Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 2:15 pm on 10 February 2026.
Graham Stringer
Labour, Blackley and Middleton South
2:30, 10 February 2026
With this it will be convenient to discuss clauses 30 to 35 stand part.
Kanishka Narayan
Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
Clause 29 is the key pillar of the Bill’s future-proofing powers. It allows the Secretary of State to update, amend or replace the NIS regulatory framework by creating new regulations. This is a critical provision. Due to the way in which the NIS regulations were transposed into UK law, the Government lack a way of updating the framework other than through primary legislation. As a result, our regulations have remained static amid a rapidly evolving threat landscape, leaving our essential and digital services vulnerable to attack and our resilience falling behind the EU. The clause is an important response to that problem. It will ensure that the Government can take swift action so that our cyber regulations remain relevant. It is a more proportionate and effective approach than always relying on primary legislation.
I know the use of delegated powers can be a source of concern, so I will be clear that the clause is not a carte blanche—or a blank cheque, which the hon. Member for Spelthorne might be worried about—to smuggle in anything and everything under the guise of cyber-security. It is tightly constrained to ensure that any new regulations align with the original purposes of the NIS regulations. New regulations can be made only for the purposes of strengthening the cyber-security and resilience of the UK’s most critical activities, and only where they are genuinely essential to the functioning of the UK’s society and economy. Cyber-criminals will always find ways around regulations, but with this power we can stop them in their tracks.
I have already explained the critical role that clause 29 plays in enabling new regulations to be made for the purposes of cyber-security and resilience. However, I want to be clear about how those regulations will be used and reassure the Committee of their checks and balances. Clauses 30 to 35 set out what the regulations can do.
Clause 30 enables the Secretary of State to use the regulation-making powers to impose requirements on regulated persons. It clarifies who can be made subject to requirements and the types of requirement that can be imposed on them.
Alison Griffiths
Conservative, Bognor Regis and Littlehampton
My question relates to clause 29 but also clause 30. As the Minister says, the powers are deliberately wide. The Institution of Engineering and Technology noted in evidence that predictability matters more than compliance. Will the Minister explain exactly how the Government will judge when risks require new statutory duties rather than updated guidance, so that businesses are not left guessing?
Kanishka Narayan
Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
Any legislation made under clause 29 will need to align with the Bill’s clearly specified purposes to protect the systems that underpin our vital services. In any case, secondary legislation will require deep consultation to ensure that businesses have the sense of clarity that they require. There is a specific bar to pass for the scope of any further provisions, and it is a high bar given the definition of the sectors and the activities covered in the Bill.
Clause 30 has been designed with some clear use cases in mind. It will enable the security duties on regulated organisations to be updated with appropriate technical details. It will also ensure that more detailed thresholds for incident reporting can be set, and it is the mechanism through which we will set out the regulatory requirements for designated critical suppliers. In other words, the clause will help us to operationalise the provisions of the Bill and update the technical details of regulatory requirements in response to new risks or technology.
Clause 31 enables the Secretary of State to confer functions on regulators through the Bill’s regulation-making powers. These may be existing NIS regulators or newly appointed regulators. The types of functions that can be conferred are those concerned with compliance: monitoring and securing compliance, and investigating and managing non-compliance. To carry out such functions effectively, regulators must be able to impose penalties. Clause 31 also provides for that while putting in place important safeguards so that regulated organisations have a means of appealing penalties. The clause is essential for future-proofing the regulatory regime. It ensures that regulators can be equipped with the functions and powers they need to ensure the compliance and security of the UK’s most essential services.
Clause 32 sets out details and safeguards for how the regulation-making powers can be used when they impose or amend financial penalties. Crucially, it establishes upper limits on what the penalties can be—the greater of £17 million or 10% of turnover for an undertaking, or £17 million for a non-undertaking, or £17 million for an undertaking adjusted as needed to account for inflation. The 10% threshold has been chosen as a defensible outer limit for a regulatory regime concerned with national resilience and security. It aligns with penalties for non-compliance in legislation regulating critical national infrastructure and with the Bill’s own national security powers.
The clause further clarifies that regulations can define “turnover” and “undertaking”, where needed, to calculate a penalty. Together, these provisions create important safeguards and flexibility. They establish proportionate and transparent parameters within which penalty amounts can be set. They also enable the Secretary of State to define and consult on terms that are essential for operationalising the Bill’s new turnover-based penalties.
Like clause 31, clause 33 enables the Secretary of State to make regulations conferring functions on regulators. The functions specified in clause 33 complement the core compliance functions outlined in clause 31. They relate to the disclosure of information, issuing of guidance, record-keeping, preparation of reports, undertaking of reviews, and co-operation. The clause also enables the Secretary of State to impose functions on organisations that are not regulators but that play a public role related to the cyber-security and resilience of essential services. GCHQ, in its capacity as the UK’s computer security incident response team and technical authority, is the most important. Like clause 31, this clause is essential for future-proofing NIS regulations. It allows organisations that oversee and facilitate the cyber-security and resilience of essential services to be equipped with the tools and functions they need.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs using the powers under clause 29(1). These are the costs incurred through their functions under the NIS regulations or other obligations imposed through parts 3 and 4 of the Bill.
