Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting) Debate
Public Bill Committees
The Chair
I remind the Committee that with this it will be convenient to discuss the following:
Schedule 1 table entries inserted by the new clauses below (sector | subsector | designated competent authority):
Food supply | Food supply chain | The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)
Local Government | Local Government | The Secretary of State for Housing, Communities and Local Government
Elections | Electoral infrastructure | The Electoral Commission
Government | Political parties | The Secretary of State for Housing, Communities and Local Government
New clause 1—Food supply chain to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The food supply chain subsector
11 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) after paragraph 10 insert—
(a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using—
(i) anything grown or otherwise produced in carrying on agriculture, or
(ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture;
(b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)—
(a) “producer” means a person who is carrying on agriculture, fishing or aquaculture;
(b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of—
(a) any fish or other aquatic animal,
(b) seaweed or any other aquatic plant, or
(c) any other aquatic organism;
“plants” include fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”
This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.
New clause 8—Local authorities to be regulated as essential services—
“(1) The NIS Regulations are amended as follows.
(2) In table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The Local Government Sector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph “local authority” means—
(a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly;
(b) in Wales, a county council or a county borough council;
(c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994;
(d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.’”
This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.
New clause 9—Critical manufacturing and retail sectors—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”
This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
New clause 11—Electoral infrastructure to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The electoral infrastructure subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to—
(a) maintain a register of electors containing more than 50,000 entries;
(b) issue, receive, or process postal ballots for a parliamentary or local government election; or
(c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
“(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.”’”
This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.
New clause 12—Political parties to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 10 insert—
‘The political parties subsector
11 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.
(3) In this paragraph—
“registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.’”
This new clause would designate political parties as providing essential services for the purposes of cyber security.
Lincoln Jopp (Spelthorne) (Con)
It is a pleasure to serve under your chairship, Mr Stringer. When we left off, we were considering the powers of the Secretary of State to bring new organisations within scope. I am a Conservative, and my view is that the best form of regulation is usually competition, so I am not actually volunteering these sectors for the guards. However, I want to understand the underlying logic as to why certain things have been included and certain things have not.
We have a fairly good guide as to what is essential. The reason we do is that we went through a global pandemic, and the following groups and organisations were designated as absolutely essential for the running of the state: health and social care, which is included; education and childcare, which is not; anything to do with the justice system; religious staff; public service broadcasters; local and national Government, which again is not in the Bill; food and other goods, which, as we discussed, are also not in the Bill, although they are in the new clauses; public safety and national security; transport; utilities; communications; financial services; and postal services.
That is the analogue I am putting to the Minister: we found out which things we really needed, we designated them as essential and we allowed them to continue during the covid pandemic. None of us particularly relishes being reminded of that time, but we owe it to the people who will be subject to the Bill to ask the Minister exactly what has been argued in and what has been argued out of scope, to understand how vulnerable the blank cheque we are issuing to the Secretary of State is to their including more and more in it, come the day of the races.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will start by addressing the questions raised by hon. Members, including the hon. Member for Spelthorne, who concluded by setting out a general philosophy of how we thought about what is in and out of scope, and then I will address some of the more specific concerns in the new clauses.
The overarching philosophy has not at all been to deny, as the hon. Members for Spelthorne and for Brecon, Radnor and Cwm Tawe argued, that there are a series of services that are absolutely essential. There is a category of critical national infrastructure, and there is a category of essential sectors and services that we identified in the pandemic. Although there is some overlap, a distinct segment for the Bill is operators of essential services such as digital services and managed service providers. The assessment there has been more about the immediacy and severity of the impact, and the availability of alternative provision in a very short time, which has meant that those sectors have been ruled in. I will lay out the logic of our position on the new clauses, which might help clarify this question, although I would be happy to engage further with hon. Members on it.
I am conscious that the hon. Member for Bognor Regis and Littlehampton and the shadow Minister raised very appropriate points about robustness and proportionality in relation to the Secretary of State exercising the powers in the Bill, so I will lay out the process and the role of Parliament.
In terms of the process for bringing new sectors or activities in scope, something must meet a specific, rigorous test to be defined as a new essential activity for the purposes of the Bill. The Secretary of State must be satisfied that the activity is essential to our economy or society. As I have mentioned, that is reserved for the most vital activities to our nation and acts as a high bar for inclusion, on the terms I mentioned to the hon. Member for Spelthorne.
