Cyber Security and Resilience (Network and Information Systems) Bill
Consideration of Bill, as amended in the Public Bill Committee
New Clause 2
Cyber security support service for SMEs
“(1) The Secretary of State must, by regulations, make provision for the establishment and operation of a cyber security support service for relevant small and medium-sized enterprises (SMEs) for the purposes of improving the security and resilience of their network and information systems.
(2) For the purposes of this section, a relevant SME is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
(3) A support service established under this section must provide—
(a) advice and technical assistance to SMEs following a cyber incident; and
(b) guidance on recovery and remediation.”—(Victoria Collins.)
This new clause would require the Secretary of State to establish a cyber security support service for relevant SMEs.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
New clause 3—Review of high-risk bodies—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess— (a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise; (b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and (c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
“relevant body” means— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations.
“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;
“network and information systems” has the meaning given by section 24(1).”.
This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.
New clause 4—Critical manufacturing and retail sectors—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities— (a) the manufacture of critical transport equipment; (b) the industrial production and processing of food products; and (c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”.
This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.
New clause 5—Local authorities to be regulated as essential services—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—
“Local Government | Local Government | The Secretary of State for Housing, Communities and Local Government”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The Local Government Sector
12 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector.
(2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register.
(3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records.
(4) In this paragraph “local authority” means— (a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly; (b) in Wales, a county council or a county borough council; (c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994; (d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.”.
This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.
New clause 6—Computer Misuse Act 1990: security and resilience of network and information systems—
“(1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines— (a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review; (b) the review’s conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and (c) the Government’s intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review.”.
This new clause would require the Secretary of State to review, within 12 months, whether amending the Computer Misuse Act 1990 could improve the resilience of network and information systems, and to report the government’s intentions to Parliament.
New clause 7—Consultation on resourcing of regulatory authorities and regulated persons—
“(1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing— (a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and (b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1).”.
This new clause would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations, and whether additional government support is required.
New clause 8—Electoral infrastructure to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
“Elections | Electoral infrastructure | The Electoral Commission”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The electoral infrastructure subsector
12 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector.
(2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to— (a) maintain a register of electors containing more than 50,000 entries; (b) issue, receive, or process postal ballots for a parliamentary or local government election; or (c) count or aggregate votes cast in a parliamentary, mayoral or local government election.
(3) In this paragraph—
“parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom;
“network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
(4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
‘(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.’”.
This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.
New clause 9—Political parties to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
“Government | Political parties | The Secretary of State for Housing, Communities and Local Government”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The political parties subsector
12 — (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector.
(2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons.
(3) In this paragraph— “registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.”.
This new clause would designate political parties as providing essential services for the purposes of cyber security.
New clause 10—Board oversight of security and resilience of network and information systems—
“(1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body’s network and information systems.
(2) In exercising oversight, the management body must— (a) approve the approach taken by the body to the management of risks to the security and resilience of the body’s network and information systems; and (b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.
(4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations.”.
This new clause would require active board oversight of, and accountability for, security and resilience measures, where a relevant body is governed by a board or similar body.
New clause 11—Requirement for regular testing of network and information systems—
“(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.
(2) Testing undertaken in accordance with this section must— (a) be proportionate, having regard to the size, nature and risk profile of the business; and (b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.
(3) A relevant body must document— (a) the outcomes of testing undertaken in accordance with this section; and (b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations.”.
This new clause would require bodies to carry out proportionate, periodic testing of the security and resilience of their network and information systems and provide the results to regulatory bodies upon request.
New clause 12—“Last-resort” powers in respect of data centres and AI models—
“(1) Regulations under section 29(1) may confer on the Secretary of State powers (“last-resort powers”) to direct the shutdown of— (a) data centres, or (b) AI systems used or deployed by a data centre, in the event of an AI security or operational emergency.
(2) For the purposes of this section—
“data centre” has the meaning given in paragraph 11 of the NIS Regulations (as amended by this Act);
“AI system” means a machine-based system that, from the input it receives, can infer how to— (a) generate predictions, digital content, recommendations, decisions or other similar outputs, or (b) influence a physical or virtual environment, with a view to achieving an explicit or implicit objective;
“used or deployed” means made available to— (a) a substantial number of individuals within the United Kingdom; or (b) providers and operators of essential services;
“AI security or operational emergency” means a situation where the Secretary of State has reasonable grounds to believe that— (a) there is a security or operational compromise to one or more relevant network and information systems, (b) this compromise is caused, or contributed to, by the use or operation of an AI system used or deployed by a data centre, whether through autonomous or non-autonomous means; and (c) this compromise poses a catastrophic risk;
“catastrophic risk” means a risk carrying a reasonable likelihood of causing or contributing to— (a) large-scale disruption to critical infrastructure or essential services; (b) significant degradation of the national security, national defence, or intelligence capabilities of the United Kingdom; or (c) severe, large-scale harm to human life;
“data centre operator” means a person who operates a data centre;
(3) As soon as reasonably practicable after, and in any event within seven days of, giving a direction under subsection (1), the Secretary of State must— (a) lay a report before Parliament setting out the direction and the reasons for it; and (b) take all reasonable steps to arrange for the report to be the subject of a debate in each House as soon as is reasonably practicable.