In practice, the clause ensures that the Secretary of State can make changes and updates to the way that regulators carry out their cost recovery function under the NIS regime. It could, for example, be used to specify further factors that regulators need to consider when establishing approaches for charging fees in the charging schemes, in addition to those already set out in clause 17. That might be needed to deliver greater consistency in how the cost recovery measures are being applied and is something that the Government will keep under review.
Alison Griffiths
Conservative, Bognor Regis and Littlehampton
As the Association of British Insurers has highlighted in its written evidence, the way cost recovery operates will shape behaviour on the ground. Can the Minister reassure the Committee that changes made under clause 34 will be transparent and proportionate and will not inadvertently discourage investment in cyber-resilience, particularly for smaller firms in supply chains?
On a personal point, could I ask him to speak more slowly? I am really struggling to hear him.
Kanishka Narayan
Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
I apologise for the pace of my speech; I will try to make sure I am speaking more slowly.
On the particular point on transparency and ensuring that any amendments to cost recovery are both transparent and grounded in specific provisions, I can set out the sorts of expectations we have had for circumstances in which amendments might be made. In particular, the Bill’s powers will enable regulators to set up charging schemes, but it is not prescriptive—
Alison Griffiths
Conservative, Bognor Regis and Littlehampton
Could the Minister repeat that?
Kanishka Narayan
Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The Bill’s new powers enable regulators to set up charging schemes, but it is not prescriptive about how it should do that beyond certain baseline requirements. More specific requirements, as provided for in the Bill, could become clear, such as if cost recovery mechanisms are not working effectively or if regulators are diverging unhelpfully.
All regulators must consult on charging schemes. In doing so, the industry should have ample opportunity to scrutinise the approach that regulators are taking and, importantly, Parliament should be able to add to that scrutiny as well. Like clause 31, clause 34 is essential for the future-proofing of NIS regulations.
Clause 34 enables the Secretary of State to make provisions for regulators to recover relevant costs; I have mentioned examples of the sorts of factors we might specify in that context. Together with clauses 29 to 33, 35 and 41, clause 34 is necessary to ensure that the Secretary of State can update and amend the functions of regulators as needed in the future, and is an integral part of the Bill’s future-proofing powers.
Clause 35 is the final clause that clarifies the limits and prospective uses of the regulation-making power in clause 29. It confirms that the regulations may confer functions and allow certain functions to be delegated to others—for example, it could enable a regulator to delegate functions to inspectors. It also clarifies that regulations can be made to require a person to have regard to guidance or codes of practice, or that make provision by reference to another document or piece of guidance. In short, the clause provides helpful clarity about how the regulations could be applied.
Sarah Russell
Labour, Congleton
On a point of order, Mr Stringer. I am not sure whether this strictly meets the criteria for a point of order, but it is clear that some people in the room cannot hear what is happening. I know the convention is that only the Whips and Ministers sit on the front row, but if those who are struggling to hear wish to sit closer, could we abandon that convention? It would be a reasonable adjustment so that everyone can participate properly, because this is discriminatory.
Graham Stringer
Labour, Blackley and Middleton South
I thank the hon. Lady for her point of order. It is a convention, and if the hon. Lady or any other Member wishes to sit on the front bench to make life easier, they certainly have my permission to do so.
Alison Griffiths
Conservative, Bognor Regis and Littlehampton
Further to that point of order, Mr Stringer. Genuinely, I simply need the Minister to speak slowly and clearly. Yes, I am wearing hearing aids; I am sure that others wear them too. I am doing my very best to make sure that I can lip-read, but that is almost impossible given the speed the Minister is speaking at. One cannot lip-read when he is looking down all the time either.
Graham Stringer
Labour, Blackley and Middleton South
I thank the hon. Lady for her point of order. I know the Minister is trying very hard; his normal rate of speech is much faster, so he is trying. If you catch my eye, I will interrupt the Minister, or anybody else who is speaking, and remind them. It is important that every Member can hear so that they can participate in the debate.
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
I confess, Mr Stringer, that I suspect I am also guilty of speaking a bit fast in our previous debates. I will do my best to slow down and speak in a lower tone, as I know that can also help, particularly with certain types of hearing impairment.
To continue the theme of agile regulation, clause 29 enables the Secretary of State to update the NIS regulations through secondary legislation. Clause 30 enables the Secretary of State to impose requirements on regulated entities, which may include directions to take specific actions to increase cyber-resilience, to report on certain matters and to appoint a UK representative if the entity is based outside the UK.
Furthermore, clause 31 specifies that the Secretary of State may direct competent authorities to undertake certain activities, including mandating functions in connection with monitoring and securing compliance with relevant requirements, investigating suspected non-compliance and mitigating the effects of non-compliance on the part of regulated entities. Clauses 32 to 35 provide for the Secretary of State to issue ancillary directions to facilitate information-gathering, investigation and enforcement activities on the part of regulators.
Taken together, the clauses give the Secretary of State a strong suite of powers to respond to emerging cyber-security risks. Again, I recognise the necessity of being able to respond quickly in fast-changing circumstances. However, the Government should clearly be reporting on the Secretary of State’s exercise of the powers at regular intervals to ensure transparency. We will discuss that in due course when we come to clause 40, on the report on network and information systems legislation.
Graham Stringer
Labour, Blackley and Middleton South
Does the Minister wish to respond?