Cyber Security and Resilience (Network and Information Systems) Bill
Oliver Dowden ExcerptsTuesday 6th January 2026
(1 week ago)
Commons ChamberRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Ian Murray
The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.
The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.
We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.
Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.
Sir Oliver Dowden (Hertsmere) (Con)
I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber-security is one of those things that Ministers talk about, but then other priorities overtake it. The advantage of legislative requirements is that they force Ministers to think about it. I urge the Minister to look at that point again as the Bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force Ministers’ minds on the point.
Ian Murray
The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.
The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.
Sir Oliver Dowden (Hertsmere) (Con)
It is a pleasure to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who has brought tremendous expertise to this debate. In my previous role overseeing national resilience and cross-Government co-ordination of national security threats, cyber-security was probably the one area that caused me the greatest number of sleepless nights. There has been a lot of talk in recent months and years about the increased need to defend the realm and the steps that need to be taken to address the defence of the realm.
We all know from past experience that the first line of any attack on the defence of the realm is highly likely to be through cyber-attacks. Indeed, in a completely different context, we need only to look at the public comments made by the President of the United States a couple of days ago about the first steps that the United States took in its intervention in Venezuela: he talked about the United States’ capability to knock out the power supply there. If we look at our adversaries, particularly Russia, North Korea and Iran, we can see that they are actively inculcating and encouraging environments in which cyber-attacks can be planned and take place. Whether that is done explicitly by private sector individuals or with the connivance of the state, a deliberate grey zone is created, with the desire to increase knowledge of cyber-risks to the United Kingdom and our allies, and to carry out penetrative attacks to that effect. We are likely to see this grey zone warfare continue to increase as a result of the actions that we see in Ukraine and elsewhere.
We just have to look at our own experience. Many hon. Members have made the point that the initial attack on JLR rapidly cascaded and affected many others in the supply chain. From the Government’s own research and testing—this is in the public domain—one sees that a cyber-attack can rapidly cascade into other areas. For example, when we test the impact of a cyber-attack on our electricity system, it rapidly cascades into our water system, which is dependent on electricity. Clearly, it also rapidly cascades into our transport system. Before long, a small cyber-attack becomes a very, very large cyber-attack. In common with all other advanced countries, the United Kingdom is highly exposed to cyber-attacks—a point that I made repeatedly from the Dispatch Box.
I welcome this legislation and the steps that the Minister has outlined today, but I gently caution against what he said. I do not think it was his intention, but he said that this legislation will fix the cyber-security problem. It will not fix the cyber-security problem. No single piece of legislation is ever going to fix the cyber-security problem, nor is this a question of good guys and bad guys or of, “The last Government did nothing, and this Government are doing something.” Each Government must have a fresh look at the challenges of cyber-security, and take necessary and proportionate steps to address the risks.
Matt Western
Given the right hon. Gentleman’s extensive experience, it is very interesting to hear what he says. If he had his time again—this is not to criticise the previous Government, but to ask about the here and now—would he think that this area needs an absolute focus from across Government and across society, because it is such a crucial part of our defence?
Sir Oliver Dowden
Yes, I totally agree. Indeed, that is why the National Cyber Security Centre, working in conjunction with the last Government and now the current Government, has set out the whole-of-Government approach. It cannot just be about the actions of individual Government Ministers or individual actors in the private sector; the whole of Government need to act together.
On the further steps we could and should have taken—this goes back to my intervention on the Minister—I do think that more pressure needs to be brought to bear on Ministers in terms of their accountability for cyber-security, and I fear that if we do not put this into primary legislation, it can slip further and further down Ministers’ in-trays. Although Ministers have a desire to address it, more pressing and immediate problems distract their attention.
I have some constructive suggestions about how we can improve the proposed legislation. The first is about many of the powers being delegated to secondary legislation or ministerial direction. I do not have a problem with that, because it is essential that we have a framework piece of legislation and then the flexibility to allow secondary legislation to be brought forward to address challenges as they arise, but I urge Ministers to undertake a meaningful and mandatory consultation on any secondary legislation that comes forward, so that businesses and others can contribute to it.
