#
My Lords, we are a proudly online nation, embracing interconnectivity in all walks of life. Cloud-based working, the rise of software as a service, the advent of artificial intelligence and more have rocketed the UK forward. They have enabled us to work faster, more efficiently and with more flexibility than ever before. However, with these advancements come risks. As the technology powering our modern economy has leapt forward, so too have the tools that our adversaries use to extort, disrupt and surveil. Last year, more than 600,000 UK businesses were subject to cyber attacks. This is not only holding businesses back; it is undermining our security. These are criminals and hostile state actors seeking to disrupt the very foundations of our country. The UK is now the most targeted country in Europe for cyber attacks. It is the duty of this Government to take bold action. We have been clear that all businesses must protect themselves from cyber attacks, but this does not mean regulating every single business. They know their customers and their suppliers, and they are best placed to protect themselves, using the free tools that we have provided. I commend those who have already signed our Cyber Resilience Pledge, and urge more to do so, committing to take the three simple steps recommended in it: making cyber a board-level responsibility and following the cyber governance code of practice; signing up to the National Cyber Security Centre’s early warning service; and taking a risk-based approach to requiring Cyber Essentials across supply chains. This is our government certification scheme to help organisations improve their cyber resilience. Cyber Essentials works. Organisations with it are 92% less likely to claim on their cyber insurance than those without it. Taking these steps can make a huge difference. However, where the risks are so great that public safety, the economy or our national security is threatened, it is right that we regulate. The Network and Information Systems—NIS—Regulations 2018 are the UK’s only cross-sector cyber legislation. They apply to operators of essential services in the energy, health, transport, drinking water and digital infrastructure sectors, as well as some digital service providers. The NIS regulations are designed to protect the security and resilience of our most essential services, to keep lights on, to ensure that taps keep running and to protect our NHS. We regulate only where we must, which is why the scope of the NIS regulations is precise. They are a targeted security intervention and the best tool in our arsenal to protect our most essential services. However, the regulations have fallen out of date. If we do not act, the essential services on which we all depend will remain under threat. That is why we have introduced the Bill. The Cyber Security and Resilience (Network and Information Systems) Bill is a vital opportunity to improve the UK’s defences. In fact, it is the first Bill in British history to have “cyber” in its title. It will update the NIS regulations for the modern age and ensure that the Government can maintain their effectiveness and respond to imminent national security threats. The objectives behind the Bill are threefold. First, it will safeguard the services on which our people rely most, making our essential and digital services more secure. Secondly, it will deliver a step change in our national security, improving our defences against the cyber attacks that threaten this country. Thirdly, it will better protect our economy. The UK will be a safer and more attractive place for businesses to establish themselves, thrive and grow. The Bill will achieve these objectives through proportionate and timely measures, which I will speak to in turn. First, the Bill brings more sectors into scope of the NIS regulations. As our economy becomes more interconnected, so do the routes that cyber criminals exploit. For example, data centres in the UK have become critical to nearly all our economic activity and public services. From NHS patient records to financial systems, these vast digital depots are a key part of the modern world. That is why data centres meeting the Bill’s thresholds will be regulated as essential services, ensuring that they take steps to secure their networks. The Bill also brings large load controllers under regulation. These are organisations that manage significant electricity flows to or from smart appliances. They must be safeguarded to secure our electrical grid and protect consumers using such appliances. We are also bringing large and medium managed service providers—MSPs—into scope of the NIS regulations. These are organisations offering ongoing services, such as remote IT support or cyber security threat management, to customers. MSPs have deep access into their customers’ systems. As more and more organisations rely on them, MSPs become an increasingly attractive entry point for disruption. Noble Lords will remember last April’s cyber attack on M&S. It involved a managed service provider being socially engineered, with attackers being able to gain access and compromise systems. We need to close this gap. But these regulations must be proportionate and targeted. Large and medium MSPs comprise fewer than one in 10 of the MSPs active in the UK but account for around 97.6% of the UK’s MSP revenue, so small and micro MSPs will be exempt from this measure. By targeting regulation where the risk and reach are greatest, we will protect almost all MSP customers without burdening small businesses. In limited circumstances, small and micro-businesses supply critical goods or services to the essential and digital services on which we rely. The Bill therefore enables businesses, including smaller companies, supplying critical goods or services to be designated as “critical suppliers”. This is designed to combat the cyber risks stemming from increasingly complex supply chains. Members may be aware of the 2024 attack on Synnovis, a pathology provider to some NHS trusts. Criminals thousands of miles away deployed ransomware and made Synnovis’s files unusable, delaying 11,000 appointments. This demonstrates the ripple effect that a compromised supply chain can have on the services at the ends. Duties that critical suppliers will be subject to will be set out in secondary legislation. I turn to our 12 NIS regulators, whose sectoral expertise is critical to protecting our essential and digital services. These regulators are often operating with one hand tied behind their backs. They do not have the information, resources or levers necessary to properly fulfil their duties. For instance, organisations need only tell their regulator about an incident once it has already caused significant disruption. Under the Bill, they will have to report more types of breaches, to their regulator and the NCSC, within 24 hours and provide a full report within 72 hours. This includes incidents such as pre-positioning and ransomware, where an incident may not cause immediate damage but poses a real threat to the UK economy or society. This will not only enable the NCSC to support those affected more quickly and warn others but allow the Government to better understand the threat landscape. Furthermore, the Bill requires digital and managed service providers and data centres to inform their customers about reportable incidents that are likely to adversely affect them. This way, customers can take appropriate steps to protect themselves. However, effective reporting must be matched by consistency. Our 12 regulators