Question proposed, That the clause stand part of the Bill.

Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.

The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.

The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.

I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?

I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.

On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.

The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this Clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.

I commend the clause to the Committee.

Clause 17 will amend the NIS regulations to provide a framework for regulators to impose charges on regulated entities to recover the costs incurred by them in carrying out their supervision and enforcement functions. The Government’s explanatory factsheet supporting the Bill suggests that those changes are needed to ensure that regulators are

“better resourced to carry out their responsibilities.”

We have heard at length from witnesses in oral evidence sessions that resourcing is a key consideration for regulators in meeting their new and expanded obligations under the Bill. The concept of our regulators’ being better funded is good. However, as with much of the Bill, the lack of detail around the regulator charging model is causing uncertainty among regulated entities that would be liable to meet the associated costs.

Several aspects of the proposed charging regime require further elaboration, including the intention to enable authorities to recover the costs “or expected costs” incurred in connection with their functions. That involves a heavy degree of cost forecasting on the part of the regulators, which is to be expected to a certain extent, but what guidance will the Government provide to ensure that the approach to estimating costs is both transparent for regulated entities and consistent across regulators?

Furthermore, the clause establishes that charges payable by regulated entities under the scheme

“need not relate to the exercise of functions” in relation to that organisation. That may be common practice on a smaller level in professional regulatory models where the members, such as doctors, lawyers and accountants, pay a fee for oversight functions to the regulator, which may not regulate them personally. On that basis, I should declare an interest: I am registered under the General Medical Council and therefore regulated accordingly. However, in circumstances such as the regulation of cyber-security, regulatory activity may involve protracted, technically complex investigations involving multiple personnel over many months, or even years. The costs associated with that type of activity are substantial.

The Government said that

“cost recovery measures will be brought into force through secondary legislation following Royal Assent. This will ensure that regulators have time to prepare and conduct consultations on fee regimes.”

Can the Minister give any indication now on how cost recovery charging is likely to be distributed among sectoral entities? Will larger organisations be asked to meet a greater proportion of the costs, or will there be a flat regulatory fee across all entities that is topped up by reference to size or risk profile?

Another objection raised by industry stakeholders is that the charging regime effectively acts as an additional operational tax—one that, at present, is not possible for regulated entities to ascertain or plan for as part of their budgeting. Industry representatives have pointed out that funds allocated for regulatory fees are often diverted from operational security measures. For SMEs and mid-sized MSPs in particular, these charges represent a tangible reduction in available capital for technical controls and innovations. Any charges must therefore be transparent, proportionate and justified.

Another concern is that a regulator funded by organisations within the remit of its oversight may have reduced incentives to prioritise efficiency in the exercise of its duties. Which comparable regulatory regimes have the Government looked at for inspiration in planning this funding model? Which regulators are regarded as successful in their approach to oversight and enforcement and is there any correlation between that and their funding models?

The Shadow Minister raised two main points that I am keen to address. The first was about ensuring that I committed to next steps on potential guidance for the charging scheme. I can confirm that the Government will issue guidance for competent authorities. That will include general directions on how the fee regime ought to be implemented. At the same time, we do not intend to be prescriptive as to how competent authorities should recover costs to benefit from their experience and practice in setting up these regimes. It is important that each regulator is able to tailor their fee regime in a way that is consistent with and complementary to the state of their sector.

On the subject of charging and money, has the Minister had the opportunity to revisit his own impact assessment on the basis that there might be a glitch in the matrix? It says on multiple occasions that the hourly salary for a contract lawyer is £34 an hour. When we discussed it last week, I contended that this was totally unrealistic, probably to a factor of 10.

I am reminded of the hon. Member’s point last week. I am happy to write to him on the basis of the precise figure in the impact assessment, which I understand to be based on not just an extensive survey but the application of subsequent uplifts. I am more than happy to continue that conversation in correspondence.

On factors that ought to be considered in setting up charging schemes, I mentioned some, such as size and turnover, but I will flag that those are suggestive and indicative rather than exhaustive factors that regulators may consider. Regulators ought to be able to set different levels of fee for different types of organisations. There is also provision to exclude organisations from a charging scheme altogether if it would be disproportionate or counterproductive to include them. It is appropriate that regulators and competent authorities can vary their charging schemes in the light of that.

On current regulatory performance and its correlation with charging schemes, I have not observed any direct correlation. What I have seen, simply, is that some regulators are clearly doing well. We heard in evidence from a range of participants that in some cases things are working particularly well and that, in others, there is more scope for improvement. That is precisely why the Bill sets no fundamental lowest common denominator for how regulators ought to approach either charging or their enforcement duties; instead, it ensures that we are conducting oversight of each regulator as robustly as possible. I assure hon. Members that the question of regulatory enforcement is central and that the motivation behind the charging scheme is precisely to ensure that regulators are well resourced to implement the Bill.

Question put and agreed to.

Clause 17 accordingly ordered to stand part of the Bill.