I also caution against Ministers devolving to regulators their duties in respect of cyber-security. Too often—again, this applies to Governments of both colours—regulators are empowered to address cyber-security problems or any other problems. They then charge off in one direction and fail to take into account questions such as proportionality—the impact of the regulations versus their economic burden—and Parliament and Ministers cease to have a significant role. I urge Ministers to keep a tight grip on regulators and on the instructions that they give them.
I would also be a little cautious about some of the arguments made by hon. Members about the need constantly to expand the scope of this legislation to further areas of the private sector. It is very easy for us in this Chamber to talk about the need for further legislation, but when a small business is faced with a huge Act and required to interpret it, it looks a very daunting prospect. My preference would be to continue the sort of co-operation that we have seen through the whole-of-society approach advocated by the NCSC.
On proportionality, I urge Ministers to embrace AI. There are opportunities to use AI to triage incoming attacks and avoid duplication, for example, and a lot of streamlining of the system can be done in that area. On the flipside of AI, we must take very seriously the risk of cyber-attacks posed by agentic artificial intelligence. It appears that we reached an inflection point in November 2025, when Anthropic reported disrupting what it described as the first large-scale cyber-espionage campaign executed largely via agentic AI. We are likely to see much more of this. I would welcome the Minister saying in his concluding remarks what the Government intend to do to ensure that we keep up with this threat, because we are only in the foothills of the risk posed by agentic AI.
Further to the point about the role of the public sector, 40% of incidents handled by the National Cyber Security Centre when I was the Minister responsible were from the public sector, so I question the exclusion of the public sector. I appreciate that the Government have announced a plan. I have not had a chance to look at it, but I can imagine what it contains broadly. The key thing is what stick is applied to public officials and Ministers, outside the core responsible Government Departments, to make sure that they take their responsibilities seriously, so I think some legislative proposals may be needed in that area.
Similarly on budgets, again the core responsible Departments—the Cabinet Office and the Department for Science, Innovation and Technology—will prioritise cyber-security. I fear that other Departments may not, so there is a strong argument for ringfencing cyber-security budgets for all Departments so that money cannot be transferred to more pressing short-term problems, as has often been the case, particularly, for example, in the NHS.
It is very important that we do not overlook the basics. It is very easy to talk about legislation or to talk in high-level terms about threats, but probably the single biggest thing we could do to deal with cyber-risks in this country is to make sure that every time every single business and private individual gets one of those annoying pings on their phone saying that they need to upgrade their software to the latest operating system—it is the same with their PCs, iPads and so on—they do so. That is done by providers, because they know that there is a cyber-risk, and there is a patch to address it. If the patch is applied immediately, that can have a huge effect on the resilience of the whole of society, and the NCSC constantly puts out that message.
We need to look at our resilience in society as a whole when we have a major cyber-attack. We have had major cyber-attacks, but they have tended to be in just one sector, albeit with cascading effects, as with JLR. We have not yet had a whole of society cyber-attack—either one that flows out of control from a criminal attack, or a deliberate attack from a hostile state cascading widely across all of society—affecting our electricity, water supplies and so on. I fear that it is only a matter of time before that happens, and we need to look at the resilience of individuals, including the ability to have analogue systems such as battery-powered torches, rather than electric torches, and so on. I started the work on that as a Minister, and I think more needs to be done in that space.
We also need to look at the question of emergency communications. It was certainly my experience that public sector broadcasters—such as, I think, the BBC—are not required to take emergency communications from the Government in such situations. I think that is a loophole that could be exposed in such a situation.
On resilience more broadly, we are in the foothills of the impact of AI. We are going to see vast impacts on employment and how people lead meaningful lives as AI advances more and more rapidly. For the resilience of our society, this House needs to have a much wider debate—not on this Bill, but more generally—about how we address the epoch-changing challenges we are facing.
