“(1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing—

(a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and

(b) whether further government support is needed.

(2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1).”—

This new clause would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations, and whether additional government support is required.

Brought up, and read the First time.

I beg to move, That the Clause be read a Second time.

The purpose of new clause 10 is to ensure that regulatory authorities and regulated persons have adequate resources and capabilities to carry out their responsibilities. Fundamentally, this is a question of state capacity. Surely it is hard to disagree with that statement. We can pass legislation in this House, but if the regulators tasked with enforcing that legislation lack the resources and capabilities to fulfil their duties, and if the businesses subject to the new requirements lack clarity about what is required of them, the Bill will remain little more than words on a page.

Cyber-resilience cannot be achieved through legislation alone, poor and weak though this piece of legislation is; it must be delivered by regulators with properly trained staff, clear guidance and sustained investment in enforcement and oversight. Without that foundation, even the strongest legal framework risks becoming ineffective. The new clause would create a vital statutory reality check. It would require the Secretary of State within one year of the Act coming into force to consult with regulators and regulated organisations, and report to Parliament on whether the regulatory system is equipped to function under the new rules. The new clause asks a simple but essential question: do the bodies responsible for protecting our critical digital infrastructure have the people, funding, tools and skills that they need to succeed?

Laws work only if the people enforcing them have the time, money, expertise and systems to do so properly. The scale of the challenge is already clear. Research from ISC2 shows that 88% of organisations that have suffered cyber-incidents link those breaches directly to skills shortages. If regulators themselves face similar skills or operational shortages, enforcement will be slow, inconsistent and ultimately ineffective, and may leave businesses facing uncertainty about what is required of them.

The new clause would help to ensure that issues are identified early and addressed proactively, rather than after a major cyber-security incident exposes weaknesses in our regulatory system. For this legislation to work, it requires fully funded and effective regulators. That is why I will press the new clause to a vote.

This new Clause, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations. Historical levels of regulatory oversight and enforcement in relation to the NIS regulations 2018 have fallen short of what is necessary to achieve meaningful cyber-resilience across regulated sectors. The second post-implementation review of the NIS regs 2018, conducted in 2022, found that incident reporting on the part of regulated entities was very low, with only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021 respectively.

A review conducted by the Worshipful Company of Information Technologists identified a near total absence of formal financial sanctions under the NIS regulations, with zero confirmed major penalties from 2021 to 2024. The model has not been conducive to effective discharge of regulatory responsibilities, with knock-on effects for cyber-resilience and regulated industries, yet regulators will be expected to oversee a far larger pool of regulated bodies and process a far larger number of incident reports under the Bill’s provisions. It is therefore right for us to scrutinise carefully whether regulators are in a position to meet these obligations.

In the evidence sessions, many of my questions to witnesses, including those from Ofgem, ofcom and the Information Commissioner’s Office, focused on their preparations to meet the demands of their expanded roles. It was clear from feedback that although regulators understand what they need to do to prepare, the practical challenges associated with securing sufficient resource are far from resolved. I would therefore be grateful if the Minister could clarify his plans to review regulators’ progress and what the key milestones will be to ensure that regulators can discharge their new duties alongside their existing ones when these provisions come into effect.

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new Clause, which seeks to require a consultation on the resourcing and capabilities of regulators and regulated entities, assessment on whether additional Government support is needed, and a report on the findings. I reassure the hon. Gentleman that the Bill was developed in close collaboration with regulators and industry to ensure that regulators have the right information and tools to implement it.

The Bill already requires the Government to produce two regular reports to monitor the effectiveness of the legislation, and those would naturally include reviews of whether resourcing and capability were impacting on the effectiveness of the regime. The first of those is the annual report on regulator activities in relation to the statement of strategic priorities. The second is the report on the operation of the legislation, which must take place at least every five years.

While we are talking about resources and the application of the Bill, I raise with the Minister that, on page 102 of the impact assessment, it states that the going rate for a contract lawyer is £34 an hour. To my mind, that is out by a factor of probably 10. In the 10 days since our last sitting, has the Minister had a chance to re-examine the impact assessment and discover whether that was a genuine error? That number gets multiplied many times in the impact assessment. Has he had a chance to look into that?

The hon. Member has made that point a couple of times before. I am happy to write to him about the calculations, so that he is able to understand the survey and the significant uplift on which the figures are based.

In response to the hon. Member for Brecon, Radnor and Cwm Tawe, given that the two reports can already include the topics addressed by his new Clause, adding another report would risk confusing their purposes and increasing administrative burdens on those involved unnecessarily. The Government will not hesitate to adapt our support offering based on the findings of those reports. That will include using our flexible mechanisms—for example, updating our guidance to regulators, the statement of strategic priorities and the code of practice. Beyond that, we will continue to engage with regulators as the Bill is implemented, and consider whether any other means of improving regulators’ and regulated entities’ resourcing and capabilities are necessary and proportionate. For those reasons, I ask the hon. Member to withdraw his new clause.

Question put, That the clause be read a Second time.

The Committee divided: Ayes 2, Noes 9.

Question accordingly negatived.