Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, what assessment he has made of the adequacy of the Cyber Security and Resilience Bill's incident reporting criteria for capturing novel failure modes arising from autonomous or adaptive machine learning systems in critical national infrastructure.

The Cyber Security and Resilience (Network and Information Systems) Bill makes vital updates to the Network and Information Systems (NIS) Regulations 2018 to ensure that providers of the UK’s essential services are reporting more forms of harmful cyber incident to their regulators. Where these incidents meet the threshold of a reportable incident, they will need to be reported to the relevant regulator regardless of the cause. This will include incidents caused by the failure of autonomous or adaptive machine learning systems within a regulated entity’s network and information systems.