In conclusion, I think this is a welcome piece of legislation and an important step forward. My hon. Friend the Member for Hornchurch and Upminster (Julia Lopez) correctly highlighted the very important challenges, and they will need to be addressed as this Bill passes through the House. I think it is an important step forward, but it is only one step, and once this legislation is enacted, we will need to be prepared to return to this issue again and again.
Independent Football Regulator
Oliver Dowden Excerpts(2 months ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.
Each Urgent Question requires a Government Minister to give a response on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Lisa Nandy
I know that my hon. Friend is a fantastic champion for her constituents, and that this is something they care about. Both the Minister for Sport and I have heard the strength of feeling from the national league. This matter is not within the scope of the Independent Football Regulator—we deliberately kept its remit tight so it could focus on the many issues that have been raised, not least by my hon. Friend the Member for Sheffield South East (Mr Betts)—but I know that what has been said has been heard by the EFL, and the Government will continue to follow this closely.
Sir Oliver Dowden (Hertsmere) (Con)
I like and respect the right hon. Lady and I do not doubt her sincerity, but I do wonder whether she would have been quite so forgiving had I chosen to appoint a Tory donor to lead this regulatory body. Moreover, although I supported the establishment of the regulator and, indeed, initiated it at the time of the risk of a European Super League, I fear that since then the regulator has become excessively bureaucratic. It risks deterring international investment and the broader investment in the game that has been so beneficial for it. Does the right hon. Lady think that it might be time to look again at this regulator, and to put more emphasis on self-governance in football? I think that in recent years, it has shown itself to be capable of stepping up to the challenge.
Lisa Nandy
I thank the right hon. Gentleman for the tone that he has taken, but I must say to him that if he does not think that David Kogan was fit to be considered because he was a Labour donor, his party should not have put him on the list while knowing full well that he was a Labour donor, or, indeed, appointed him to the board of Channel 4. I appreciate that it is inconvenient for the Opposition, but I am afraid that that is the fact of the matter.
The right hon. Gentleman asked whether it is time to reconsider the Independent Football Regulator. Football fans were promised in 2021 that the last Government would act to deal with the many problems that we had seen in football clubs throughout the country, but they had to wait for a Labour Government to make good on that promise. In October this year, the Minister for Sport was able to confirm that Mr Kogan had been appointed and that we would start that work immediately. He has had a few weeks in which to get on with the job, and he has already achieved more in that time than the last Conservative Government achieved in 14 years.
BBC Leadership
Oliver Dowden Excerpts(2 months ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lisa Nandy
I do agree with my hon. Friend. As well as the very important issues around standards, I would add trust, accountability and independence from Government—any Government, including ours—because the BBC plays a critical role in holding up a mirror not just to society but to Governments of all political persuasions. I would add that the BBC has always been one of the strongest drivers of the creative industries across every nation and region. As part of the charter review process, we will be working to strengthen that to make sure that the BBC is able to tell the story of our whole nation, and not just some of it.
Sir Oliver Dowden (Hertsmere) (Con)
I join the Culture Secretary in paying tribute to the director general of the BBC—I found him helpful on issues such as antisemitism—but the problem with the BBC goes much deeper than the current leadership. Does she agree, first of all, that it goes to the cultural disposition of the BBC? People who work for it have an overwhelmingly metropolitan outlook and obsess about issues such as Black Lives Matter and Palestine in a way that suburban and provincial England does not obsess? Moreover, my constituents are sick of waiting for the lecture from the BBC in output such as drama. That is the case from other broadcasters, but the difference with the BBC is that my constituents pay for it. There is a real problem with the BBC now, whereby many people feel that it represents half the United Kingdom and not the other half. Does she agree that, for those of us who want the BBC to succeed, that must be addressed as a matter of urgency?
