“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.

(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –

(a) which have been confirmed by GCHQ as having—

(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,

(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or

(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,

(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

(3) Regulations under this section are subject to the affirmative resolution procedure.

(4) In this section, ‘foreign power’ means–

(a) the sovereign or other head of a foreign state in their public capacity;

(b) a foreign government, or part of a foreign government;

(c) an agency or authority of a foreign government, or of part of a foreign government;

(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or

(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—

(i) hold those posts as a result of, or in the course of, their membership of the party, or

(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”—(Dr Ben Spencer.)

This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.

Brought up, read the First time, and Question proposed (10 February), That the clause be read a Second time.

Question again proposed.

I remind the Committee that with this we are considering the following:

New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk—

“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –

(a) from activities undertaken outside of the UK, or

(b) from foreign owned or controlled infrastructure or locations within the UK.

(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –

(a) the findings and conclusions of the review conducted under subsection (1), and

(b) the Government’s plan for addressing the risks identified.

(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –

(a) a review has been conducted under subsection (1), and

(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”

This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.

New clause 13—Statement on risks posed to systems by foreign interference—

“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.

(2) Any statement under this section must—

(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;

(b) include risks associated with—

(i) hardware,

(ii) software,

(iii) supply chains,

(iv) procurement processes, and

(v) the use of, or reliance on, foreign technologies or systems;

(c) include a specific focus on government digital procurement processes.

(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”

This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.

New clause 15—Review of high-risk bodies—

“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.

(2) A review under this section must assess—

(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;

(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and

(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.

(3) In this section—

‘relevant body’ means—

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.

‘foreign state-owned enterprise’ means a body corporate in which a foreign state has a controlling interest;

‘network and information systems’ has the meaning given by section 24(1).”

This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.

I rise to speak to new clauses 13 and 15, standing in my name.

New Clause 13 would require the Secretary of State to publish, within 12 months, a comprehensive statement on how the Government intend to manage the risks of foreign interference in our critical systems. It calls for steps to be taken to assess the need for a digital sovereignty strategy. We need to know not just how we will fight cyber-threats but whose technology we will rely on to do it. The new clause would force the Government to set out a plan to explicitly assess risks in hardware, software and supply chains.

We should ask what is being done to support UK tech and home-grown cyber-security. We cannot claim to be serious about national resilience if the very infrastructure protecting our critical systems is outsourced abroad to vendors we cannot fully trust. New clause 13 would require the Government to explain how they intend to mitigate the risks associated with reliance on foreign technologies. It would also require the Government to assess the need to encourage and support the use of domestic technologies. That would turn cyber-security into an engine for growth. By identifying high-risk foreign vendors, and pivoting to trusted, home-grown alternatives, we could improve our security and create high-skilled jobs here in the UK. For those reasons, I will press new clause 13 to a vote.

I now turn to new clause 15. How can we be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad? New clause 15 would ensure transparency and force the Government to look at the threat of foreign ownership. The threat to British democracy from foreign interference is clear and present. From Russian money flooding into politics, and Chinese surveillance and intimidation, to foreign oligarchs buying influence, our democratic institutions are under sustained attack. The previous Conservative Government failed the UK. They failed to take the threat posed by Russia seriously, they weakened the Electoral Commission and they allowed foreign money to distort our politics. They withdrew from international commitments at precisely the wrong moment.

This Government have made some welcome moves, but they do not go far enough. Over the last few years, we have seen a rise in cyber-attacks on critical infrastructure. Across the country, schools have closed, airports have been shut, local councils have been hacked and retail stores have been crippled. New clause 15 would require the Government to review the security risks posed by critical suppliers and essential service providers, and to flag which of those are linked to foreign states. It would also push the Government to evaluate whether current powers are sufficient to address these threats. I intend to push new clause 15 to a vote.

In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new Clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.

We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct Opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.

The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.

In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.

Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.

It is a pleasure to serve with you in the Chair, Ms McVey.

I thank the Shadow Minister, the hon. Member for Runnymede and Weybridge, for the new clauses in his name, which would require the Secretary of State to create a register of foreign powers that pose a threat to UK cyber-security, to review that register, and to lay a report before Parliament. This is intended to inform the use of powers granted under part 4 of the Bill. I empathise with the shadow Minister’s concerns that hostile foreign actors could target the network and information systems of operators of essential services or critical supplies. That is a clear risk, and one that we are addressing through the Bill.

