Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what powers the Government has to audit the cyber security of (a) UK critical national infrastructure operators and (b) their major suppliers.

In 2018 the Government put in place new powers under the Network and Information Security (NIS) Regulations which require the most significant operators in the energy, transport, health, water, and digital infrastructure sectors to manage cybersecurity risk, including from the supply chain. The Competent Authorities who regulate the critical national infrastructure operators in scope of NIS may inspect and potentially impose fines of up to £17 million. Outside of NIS any powers are sector specific. Expert technical support from the National Cyber Security Centre (NCSC) is provided to regulators and operators to ensure that cyber security risk is managed and mitigated in a consistent way across the UK’s CNI.