Lisa Nandy
The challenges the right hon. Gentleman describes do not specifically relate just to the BBC. I have voiced concerns, as have many Conservative Culture Secretaries previously, about the overwhelming concentration of the media industry in one background and from one region. I believe, as many of my Conservative predecessors have done, that that needs to change. I would caution focusing particularly on the BBC, because that is a problem for the media industry as a whole and therefore for the public debate. The BBC over the years, through its work at Media City in Salford and at Digbeth Loc in Birmingham, is one of the organisations that is at the forefront of changing that. I agree with the right hon. Gentleman, though, that there has to be a level of internal challenge within any successful organisation. In the discussions I have been having with the chairman of the BBC and the director general in recent days, that has been the subject of many of the concerns that I have raised.
Football Governance Bill [Lords]
Oliver Dowden ExcerptsMonday 28th April 2025
(8 months, 2 weeks ago)
Commons ChamberRead Full debate Football Governance Act 2025 View all Football Governance Act 2025 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: HL Bill 59-II Second Marshalled list for Report - (13 Mar 2025)
Sir Oliver Dowden (Hertsmere) (Con)
I refer to my entry in the Register of Members’ Financial Interests. Wherever I have been in the world, whether it is in Hertsmere or at the United Nations, I am always asked two questions: “When did you meet the late Queen?” and “Which football team do you support?” Such is the strength and reach of English football.
As I have said to this House before, English football is a cherished cultural and soft power that ranks alongside our greatest museums, galleries and stately homes. Indeed, I saw that again this Friday at my brilliant local club, Boreham Wood FC, led by the indefatigable Danny Hunter. Three generations of his family have sustained that club, sustaining community life, providing education, nurturing us through covid and facilitating the next generation of stars to rise all the way to the top of the premier league. I did not hesitate to act when English football was threatened by the rapacious greed of the proposed European super league, which would have deracinated six of our greatest clubs. It is in that resistance to the ESL that the roots of this Bill lie. The then Prime Minister, Boris Johnson, threatened a “legislative bomb”, which resulted in us bringing forward the governance review led by my excellent former colleague, Dame Tracey Crouch.
In our consideration of this legislation, I caution that English football survives on cut-throat competition in which the rewards for victory are high and the costs of failure are equally high. It is also dependent on significant levels of global investment. Well-structured investment is not a threat to English football: it is one of its great strengths. I could list many examples. We have Manchester City, which is backed by the Abu Dhabi United Group and which has posted record revenues of more than £700 million and profits of £73 million based on solid equity, not risky leverage. That is exactly the sort of leverage that is demanded. Likewise, Newcastle United’s new ownership, led by the Public Investment Fund, has brought more than £300 million of fresh investment without debt, so we have a thriving team and jobs created, with silverware returned. Beyond the premier league, we have seen what the injection of funds at Wrexham has done for its extraordinary ascent through the league. And at Tottenham Hotspur, their fabulous stadium is now expanding to include things like the Eubank-Benn masterclass at the weekend.
This all leads to the core question before the House, which I have very little time to address, but I will try to make my point succinctly. There is undoubtedly a case for regulation. The pyramid is not working, with £100 million for TV rights at the bottom of the premier league as opposed to £4 million at the top of the EFL. We need to address that—it is not sustainable. Likewise, the movement from the national league to the EFL is something that we need to expand, as exemplified by the 3UP campaign. However, before we go down this path, we should look at how circumstances have changed in the past year. Look at the change in the global investment environment, principally as a result of instability in the US, and at the national insurance hike faced by every club up and down the country. Is this really the right moment to proceed with further regulation?
Based on my 20 years’ experience in and out of government, I caution the House that when a regulator is created, however benign the intention, a self-serving bureaucracy always seeks to expand its scope over time. That will be the case for this piece of legislation, and this regulator will be on the front and back pages of the newspapers every single day. We have already heard arguments from Lib Dem colleagues for expanding the scope of the regulator before it is even up and running. In this changed environment, and given measures such as the backstop and its application to the pyramid and to parachute payments, I think there remains a window in which we can threaten this kind of regulation but not actually introduce it, because I fear the damage it will do.
Sir Oliver Dowden
I regret that I cannot give way. For the reasons I have described, I will be voting accordingly at the end of this debate.