I beg to move Amendment 14, in Clause 18, page 38, line 31, at end insert—

“(aa) otherwise in connection with—

(i) the security and resilience of network and information systems, or

(ii) any other matter relating to cyber security and resilience,”.

This amendment would allow NIS enforcement authorities to share information with persons listed in regulation 6(2) (inserted by clause 18), and such persons to share information with NIS enforcement authorities, for purposes relating to the security and resilience of network and information systems or cyber security and resilience.

With this it will be convenient to discuss the following:

Government amendments 15 to 18

Clause stand part.

The Clause introduces vital reforms to how information can be shared in the context of the NIS framework. Right now, as we have heard again and again from both hon. Members across the Committee and witnesses, the NIS regulations have limitations that restrict how and with whom information can be shared. That has serious implications for the effectiveness and efficiency of the regime including business burdens as well as the ability of the UK’s authorities to act on national security or criminal intelligence.

One important limitation in the current regulations is the inability of regulators to share information with many public authorities in the UK and vice versa. For example, NIS regulators currently cannot share information to support the evaluation of the NIS framework or policy development relating to cyber-resilience and national security. The clause addresses those concerns by enabling information to be shared between NIS regulators and UK public authorities, including the Government. That will be done for the purposes of supporting the NIS regulations as well as wider objectives alike, reducing business burdens and for national security and crime purposes.

The clause also imposes strict requirements and safeguards on how the information can be further shared. The net effect of the changes will be fewer burdens on business, better and more informed regulatory decision making, joined-up incident response and improved security for the United Kingdom.

Government Amendment 14 makes targeted but important changes to the clause. It proposes a further ground for sharing information focused on wider cyber-security and resilience outside the context of the NIS regulations and NIS sectors. In practice, it means that NIS regulators will be able to share information with regulators who are responsible for overseeing the cyber-security and resilience of other vital sectors under different regulatory frameworks and vice versa.

The amendment is a crucial addition to the Bill. It means that the UK’s regulators can think holistically about the risks that their sectors are facing, the interventions they propose to take and the obligations they are placing on business. That in turn will mean better outcomes, more effective and informed incident response, more co-ordinated oversight and lower business burdens.

The amendment will be particularly important in supporting co-ordination with the financial regulators responsible for the critical third parties regime, which could be used to designate organisations already in scope of the NIS regulations such as cloud service providers. It also anticipates the need for co-ordination for other sectors, such as civil nuclear and space, in the future. In short, the amendment is necessary to ensure that UK regulators can take a more co-ordinated approach to protecting the UK’s most essential services.

Government amendments 15 to 18 are consequential on amendment 14. I urge the Committee to support the amendments, and I commend clause 18 to the Committee.

Clause 18, which the Government seek to modify through amendments 14 to 18, creates new pathways for information sharing between regulators, public authorities and Government Departments. It also creates a power for NIS enforcement authorities to share information with relevant overseas authorities for specified purposes. The new regime is intended to remove gaps and ambiguities in the existing framework governing the sharing of information obtained in the course of competent authorities and the oversight role of NCSC, and to create legal certainty in this domain.

In turn, it is anticipated that greater information sharing will assist with the detection of crime, enforcement activity and awareness of emerging cyber-risks and with ascertaining the effectiveness of the NIS regulations in building UK cyber-resilience. In particular, the Bill creates a new gateway to ensure that NIS regulators can share information with UK public authorities, and vice versa, as well as sharing and receiving information from organisations outside of the NIS framework, for example other regulators or bodies such as Companies House.

The Bill strengthens safeguards on how information can be used once it has been shared under the NIS regulations by restricting onward disclosure. More effective information sharing will be vital for competent authorities to keep up to date with emerging risks and building resilience in their sectors, and the new measures were broadly welcomed by regulators in our oral evidence session.

However, industry bodies such as techUK have called for further detail on the new information-sharing regime. What steps are the Government taking to ensure that regulators share responsibility for protecting sensitive data, and that information-sharing processes are coherent, proportionate and secure? Could the Minister elaborate on the discussions he has had with regulators on those matters, and on how secure information sharing will work in practice?

Finally, on the detail of the text in Government Amendment 14, proposed new paragraph (aa)(ii) refers to persons

“otherwise in connection with…any other matter relating to cyber security and resilience,”.

Given that this is an information-sharing power, that seems a remarkably broad “any other matter” provision. What disclosures that are not already covered in the Bill does the Minister conceive will come up in that scope? What guidance or consultation will the Minister produce to make sure that such powers are proportionate and not at risk of abuse?

Again, I welcome the Government amendments and Clause 18; they are important to enabling us to share our vulnerabilities in an appropriate way with those people who may be involved. However, some of the aspects of those vulnerabilities that security services—GCHQ, His Majesty’s Government Communications Centre and others—raised with us relate particularly to not only foreign interference, but the potential for interference through technology embedded in our networks. How does the Minister see the measures working within our co-operation with different foreign nations, particularly during these volatile times?

In response to the Shadow Minister’s first question about ensuring sensitive handling of shared information and proportionality, all information handled by regulators ought to be treated carefully and with awareness of its importance. The regulators have to act reasonably, and the NIS regulations specifically require information obtained from inspections to be held securely. Of course, data protection Laws apply to regulators as well. Alongside that, regulators will be required to consider the relevance and proportionality of sharing their information to the purposes set out in the Bill; as I have mentioned, the Bill includes specific purposes for why information might be shared.

On the broader concern about ensuring that the grounds for further sharing are tightly scoped and, as suggested by the shadow Minister and my hon. Friend the Member for Milton Keynes Central, that they are sufficiently expansive to cater to a range of attack vectors, not least hostile states and associated actors, it is perhaps helpful to set out the motivation for Amendment 14. We have been engaging closely with relevant regulators and Departments as we develop the Bill. Feedback from those discussions has demonstrated the need to make changes, so we are acting promptly to ensure that they are reflected in the Bill.

The amendment permits NIS regulators to share information with other public authorities for the purposes of cyber-security and resilience, and only where the information shared is proportionate and relevant to the purpose set out in the Bill. I would not want to specify with prescriptive detail what that is, in the light of the concern raised by my hon. Friend the Member for Milton Keynes Central about the varying nature of attack vectors for cyber-security. I hope that I have provided some assurance that the amendment has been developed closely with relevant regulators.

Amendment 14 agreed to.

Amendments made: 15, in clause 18, page 39, leave out line 21.

This amendment is consequential on Amendment 14.

Amendment 16, in clause 18, page 39, leave out line 24.

This amendment is consequential on Amendment 14.

Amendment 17, in clause 18, page 39, line 26, leave out from beginning to “, or” and insert—

“the provision and availability of data centre services in the United Kingdom”.

This amendment is consequential on Amendments 15 and 16.

Amendment 18, in clause 18, page 39, line 34, leave out

“anything mentioned in paragraph (5)(b)”

and insert—

“the provision and availability of data centre services in the United Kingdom”.—(Kanishka Narayan.)

This amendment is consequential on Amendments 15 and 16.

Clause 18, as amended, ordered to stand part of the Bill.