In reaching a decision, the relevant Departments will need to carry out risk assessments and impact assessments and consider whether inclusion of those sectors and activities is proportionate. That is part of the normal policy development process. After that, the proposals will be subject to consultations and the affirmative procedure, ensuring the necessary scrutiny. Parliament will have the final say on the use of any expansive powers, as the vast majority of the changes I mentioned will be made through delegated powers and subject to the affirmative procedure. If a new sector is then brought into scope, we will undertake a phased implementation wherever possible, and organisations will be given adequate time to comply. Alongside that, regulations will be made in a controlled way and include consultations with relevant stakeholders before secondary legislation is laid before Parliament.
I make one final observation on the points that have been made, not least about Jaguar Land Rover. The UK Export Finance export development guarantee is not a bailout. UKEF receives payments for providing its guarantees, ensuring that the Government are appropriately compensated for the risk taken. In that context, a different assessment was made, as I hope to come to shortly.
More broadly, the Committee heard from expert witnesses that although the purpose of the Bill is clear, and its impact is a significant help for our national cyber-security and essential services, it or any other singular move is no silver bullet when it comes to our cyber-security. Different levers are effective in different parts of the economy and must be applied appropriately.
The most stringent lever the Government have at their disposal is legislation. As we have discussed in this and prior sittings, proportionality is key to the exercise of that lever. Regulation creates obligations and requires resources, so the pros of regulating must outweigh the costs. In the context of the Bill, that means protecting our society and economy from unacceptable risks with an immediacy of threat to our day-to-day life, not least our national security. That means things like keeping the lights on, the taps running and the NHS going, where there is little or no alternative provision of such services. We must also avoid creating unnecessary burdens where other measures are available.
In that context, I turn first to new clauses 1 and 9. The Government and the National Cyber Security Centre are clear that all organisations, whether a food supplier, an automotive giant, a supermarket or any other business operating in the UK, should take steps to protect their cyber-security and increase their resilience. That is why in October the Government wrote to FTSE 350 companies urging them to take three actions to strengthen their defences. First, they should make cyber-risk a board-level priority, and I know that that sentiment is shared across the Committee. Secondly, they should require suppliers to have baseline cyber-security through Cyber Essentials. Thirdly, they should sign up to the NCSC’s early-warning service.
The response has been encouraging already. A significant proportion of organisations have responded, with many of those responses coming directly from chief executive officers and chairs, showing the seriousness accorded to this by boards. Following the letter, we have seen increased interest in the Cyber Essentials website, uptake in early-warning registrations, and uptake in registrations for the IASME supplier check tool, which organisations can use to identify suppliers with Cyber Essentials certificates.
Beyond that, Departments and the NCSC deliver sector-specific support for key parts of the economy. On food specifically, the Department for Environment, Food and Rural Affairs and the wider Government have worked with the food and retail sector on cyber-resilience for many years, and we always stand ready to protect the UK food supply chain. During last year’s incidents involving Marks & Spencer and the Co-op, the NCSC and DEFRA worked closely with the affected retailers to support their response, to communicate advice and guidance and to assess the risk to food security. Following the attack, DEFRA Ministers wrote to major retailers to invite further collaboration on cyber-matters. Officials from both the NCSC and DEFRA are working with retailers to understand how we can best support them and the resilience of our food supply chain in the future.
Crucially, the food sector is unique among critical sectors for its high levels of industrial and geographic diversity. There are approximately 20,000 small and medium-sized food manufacturers alone spread across the UK, and many more farms, distribution centres, retailers and other types of businesses that form the UK’s food supply chain. As a result, it is a sector with few single points of failure. Its resilience is further strengthened by the steps that individual operators and suppliers are taking.
Finally, it is worth mentioning that the cyber-attack on Marks & Spencer last year, which hon. Members have raised, specifically involved the social engineering of a third party managed service provider. As the Committee is aware, the Bill brings large and medium-sized managed service providers into scope. That important change delivers downstream benefits across the wider economy, including for food retailers.
I will move on to new clause 8. The Government recognise that a step change in cyber and digital resilience is required across the public sector, including in local authorities. The Government’s cyber action plan is the overarching strategy to improve the cyber-resilience of Government. It will hold the public sector, including local government, to equivalent requirements to organisations regulated by the Bill. At the outset, the hon. Member for Spelthorne raised a question about schools and pupil data; where local authorities are the lead affected departments in that context, they would be expected to maintain very close oversight and compliance with the requirements and asks of the cyber plan, including in schools and the maintenance of pupil data.