As drafted, the Bill grants the Secretary of State new powers to issue national security directions to regulated entities or regulators where their compromise poses a national security risk. So long as those tests are met, the powers may be used by the Secretary of State irrespective of the actor that is causing the national security incident or threat.

New Clause 2 would require the creation of a register of foreign states that pose a risk to the UK based on GCHQ advice. I reassure the shadow Minister that regardless of the proposed new clause, any decision to use the powers in this part of the Bill will be informed by expert national security advice from GCHQ. As a result, it is unclear what additional support the proposed register would provide to the Secretary of State when, for example, deciding whether to issue a direction to a regulated entity.

Additionally, the report required by new clause 3 would effectively be a list of the vulnerabilities of the network and information systems of our essential services, and would therefore be an asset to malicious actors. That would be counterproductive to national security. The new clause would allow the Secretary of State not to publish part or all of the report, if publishing would be contrary to the interests of national security. However, it is unclear how even part of the report could be published without harming national security, given its intended content.

Drafting a report of vulnerabilities that cannot be disclosed to Parliament without harming national security would simply duplicate existing assessments, and run the risk of distracting Government from more effective measures to protect from hostile foreign actors. That is not to say that we shirk transparency about these kinds of risk. The Government are already able to communicate with Parliament and the public about such cyber-security risks where it is appropriate to do so, through things such as the National Cyber Security Centre’s annual report and advisories. I therefore kindly ask that the shadow Minister withdraw the new clause.

I thank the hon. Member for Henley and Thame for the Liberal Democrat new clauses in his name, which would require the Secretary of State to publish a statement of how the Government intend to address risks posed by foreign actors to UK network and information systems, and to assess how many entities regulated by the NIS regime are owned in part or in full by foreign states.

Let me reassure the hon. Member that the Government take the risks posed by foreign interference seriously. The NCSC’s annual reviews continue to highlight cyber-risks to the UK from foreign actors, as well as measures to mitigate those risks. We have robust processes for assessing such threats, drawing on the expertise of the intelligence community, including the National Cyber Security Centre and the National Protective Security Authority.

The measures introduced by the Bill will boost the security and resilience of network and information systems across essential services, managed services and relevant digital services, protecting them from the risks of foreign interference. Where that is not enough, the Bill provides a backstop: the new direction powers in the Bill will enable the Government to protect our critical services from exactly those kinds of national security risks. We will be able to require a regulated entity to undertake any action that is necessary and proportionate for national security in response to the threat of a compromise. Conducting assessments of the ownership structures of the many thousands of in-scope entities within six months would be disproportionately resource intensive, distracting Government from more effective measures to protect our services.

Publishing a review identifying national security risks caused by foreign state ownership, or assessing whether our powers are adequate, as the Opposition’s new clause 3 would require, would provide valuable insight to our adversaries. As I have previously set out, there is a clear pathway for Government to communicate with Parliament and the public about such cyber-risks where it is appropriate to do so, but where we identify specific concerns, it is right that we retain the ability to assess and respond without disclosing our conclusions to those who might exploit them.

Finally, it is worth pointing out that, as drafted, new clause 13 is not aligned with the intended scope of the Bill. The Bill is solely concerned with entities that are currently, or could one day be, regulated under the NIS regulations. This new clause would require a statement on the risks posed to all UK network and information systems, which is a significant broadening of the scope of NIS-regulated entities and sectors. Similarly, the focus on Government procurement seems outside that scope, given that Government network and information systems are not wholly regulated by the Bill. For those reasons, I ask that the hon. Member for Henley and Thame kindly consider not pressing his Amendment.

I am grateful to the Minister for his response, but we have seen over the past six months, especially with the alleged spying incidents in Parliament, the Government’s resistance to recognising the Chinese Communist party as a threat. When it comes to our new Clause 3 and concerns over transparency, we have also seen, in the last few weeks, that there are mechanisms—for example, the Intelligence and Security Committee—to ensure the disclosure of documents, while preserving national security. I would therefore like to press new clauses 2 and 3 to a vote.

Question put, That the clause be read a Second time.

The Committee divided: Ayes 6, Noes 8.

Question accordingly negatived.