Question proposed, That the clause stand part of the Bill.

Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.

While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.

New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.

Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?

Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.

I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.

In terms of scope, could the Minister give us some sense, when it comes to managed service providers, whether the purpose behind this Clause is to enable regulators to find out their entire client list? I would be grateful for some clarity on that point.

I will take each of those three questions in order. The hon. Member for Bromsgrove raised a very important point—shared, I think, in sentiment across the House—about ensuring that regulators have the capacity to deal with the volume and quality of information they might receive under the provisions of this Clause. Precisely for that reason, we have set out a charging scheme possibility here that allows regulators to equip themselves. Of course, that is initially a question of resourcing, rather than the quality or capability of that resourcing. We will therefore continue to ensure, through our oversight of regulators in appropriate ways, that we are pressing home the importance of enforcement quality and regulatory capability.

To the Shadow Minister’s point on proportionality, I share the focus on ensuring that designation and information requirements are proportionate, not least for critical suppliers. Like him, I will avoid repeating the previous debate, but the five-step test for the designation of critical suppliers, combined with the fact that the Bill allows for secondary legislation and guidance to specify more proportionate burdens on them, rather than on key regulated entities, alongside the fact that information notices ought to be proportionate and focus primarily on the purposes of the Bill, gives me—and, I hope, him—assurance about the proportionality embedded in the Bill.

Will the Minister talk through what the data exchange flow chart will look like? How will it work in practice? Will the OES proactively contact the regulator and say, “We have all these suppliers—go play”? Will the regulator contact the OES and say, “Give us a list of all your suppliers, and then we are going to start an investigation programme and decide what data we need”? What is the direction of communication in practice? Or—perhaps even worse—will the burden be on suppliers to an OES to contact the regulator and say, “Could we possibly be in scope?” How will it shake out in practice?

Although I will not specify prescriptively what the activity and flow ought to be, I can share from my experience that many large-scale businesses—and indeed many medium and small-sized businesses—have a very clear business continuity plan mapping their critical suppliers. In this case, I would expect the regulator and the regulated entities to engage. Who sends the email first is an open question, and I would not want to specify it in the Bill, but I would expect each regulator and their regulated entities to work very closely to understand the critical suppliers that meet the tests specified in the Bill, and to engage with those critical suppliers as a consequence.

The Minister has mentioned business continuity plans a second time as a justification for not going into detail on this, but the whole reason for the Government bringing in the powers in Clause 12, and the designation of critical suppliers, is that there was no business continuity plan in place in the example of Synnovis. I do not see how that argument gets away from the need for clarity, for organisations that could be at risk of being in scope of being assessed and designated as a critical supplier, about what actions they have to take in response to regulation, proactively or otherwise, and the burdens on them. We have just discussed the cost of enforcement, which risks essentially becoming a cyber-security tax.

I would not want to imply that every organisation has a business continuity plan, but the simple point is that the framework for assessing critical third-party suppliers is established in business and other regulatory regimes, as I have mentioned. The novelty or ambiguity that the Shadow Minister suggests simply does not apply. That is not to say that there will not be cases in which new critical third-party suppliers will be designated—that is the point of the provisions of the Bill. The practice will of course need rigour, efficiency and proportionality, but it will be grounded in existing, widely understood frameworks.

I need the hon. Member for Spelthorne to remind me of his question, if I might ask him to do that.

I might have to remind myself. I asked the Minister whether the purpose of this Clause is for a regulator to be able to ask a managed service provider what their entire client list is, in order to make various assessments.

I thank the hon. Member for asking and repeating the question. The purposes of the provisions on information requirements are focused on ensuring that regulators can conduct their duties as provided by the Bill. I would not expect information notices to require an exhaustive list in every instance, but instead to primarily focus on a more proportionate set of asks relating to risk vectors to the security of the regulated entities and to wider national security and cyber-security.

Question put and agreed to.

Clause 20 accordingly ordered to stand part of the Bill.