest opportunity.

The question of chatbots was raised by the shadow Minister, by the hon. Member for Bromley and Biggin Hill, and by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted. Let me first clarify what I previously mentioned in the House: the legislation covers not only chatbots that allow user-to-user engagement but those that involve one-to-AI engagement and live search. That is extensive coverage of chatbots—both those types are within scope of the Online Safety Act.

There may be further gaps in the Act that pertain to aspects of the risks that Members have raised, and the Secretary of State has commissioned further work to ensure that we keep up with fast-changing technology. A number of the LLMs in question are covered by the Act, given the parameters that I have just defined. Of course, we will continue to review the situation, as both scope and risk need to evolve together.

Kanishka Narayan

- Hansard -

Copy Link

-

Let me be clear: there is no lack of clarity in the scope of the Bill. It is extremely clear to a provider whether they are in scope or not. If they have user-to-user engagement on the platform, they are in scope. If they have live search, which is the primary basis in respect of many LLMs at the moment, they are in scope. There is no lack of clarity from a provider point of view. The question at stake is whether the further aspects of LLMs, which do not involve any of those areas of scope, pose a particular risk.

A number of incidents have been reported publicly, and I will obviously not comment on individual instances. The Online Safety Act does not focus on individual content-takedown instances and instead looks at a system. Ofcom has engaged firms that are very much in scope of the Act already. If there are further instances of new risks posed by platforms that are not currently within the scope of the Online Safety Act, we will of course review its scope and make sure we are moving fast in the light of that information.

The hon. Member for Harpenden and Berkhamsted asked about child sexual abuse material. I was very proud that we introduced amendments last week to the Crime and Policing Bill to make sure that organisations such as the Internet Watch Foundation are engaged, alongside targeted experts, particularly the police, in spotting CSAM content and risk way before AI models are released. In that context, we are ensuring that the particular risks posed by AI to children’s safety are countered before they escalate.

On the question about Ofcom’s spending and capacity more generally to counter the nature of the risk, the spending cap at Ofcom allows it to enforce against the offences that we deem to be priority offences. In part, when we make the judgment about designating offences as a priority, we make a proportionate assessment about whether we believe there is both severity and the capacity context for robust enforcement. I will continue to review that situation as the nature of the offences changes.

Finally, I am glad that the Government have committed throughout to ensure that sexually explicit non-consensual images, particularly deepfakes, are robustly enforced against. That remains the position. I hope the Committee agrees with me on the importance of updating the priority offences in the Online Safety Act as swiftly as possible. I commend the regulations to the Committee.

Question put and agreed to.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

I am publishing a Command Paper delivering AI growth zones, setting out the Government strategy to ensure the United Kingdom remains a global leader in artificial intelligence by building the infrastructure that underpins AI development and deployment, creates jobs right across the UK and grows the economy.

Artificial intelligence is transforming economies and societies worldwide. Being an AI maker, rather than an AI taker, is a critical goal of our modern industrial strategy and today we set out how we will build out the UK’s AI data centre capacity to underpin this frontier industry and support the growth sectors of the UK. This is a strategic opportunity to drive growth, strengthen national security and improve public services. To seize this opportunity, we must build secure, resilient and sustainable compute capacity here at home.

The AI growth zones programme will accelerate the delivery of large-scale AI data centres by removing barriers to construction and creating the best possible environment for investment, while maximising the benefits for local people. The package announced today sets out:

A new north Wales AI growth zone, creating 3,450 jobs locally and delivering opportunities across both energy and technology sectors.

Reforms to accelerate grid connections, including prioritising connections for AI growth zones and enabling developers to build their own high-voltage infrastructure.

Targeted electricity price support for data centres in locations that strengthen the grid and reduce system costs.

Planning reforms in England to streamline approvals, update national policy guidance, and protect land for AI growth zones.

Measures to maximise local benefits, including an initial £5 million per site to benefit local communities.

A dedicated AI growth zone delivery unit, acting as a single front door for investors and co-ordinating delivery across Government.

Taken together, these measures have the potential to unlock up to £100 billion in private investment and create over 10,000 jobs.

Over the past 12 months we have secured over 70 billion of investment in AI infrastructure. Now, this ambitious programme will go further to secure our economic future and drive investment into parts of the country that have long been overlooked, securing the future of AI for local areas through new industries, skilled jobs and lasting economic growth.