Local authorities in England are accountable for their own cyber-security and resilience. The Ministry of Housing, Communities and Local Government, as the lead Government Department, is accountable for the sector-wide resilience of English local government, and is already taking a range of steps to support the sector, strengthen its cyber-resilience and manage its risks more effectively. For example, MHCLG has already provided £23 million of cyber grant funding and technical support to local government. That includes the delivery of clear cyber-security standards through the adoption of the cyber assessment framework—CAF—for local government. It is also aligned with the wider approach taken by organisations already in scope of the network and information systems regulations.
On social care specifically, as the lead Government Department for adult social care, the Department of Health and Social Care is working to ensure that the standards applied by adult social care providers are consistent with those used across Government and the wider public sector. The DHSC is investing a further £21 million over this Parliament to give care providers the support and guidance they need to improve their cyber-resilience and to enhance cyber-security standards to align with the cyber assessment framework. The MHCLG has also launched a local government cyber-incident response service to support English local authorities to respond to severe cyber-incidents, helping to limit the impact these have on data and services.
I now move on to new clauses 11 and 12, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe. The joint election security and preparedness unit—JESP—sits jointly between the MHCLG and the Cabinet Office. It was created by the defending democracy taskforce, a cross-Government unit, and works to protect UK elections and referendums by co-ordinating work across Government to respond to threats, including on cyber-security.
I know that the shadow Minister takes a keen interest in these questions on the run-up to elections, and he raised some important points. JESP works closely with the NCSC, which produces guidance for organisations involved in delivering elections, including local authorities. That includes advice to help IT practitioners implement security measures that will help prevent common cyber-attacks, as well as offers for direct NCSC support, including the NCSC’s active cyber-defence services.
The MHCLG as a whole is responsible for centrally managed digital electoral services covering voter registration, a postal or proxy vote, or a voter authority certificate. All systems and suppliers involved in developing and maintaining digital electoral services must meet strict cyber-security requirements, not least the MHCLG cyber-security assurance framework.
I will move on to political parties. JESP and the NCSC regularly engage with political party representatives to understand their requirements, monitor any cyber-infrastructure vulnerabilities and raise awareness about Government cyber-defence services. The NCSC’s active cyber-defence programme provides free security tools to help UK organisations, including political parties and local authorities, reduce exposure to common cyber-threats. The NCSC encourages all political parties to sign up to these, and offers individual candidate briefings to parties that wish to take them up.
Everything I have said reflects the Government’s current assessment of where regulation is needed to protect the core of our society and economy. Of course, we have seen that what is considered an essential service can change, and we also know that cyber-threats are constantly evolving. That is why the Bill will enable the Government to bring more essential activities and services into scope in future, and to take swift action if UK national security is at risk, in scenarios where the evidence suggests the pros outweigh the costs. However, at this stage we do not think that that is the case for new sectors. I therefore ask hon. Members not to press their new clauses.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clause 25
Statement of strategic priorities etc
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
To return to the point made by my hon. Friend the Member for Milton Keynes Central about the Bill’s provisions, the Bill looks at particular risks posed by hostile states, related actors and a wide range of other actors. Network and information systems for essential services and the identity of risk sources may be one consideration for organisations and regulators as well as the NCSC. The Bill does not look at specific actors but the outcome of the risk. Of course, hostile actors are an important part of that. I am happy to write to my hon. Friend about wider initiatives outside the Bill, particularly in the public sector, which I know is an important concern for her in relation to hostile state actors. There are a range of initiatives that the Government are taking forward in that context.
Clause 43 grants the Secretary of State the power to direct an NIS-regulated entity to take necessary and proportionate actions in response to national security threats. The power can be used where the entity’s network and information systems have been compromised or there is a threat of such compromise. The clause sets out the sorts of action that a direction could require. A direction could, for example, require an energy provider to take action to remove a hostile actor’s presence from their networks, in response to intelligence that a hostile state actor was pre-positioned for an attack.
Cyber-attacks on NIS sectors represent a serious and growing threat to the UK’s national security. High-capability actors and hostile states can mount increasingly targeted and sophisticated attacks. At present, however, the Government lack powers to require regulated entities to take necessary action in response. That gap could be exploited with increasing frequency and impact. The clause will remedy that, ensuring that the Government have the necessary powers to act quickly to protect our national security.
Lincoln Jopp
To take this a little bit beyond the theoretical, is the Minister suggesting that, where it is discovered that, for example, a major offshore wind power generation facility was fitted with remotely triggerable kill switches, triggerable by a foreign state or sub-state actor, the Secretary of State could require that energy company to remove whatever piece of hardware or software was producing that threat?
