Clause 25 - Statement of strategic priorities etc

Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 2:00 pm on 10 February 2026.


Question proposed, That the clause stand part of the Bill.

Graham Stringer Labour, Blackley and Middleton South 2:15, 10 February 2026

With this it will be convenient to discuss clauses 26 to 28 stand part.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

Clause 25 introduces a power for the Secretary of State to designate a statement of strategic priorities for the implementation of the NIS regulations. The NIS regulations are enforced by 12 different sectoral regulators. Although that allows each regulator to apply its sectoral expertise, it also means that at times they have taken divergent approaches to their regulatory responsibilities. Clause 25 addresses that by allowing the Secretary of State to set overarching objectives for regulators in the wider context of a statement of strategic priorities. The statement will replace the NIS national strategy, which the Government were previously required to produce under the NIS regulations. It will set out the Government’s priorities for the security and resilience of essential services.

To ensure that the objectives remain stable enough to enable regulators to plan their work, the clause will prevent a statement from being withdrawn or amended within three years of its designation. However, that three-year rule will not apply if there has been a general election, or a significant change in the threat landscape or in Government policy. That will allow for flexibility where appropriate. In sum, clause 25 empowers the Government to drive a more effective and consistent application of the NIS regulations.

Clause 26 establishes the process through which a statement of strategic priorities can be designated. It requires that there must be consultation with regulators, and that the statement be laid before Parliament, where it will be subject to the negative procedure. It establishes that the Government must share a draft of a proposed statement with the NIS regulators, and that the regulators must be given at least 40 days to provide comments to the Government on that draft statement. The Government must consider whether it is appropriate to make any changes to the draft statement in the light of that consultation. Once any changes have been made, they must lay the statement before Parliament, where it will be subject to the negative procedure. Following that, the Secretary of State may designate the statement.

Clause 27 establishes the legal duties that regulators will have in relation to a statement of strategic priorities. It sets out that regulators must “have regard to the statement” when carrying out their NIS functions, as introduced by parts 3 and 4 of the Bill. It also introduces a requirement for regulators to “seek to achieve” the objectives included in the statement.

Alison Griffiths Conservative, Bognor Regis and Littlehampton

As we heard in written evidence from the ABI, clarity about roles really matters. Can the Minister confirm that the statement of strategic priorities is not intended to operate as indirect instruction, and that regulators will retain clear discretion where sector evidence points in a different direction?

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I thank the hon. Member for her point. Perhaps I can give a flavour of the objectives I might expect in a statement and assure her of the independence of sector regulators. Subject to consultation, which we would expect in the build-up to any such statement, a statement might include objectives such as encouraging regulators to seek to ensure that their sectors have plans in place to increase security, or focusing on regulatory activity in areas of greatest horizontal risk. To the hon. Member’s point about sector-specific expertise and the independence of regulators, the statement is intended to set objectives to be achieved within the parameters of regulators’ existing statutory duties, and what the overarching risks are. Of course, regulators will be free to do that in the ways they think most appropriate for their sectors, in the light of their own expertise and experience. I hope that gives the hon. Member some assurance.

Clause 28 requires the Secretary of State to publish an annual report setting out, in general terms, how NIS regulators have complied with their duties in relation to a statement of strategic priorities over the previous 12 months, and how they intend to meet their duties in the following 12 months.

Alison Griffiths Conservative, Bognor Regis and Littlehampton

As the Minister is saying, clause 28 is meant to help Parliament understand how regulators are responding to the statement of strategic priorities. Can he say a little about how substantive that reporting will be, and whether it will genuinely allow Parliament to assess how those duties are being exercised in practice?

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The hon. Member raises a very important point. We want Parliament to play an important role in the scrutiny of the overarching regime as a whole, but particularly in the operation of the statement. Perhaps I can break it into two parts: scrutiny of the statement in the first instance, and scrutiny of regulators’ compliance with the statement. Once a draft statement has been consulted on, the Government will be required to lay it before Parliament, and that will be subject to the negative procedure. Parliament will have 40 days to scrutinise the proposed statement and express disagreement with it, which is very similar to the procedure for statements of strategic priorities in other areas—not least online safety. In terms of confidence in Parliament about actions that regulators have taken, the Secretary of State will be required to publish an annual report setting out, in general terms, the activity undertaken by regulators in the prior 12 months, alongside activity planned for the following 12 months. My expectation is that, very similarly, Parliament will have sight of that, and have the ability to scrutinise it and ask questions of the Secretary of State in the usual way.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I am grateful to my hon. Friend the Member for Harlow for his affirmation of that important point of parliamentary scrutiny.

As I mentioned, the report in question will set out how NIS regulators have sought and will seek to achieve the objectives in the statement through the exercise of their regulatory functions. The clause requires the Secretary of State to lay the annual report before Parliament, as well as to publish it in an appropriate manner. Clause 28 also introduces information-gathering powers for the Secretary of State so that they can collect the necessary information from regulators to draft the report. I commend the clauses to the Committee.

Ben Spencer Shadow Minister (Science, Innovation and Technology)

It is a pleasure to serve under your chairmanship, Mr Stringer.

Clause 25 introduces a power for the Secretary of State to issue a statement of the Government’s strategic priorities in relation to the security and resilience of network and information systems with regard to essential activities. The statement will set out the responsibilities of regulators and specify objectives to secure the Government’s priorities. Competent authorities must be consulted in the drafting of the statement, and the Secretary of State must issue a report in every 12-month period on regulators’ compliance with meeting the objectives within it.

