Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, what estimate her Department has made of the compliance costs for small and medium-sized enterprises resulting from the audit and assurance requirements in the Cyber Security and Resilience Bill.

The Impact Assessment of the Cyber Security and Resilience (Network and Information Systems) Bill considers the impact on small and medium-sized enterprises. This is available on gov.uk.

The Bill is also explicit that small and micro-sized managed or digital service providers are exempt from being designated as Regulated Managed or Digital Service Providers and can only be regulated if they are designated as critical suppliers, for which there will be a high bar for designation. This is by design, to ensure proportionality.

The government will take a proportionate approach to implementation, including the design of the secondary legislation, which will be consulted on and impact assessed. Small organisations will be able to respond to the consultation, and we welcome their views on these matters. This will be followed by an implementation period and guidance from government and regulators.