Kanishka Narayan
This group of clauses concerns the enforcement of directions issued by the Secretary of State. I shall speak to them in turn.
Clause 48 grants the Secretary of State the power to issue a notice of contravention where they believe an entity is failing or has failed to comply with requirements relating to a direction. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will also be able to issue a notification of contravention relating to an information notice or inspection issued by the regulator. It would not be appropriate for a regulator to judge compliance with a direction issued under clause 43 or any other requirement imposed by the Secretary of State.
Lincoln Jopp
What happens when the Secretary of State, via his various proxies—the regulator or whomsoever—gives a direction to a company to do something in the interests of national security, and the entity disagrees and says, “That simply won’t work, and it won’t solve the problem that you are seeking to address”?
Kanishka Narayan
I am reluctant to engage in the specifics of incidents without knowing the full range, but I would expect there to be an initial period of engagement to get to a position of agreement. Where the Secretary of State’s directions are not complied with in the context of a disagreement of the sort that the hon. Gentleman points out, penalties for non-compliance will be available to the Secretary of State. They will have to be justified both in the moment and subsequently, in the light of the particular provisions of the Bill.
The clause sets out the circumstances in which the Secretary of State and relevant regulators can issue a notice of contravention and the details that such a notice should contain, including the steps that an entity should take to rectify or remedy an act of non-compliance and the penalties that are being considered. The ability to issue a notice of contravention is an important procedural mechanism. It gives directed entities the opportunity to address non-compliance before penalties are imposed through a final confirmation decision, and increases the likelihood that the requirements of a direction will be met. That is vital, given the national security risks that a direction is intended to address.
Clause 49 empowers the Secretary of State to determine appropriate and proportionate penalties for non-compliance with a direction. It sets an upper threshold on what the penalties can be. For non-compliance with a direction, penalties are fixed at the greater of £17 million or 10% of turnover for undertakings, subject to turnover and undertaking being defined in regulations, and £17 million for non-undertakings. For requirements concerning the provision of information or inspections, the maximum penalty for non-compliance is set at £10 million.
Clause 49 also provides for daily penalties to be issued. These are set at £100,000 a day for non-compliance with a direction and £50,000 a day for related requirements. They will continue in force until the entity has complied with the relevant requirement. A regulator that has been tasked with monitoring a regulated entity’s compliance with a direction will be able to issue penalties for non-compliance with an information notice or inspection issued by the regulator.
These provisions have been designed to reflect the gravity of non-compliance with a national security direction and the necessity of ensuring that directed entities comply with the requirements that directions impose. It is also why the maximum penalties have been set at a significantly higher level than they have for the updated NIS enforcement regulations in clause 21. The better comparison in that context is the penalty threshold for national security powers in the Telecommunications (Security) Act 2021, which align with the provisions in clause 49.
Clause 50 grants the Secretary of State and, where relevant, regulators the power to issue a final confirmation notice for non-compliance with a direction or related requirements. The clause specifies that the Secretary of State or regulator can issue a confirmation notice where they have previously notified an entity of suspected non-compliance, and where they are now satisfied that non-compliance has occurred. The notice of confirmation is the mechanism through which the Secretary of State or regulator can issue their final determination about the actions an entity needs to undertake to correct or remedy a contravention, and the penalties it will need to pay, in accordance with the provisions in clause 49.
A confirmation decision can be issued only after a directed entity has had the opportunity to make representations about an earlier notice of contravention. Once it has been issued, the directed entity must comply with it, and this duty can be enforced through civil proceedings. In short, clause 50 ensures that a direction can be enforced effectively and appropriate action taken to penalise non-compliance.
Clause 51 sets out how penalties will be recoverable across the nations of the UK in the event of non-payment. Clause 52 grants the Secretary of State the power to enforce non-disclosure requirements imposed in relation to the issuing of a direction, notice of contravention or final confirmation notice. Failure to respect these requirements could harm national security, for example by exposing vulnerabilities in the UK’s essential services or the security mitigations being put in place to protect their network and information systems. As a result, it is crucial that the Secretary of State has adequate powers to enforce non-disclosure requirements. Clause 52 largely replicates the enforcement process for non-compliance with other requirements of directions issued by the Secretary of State. The maximum penalties will be £10 million or £50,000 per day.
I ask the Committee to support the clauses in order to enable the effective enforcement of directions issued by the Secretary of State to protect the UK’s national security.