The changes aim to address important challenges around consistency in the approach to regulation that were identified by the previous Government’s second post-implementation review of the NIS regulations. Importantly, the measures also provide for a regular review of competent authorities’ approach to discharging their regulatory obligations. That measure is necessary given the inconsistent approach to oversight and enforcement of the NIS regulations so far.

We know that there are existing challenges relating to the capacity of competent authorities and there is the ongoing issue of securing sufficient cyber-security professionals to staff the teams. It is all well and good making statements, but they need to be followed. What strategies does the Minister anticipate will be needed and used to support—and, where necessary, drive up—standards of regulatory oversight when competent authorities fall short of the aims set out in the statement?

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I thank the Shadow Minister for raising an important point. His broader question is one of the most important in this context: Bills are only as good as the ultimate enforcement capability, capacity and framework in which regulators enforce them. Particular aspects of the Bill are focused on that question. One ensures that regulators have not just the resource through the cost recovery and charging schemes that the Bill allows for, but the information through the information-gathering powers—and not just the information, but a statement of strategic priorities as new horizontal risks emerge across sectors. So regulators are armed with resource, information and strategic priorities that emerge from time to time.

Alongside all those resources, data and information powers, regulators need also to have accountability, of course. In that context, the statement of strategic priorities is intended to be one vehicle through which regulators’ compliance with overarching objectives of the Bill will be looked at as well, alongside ongoing oversight of each of the regulators through the usual departmental channels.

Alison Griffiths Conservative, Bognor Regis and Littlehampton

Having worked in business, I know that the words we use to ensure that the capabilities are there are easy to say but not always easy to deliver. How will the Minister ensure that when we have a multi-sector issue, which could easily come up—particularly, as we have already discussed, around OT and the use of IEDs across multiple sectors—the National Cyber Security Centre and other regulators will have access to the skills, people and resources necessary to manage what could be a catastrophic incident? We already know that cyber-skills are in short supply as it is, even in the commercial sector.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The hon. Member raises an important point. Two or three things are really important channels of impact when it comes to skills. First, the NCSC as a convening body across regulatory areas will be able to make sure that different regulators come together and learn by being able to share information not just between themselves, but through the NCSC itself as the convening body for sharing good and prompt understanding of emerging risks.

Secondly, on broader skills, the cost recovery schemes allowed under the Bill create a way for regulators to ensure they are resourced up and have the ultimate financial firepower to be able to enforce the requirements of the Bill.

Alison Griffiths Conservative, Bognor Regis and Littlehampton

I thank the Minister for his patience. He mentions a specific example of where he will ensure that the NCSC is resourced up. Do we have specific examples that have happened already of those powers having been put in place successfully? From conversations with the NCSC, I understand that it is reliant on its accredited bodies across the country, but we have not yet—I am touching the wood of my desk, as I speak—had to respond to a complex multi-sector issue. I challenge the Minister on whether he is confident about our capability to respond to one.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I share the hon. Member’s recognition and her gratitude that we have not experienced the sort of incident that she described. The NCSC has told her, me and other Committee members that it brings regulators together and has done so on a number of occasions in the past to share cross-sectorally an understanding of emerging risks as well as incident-specific impacts. I take no sense of complacency from that precedent, but I do take some confidence from it. As the Minister in charge, I will ensure that the Department keeps a close eye on the ongoing implementation of the co-ordination powers under the Bill.

Ben Spencer Shadow Minister (Science, Innovation and Technology)

The Minister is being generous with his time during this important debate. I was just thinking through his earlier response to the point made by my hon. Friend the Member for Bognor Regis and Littlehampton about using the cost reclaims to employ cyber-security professionals. That goes to the heart of the concerns about the Bill and its approach to regulation.

We have heard that the industry, including regulators, is struggling to recruit cyber-security professionals. What gives the Minister confidence that, just because some money will be sloshing around in the regulators, there will be the ability to recruit cyber-security professionals, who are going to be essential to the implementation of the Bill?

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

First, I will provide some context for agreement. We want more people to be trained in cyber-security so that they can serve in the public and private sectors. Through the Bill, as well as a range of other initiatives, we are making sure that at every stage of the pipeline, there is resourcing, confidence and a demand signal so that more people can benefit from cyber-skills and serve in the industry.

There is a clear financing path for regulators to at least start to hire. Earlier in the pipeline, we are looking at a series of cyber-skills programmes all the way from schools through CyberFirst—I think about 415,000 students have gone through that programme. Ultimately, we want to create a long-term pipeline so that regulators and private companies can make the most of those skills.

Christopher Vince Labour/Co-operative, Harlow

I am going to mention Harlow, because Harlow has young people with amazing potential. The point that the Shadow Minister and other Opposition Members have made is really important. We need to make sure that this and the next generation of young people are trained up in these skills, because this is an emerging threat. I encourage the Minister to promote the Bill and what the Government are doing in cyber-security, because it is important that the wider public know that these important skills and jobs are available.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I am, of course, very happy to take on my hon. Friend’s recommendation that I be the promoter and ambassador for the Bill across the country. I am only sad not to have been invited to visit his constituency in the act of promoting said Bill, but I take his point seriously.

On the broader point about skills, I entirely agree with both my hon. Friend and the Opposition in recognising that skills are central to the enforcement of the programme. I hope that the funding and the earlier focus on skills across the life cycle give some assurance that the Government are committed to that.

Question put and agreed to.

Clause 25 accordingly ordered to stand part of the Bill.

Clauses 26 to 28 ordered to stand part of the Bill.