cover all NIS sectors and the UK’s four nations. We must utilise their sectoral expertise but ensure that the rules are applied consistently. We cannot allow any sector to become an easy target. This Bill enables government to designate a single set of strategic priorities, as well as objectives tied to them, that regulators must seek to achieve. This will complement the security and resilience requirements, to come in secondary legislation, setting clear, consistent expectations and putting good practice on a firmer footing. The Secretary of State will be required to consult the regulators on a draft of the statement before designating it. In addition, the Bill gives regulators new powers to recover their full regulatory costs from the organisations that they oversee. This includes enforcement costs, ensuring that this is not conducted to the detriment of a regulator’s books. Regulators must consult on how these fees will be calculated and publish a yearly statement to show how these funds were used. The Bill also raises the maximum penalty enforceable for regulatory breaches while simplifying the penalty bands for easier, more consistent application. Regulators must consider all circumstances of a case before setting a penalty. This is not designed to punish companies but to incentivise their compliance. The ideal scenario is no penalties at all. We are also fixing legacy issues concerning information sharing, so regulators can better understand what can and cannot be shared and with whom. All information shared must meet a specified purpose or require permission to be shared and be relevant and proportionate to the purpose for which it is shared. This Bill unties our regulators’ hands, giving them the information, resources and powers that they need to hold the line. That is what effective regulation should look like. Finally, the Bill contains some important measures to enable future resilience, ensuring that the NIS regulations remain effective into the future. This Bill introduces a targeted, essential set of delegated powers to enable the NIS regulations to keep pace with the ever-changing cyber landscape. These include powers by which the Government can bring new services or sectors into scope of the regulations, so long as they meet the Bill’s strict criteria, or make regulations to further mitigate the risks from security and operational compromises. In the majority of cases, these delegated powers will be subject to consultation and the affirmative procedure will apply. Today’s threats were unimaginable in 2018, so we must not legislate as though today’s threats will stand still. These are carefully targeted, and it would be remiss not to take this opportunity to provide for careful, proportionate delegated powers. In almost all cases of these powers, the Government must consult on any changes. Parliament will still have the final say over legislation made under these powers. Our delegated powers memorandum contains greater detail. In exceptional cases, even secondary legislation is too slow. Right now, if our intelligence community becomes aware of a NIS incident that threatens our national security, the Government have no emergency power within the NIS regulations to protect our people. This Bill provides powers for the Secretary of State to direct regulators and regulated entities where national security is threatened. This could entail instructing a sector to follow new guidance in response to a crisis or requiring an organisation to take technical steps to remove an intruder from a network. These are essential last-resort levers. The Bill has strong safeguards to ensure that they are used accordingly and only where strictly necessary for national security. This Bill is about protecting the foundations of a modern economy. Growth cannot flourish where essential services are vulnerable, where businesses are exposed to disruption and where hostile actors can exploit weaknesses. We are not choosing between security and growth; we are recognising that one depends on the other. This will help secure the services that our people rely on, give businesses the confidence to invest and grow and strengthen our national security in an increasingly dangerous world. I beg to move.
#
Con The Earl of Effingham
My Lords, I thank the Minister for introducing the Bill before your Lordships’ House this afternoon. His Majesty’s loyal Opposition support the objective which lies behind this legislation. The cyber threat facing the UK is growing incrementally, both in scale and in sophistication. From hostile states to organised crime, from ransomware attacks on our public services to increasingly complex attacks on critical national infrastructure, the need to strengthen our national resilience is indisputable. Many noble Lords will be familiar with a number of reforms contained within this Bill, predominantly because they originate from the review of the Network and Information Systems Regulations undertaken by the previous Conservative Government following the consultation that was launched in 2022. It should not be a surprise that we welcome measures to improve consistency across the various regulators responsible for enforcing the existing regime. However, support for the objectives of a Bill should never prevent your Lordships’ House from asking whether the legislation is sufficient and proportionate. Most importantly, noble Lords would be right to constructively challenge whether this legislation forms part of a coherent strategy. That should be a central question. We are being asked to scrutinise and revise one of the fastest-moving areas of public policy without the Government having first published the cyber strategy within which these measures are intended to sit. Ministers have described this Bill as merely one component of a wider programme to strengthen Britain’s cyber resilience, so it is entirely fair and reasonable to ask, “Where exactly is that programme? Where is the strategy? Where is the explanation of how these powers fit within the Government’s broader approach to protecting our digital economy and our critical national infrastructure?” Only last Thursday, we heard an Oral Question on the impact of AI in vaccine technology. It is obvious to all that AI is, regrettably, also transforming how cyber attacks are conducted, increasing both their scale and their sophistication. Hostile states have become more aggressive. Organised crime has become more capable. The boundary between economic security and national security has become ever more blurred. Yet little of that ever-shifting landscape appears to find expression within the Bill itself. In fact, artificial intelligence does not appear to feature in the legislation. Quantum cracking does not feature. Weaponised disinformation does not feature. The wider question of how government intends to respond to AI-enabled cyber threats remains unanswered. Nor does the Bill address the long-standing concerns surrounding the Computer Misuse Act, despite repeated calls from the industry for reforms that better reflect modern cyber security practice and remove the legal uncertainty facing legitimate cyber security researchers. Legislation in this field is unlikely to come before Parliament every year. That places a particular responsibility on noble Lords now to ensure that what is enacted today remains relevant, as much as it realistically can be, tomorrow.

Parliamentary information from Hansard, licensed under the Open Parliament Licence v3.0. Theme tags generated by AI — verify before use in briefings.