Question proposed, That the clause stand part of the Bill.

With this it will be convenient to consider the following:

Clauses 54 to 56 stand part.

Government amendments 23 and 24.

Clauses 57 and 58 stand part.

This group concerns the power for the Secretary of State to issue directions to the NIS regulators, as well as general provisions relating to the power and the power to direct regulated entities. That includes the procedure for reviewing, varying or revoking directions, the procedure whereby Parliament can scrutinise these directions, how information concerning directions can be shared, the means by which directions can be issued and the clarifications of key terms concerning part 4 of the Bill. I shall speak to each Clause in turn.

Clause 53 grants the Secretary of State the power to direct NIS regulators in the exercise of their NIS functions, where it is necessary and proportionate in the interests of national security. The current system requires regulated entities to undertake “appropriate and proportionate” measures to secure themselves against cyber-threats. Regulators issue guidance to their sectors to help them to interpret that duty. However, geopolitical or technological developments could lead to rapid, unexpected increases in the cyber-threat that quickly leave whole sectors vulnerable and create a national security risk.

In such circumstances, it is essential that the Secretary of State can leverage the expertise and powers of NIS regulators to drive the implementation of enhanced security procedures and practices. For example, they may need to direct a regulator to issue an urgent advisory to its sector regarding new cyber-threats or to update guidance on what measures are “appropriate and proportionate” for them to take. This power will not extend to other Government Departments or devolved Governments, for which any actions to mitigate significant national security threats will be agreed through engagement.

Given the changing nature of national security threats, there may be times at which a national security direction needs to be varied or revoked. Clause 54 introduces powers for the Secretary of State to change the content of a direction, or revoke it altogether, where it is necessary and proportionate to do so in the interests of national security. The Secretary of State will be able to vary a direction to add new requirements, or to simplify directions by removing requirements that are no longer needed. To ensure that regulated entities are able to make representations, the Secretary of State is required to consult them before a direction is varied, where practicable. This requirement does not apply if consultation would be detrimental to the interests of national security.

Moving on, I reiterate that these powers equip the Secretary of State to act in defence of the UK’s national security. While it is important that the Secretary of State can act swiftly and decisively to protect the UK from major cyber-risks, it is right that the Government are held to account in their use of these powers via parliamentary scrutiny.

Clause 55 therefore requires the Secretary of State to lay copies of directions, and any variations of them, before Parliament. However, this requirement does not apply if laying them before Parliament would be contrary to national security. The clause includes caveats that, when laying a direction before Parliament, the Secretary of State can exclude details that could pose a risk to national security or might unreasonably harm an organisation’s commercial interests.

Clause 56 introduces important powers for the Secretary of State and NIS regulators to share information they have collected while overseeing requirements in, or related to, a direction, where this is necessary for national security. The clause enables information to be shared by the Secretary of State and NIS regulators with each other and with other regulators, GCHQ, other UK public authorities and public authorities overseas.

The clause specifies that information can be shared only where this is necessary for national security, and where the information is relevant and proportionate to the purpose of the sharing. It provides reassurance that information disclosed under this clause will not constitute a breach of any obligation of confidence or restriction on disclosure. It also clarifies that information cannot be shared where disclosure is prohibited under the Investigatory Powers Act 2016. Information sharing within these parameters has a vital role to play in enabling greater co-operation between organisations supporting national security in the UK and with allies overseas.

Clause 57 contains important information on how directions and notices issued by the Secretary of State to regulated entities or regulators may be given to the recipient. It explains that a direction or notice can be delivered by hand, left at the appropriate address, posted or emailed. It contains information on which addresses and email addresses notices and directions can be sent to. Government amendments 23 and 24, tabled in my name, are technical amendments to simplify the process for issuing documents under the national security powers in part 4 of the Bill.

Under clause 57, as the Bill currently stands, a regulator may contact a regulated person only using the person’s published email address, even if the regulated person has provided an alternative preferred email address to the regulator. Where those email addresses differ, and the address provided to the regulator is correct, this may cause problems for issuing and enforcing a direction on a regulated entity. Government amendments 23 and 24 resolve this issue by allowing a regulator to contact a regulated person using either their published email address or an email address that the person has provided to the regulator.

Clause 58 clarifies how key terms used in part 4 should be interpreted. It does so by cross-referencing how those terms are defined in earlier parts and clauses of the Bill, ensuring consistency of meaning throughout. In order to ensure that unexpected changes to sectoral risk that impact the UK’s national security can be mitigated, and that the directions regime can operate effectively with appropriate parliamentary scrutiny, I ask the Committee to support these clauses and minor amendments.

Clause 53 would grant the Secretary of State powers to issue directions to regulators where this is necessary for national security reasons, and to allow a reasonable period for the regulator to comply with that direction. Clause 54 provides that directions may be amended or revoked by the Secretary of State. Under clause 55, directions to regulated entities or regulators must be laid before Parliament unless that

“would be contrary to the interests of national security.”

I repeat my earlier question about the ISC’s role regarding scrutiny. Clause 56 would permit the Secretary of State and regulatory authorities to share any information obtained under part 4 with each other and the NCSC. The provision also allows for the sharing of information with other UK or overseas public authorities with equivalent cyber-security or national security functions. Government amendments 23 and 24 seek to amend that clause to provide for directions and notices issued under this part to be sent by email to relevant persons who provided those contact details to regulatory authorities.

Some reassurance on the extent of information sharing for businesses is delivered through provisions specifying that disclosures of information should be limited to that which is relevant and proportionate. However, those are high-level and subjective terms, open to interpretation by the authority sharing the information. Can the Minister provide any update on the development of protocols between authorities to ensure that information shared is limited to that which is necessary for effective oversight and enforcement in relation to national security risks?

On the Shadow Minister’s first point, I repeat what I said earlier and, of course, acknowledge his concern. I assure him that, while a direction can only be issued out of necessity for national security, it does not follow that public knowledge of that direction or its contents would compromise national security. I would expect a pretty extensive scope of such directions and, therefore, an appropriate channel of scrutiny in Parliament.

On his question of protocols to ensure information shared is not just proportionate in general, but specific to the purpose of national security specified, I am happy to give him the assurance that the Bill contains it and that, in the process of working out implementation, we will make sure that regulators are focused on developing those protocols.

Question put and agreed to.

Clause 53 accordingly ordered to stand part of the Bill.

Clauses 54 to 56 ordered to stand part of the Bill.