[HCWS1057]

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

- Hansard -

Copy Link

-

In June 2024, Synnovis, a supplier of pathology services to the NHS, was the victim of a ransomware attack. Computer systems were hacked, private patient data was stolen, and IT systems were rendered useless. This resulted in disruption to services at five NHS trusts and local care service providers across several London boroughs, causing delays to over 11,000 out-patient and elective procedure appointments and, tragically, contributed to the death of a patient. For Synnovis itself, the financial impact of the cyber-attack is estimated at £32.7 million.

The internet is one of the greatest engines for creativity and innovation, transforming every part of our lives, from how we communicate to how we book an appointment with our doctor. It is embedded into every part of the critical systems we rely on daily, with huge benefits. However, as the attack on the NHS provider shows, the technology that underpins cyber-space—the invisible world where all our online activity happens—can be attacked and weaponised by those who mean to do us harm.

Vulnerability to cyber-attacks is not limited to the NHS. Last year, over 600,000 UK businesses were subject to a cyber-attack. Independent research commissioned by DSIT—published today—shows the average cost of a significant cyber-attack for a UK business is over £190,000. When taken at the level of the economy, this suggests an estimated annual cost to businesses of £14.7 billion, or 0.5% of the country’s GDP. These statistics and recent high-profile attacks serve as a sobering reminder that cyber-security is not a luxury, and all organisations should take steps to defend themselves.

The Government are taking a wide range of actions to improve cyber-resilience across the economy. This includes:

Writing to leading UK firms asking them to take urgent action on cyber-security. So far, over 130 firms have responded to the letter with details of the actions they are taking, including requiring suppliers to adopt the cyber essentials scheme.

Launching a new cyber action toolkit to help small businesses boost their online defences.

Offering free cyber-security guidance, tools, training and codes of practice.

Offering practical, hands-on cyber-security help to small and medium-sized enterprises via nine regional cyber-resilience centres.

The “Stop! Think Fraud” campaign, which provides advice to the public and small businesses on how to prevent fraud and cyber-crime.

But where organisations provide essential services that the public and businesses rely on every day, we must go further to ensure that appropriate and proportionate safeguarding measures are in place. As the CEO of the National Cyber Security Centre warned,

“the challenge we face is growing at an order of magnitude”.

Yet as the threat has grown more intense, more frequent and more sophisticated, our defences have become comparatively weaker. The UK’s only cross-sector cyber legislation—protecting the essential and digital services the public and businesses rely on every day, like the NHS, transport system and energy network—is out of date and no longer sufficient to tackle the cyber-threats faced by the UK.

As the Prime Minister has said,

“national security is the first responsibility of any Government—that never changes. But as the world changes, the way we discharge that responsibility must change with it”.

In response to the growing cyber-threat, it is crucial that we act now to enhance the UK’s security and resilience—to protect our essential public services, deliver a step change in UK national security, and underpin economic growth.

This is why today we will introduce the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament, updating the Network and Information Systems Regulations 2018 through three pillars of reform.

Expanded scope: The regime does not cover every UK organisation. It is about those services that are so essential that their disruption would affect our daily lives. The original regulations in 2018 brought into scope services such as the NHS, the transport system and the energy network. Since then, cyber-criminals are exploiting new routes—managed service providers, data centres and critical parts of supply chains—to threaten our way of life. Recent incidents impacting Marks & Spencer and Heathrow airport involved managed service providers, leading to considerable business disruption and interrupting check-in and boarding services, respectively. This reflects the interconnected economy we live in. By bringing into scope more of the core services relied on across the economy, UK businesses and public services will be more secure and resilient.

Effective regulators: 12 regulators are responsible for implementing these laws. This allows for a sector-specific approach, as different organisations are vulnerable to threats in different ways, such as through the technology they use. The Bill will drive a more consistent and effective regime, with expanded and more timely reporting of harmful cyber-attacks, a stronger mechanism for Government to set priority outcomes for regulators to work to, and a fuller toolkit for sharing information, recovering costs and enforcement.

Enabling resilience: The Government do not currently have the powers to head off the threats faced by the UK as they change and evolve. That is why the Government will be given the tools to quickly strengthen our cyber-security and resilience in response to the ever-changing threat landscape, such as bringing more sectors into scope or updating security requirements, and responding to imminent threats to our national security and way of life.

The measures set out today respond to the threat we face—protecting the public at home, putting national security first, and making the UK a safe and confident place to do business.

[HCWS1046]