(4) Regulations relating to last-resort powers must establish requirements on data centre operators in relation to data centres used for the training, deployment or operation of AI systems, including relating to— (a) the possession or installation of technical infrastructure necessary for compliance with last-resort powers; (b) the provision of secure communication channels for use by the Secretary of State when utilising last-resort powers; (c) the implementation of regular emergency exercises to ensure that a direction under this section can be received safely and implemented; and (d) post-mortem processes to be followed before a data centre is allowed to resume operations after the use of last-resort powers, including— (i) incident reporting; and (ii) implementation of mitigation measures to prevent recurrence.
(5) A person commits an offence if they fail to comply with any requirement imposed by regulations made under subsection (4).
(6) Regulations relating to last-resort powers may— (a) confer on the Secretary of State, or on a person designated by the Secretary of State, powers to act where they reasonably believe that an offence under subsection (5) is being, has been, or may be about to be committed; (b) include, for the purposes of paragraph (a), powers to— (i) close premises; (ii) turn off systems or require that they be turned off; (iii) take any other action necessary to control the risk arising from an AI security or operational emergency.
(7) Regulations must require that, where powers under subsection (6) are exercised, the Secretary of State must— (a) give written notice of the action taken, and the reasons for the action taken, to the operator or provider as soon as reasonably practicable; and (b) inform the operator or provider of their right to apply to the High Court for relief.
(8) The High Court may make any order it thinks fit on an application under subsection (7)(b), including— (a) confirming, varying or cancelling the requirements; (b) imposing additional requirements; (c) ordering compensation.
(9) The Secretary of State must publish guidance on the use by licensing authorities, planning authorities and other public authorities of their statutory powers to facilitate compliance with regulations relating to this section.
(10) A public authority must have regard to guidance issued under subsection (9) when exercising any function to which the guidance relates.
(11) The Secretary of State must, within six months of the commencement of this section and subsequently at six-monthly intervals, prepare a report on the causes and potential causes of AI security or operational emergencies and lay a copy of the report before Parliament.
(12) The causes and potential causes of AI security or operational emergencies considered in any report under subsection (11) must include — (a) adversarial uses of AI systems by state and non-state actors; (b) the capabilities for cyber-attacks by autonomous AI systems; and (c) the development of AI systems that can autonomously compromise national security, escape human oversight, and upend international stability, including systems described as “superintelligent AI”.”.
This new clause would enable the Secretary of State to be granted “last-resort powers” to ensure that the government can intervene in case of an emergency caused by AI used or deployed by a data centre which can cause large-scale harm.
New clause 13—Digital Sovereignty Strategy on risks posed by foreign interference and reliance on foreign technologies—
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a strategy (“a Digital Sovereignty Strategy”) which sets out the Government's approach to maintaining the security and resilience of relevant network and information systems by— (a) assessing, managing and mitigating risks— (i) associated with foreign interference, (ii) arising from reliance on foreign-supplied technologies, and (b) preventing over-reliance on foreign providers by building domestic capacity.
(2) For the purposes of this section, a “relevant network and information system” is a network and information system belonging to— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations.
(3) A Digital Sovereignty Strategy published under this section must— (a) include risks associated with— (i) hardware, (ii) software, (iii) supply chains, and (iv) procurement processes; (b) include a specific focus on security and resilience in government digital procurement processes, detailing how the Government intends to reduce strategic dependencies on foreign-owned service providers to mitigate the risk of systemic disruption; (c) include a commitment to prioritise the use of technologies developed in the UK by UK organisations in relevant network and information systems to reduce reliance on foreign technologies, and (d) where risks are identified under subsection (1)(a)(i), state how the Government intends to address these risks by supporting the use of domestic technologies or systems for the purpose of ensuring the security of those systems.”.
This new clause would require the Government to publish a Digital Sovereignty Strategy setting out how it intends to address risks to relevant network and information systems posed by foreign interference and reliance on foreign technologies, including by supporting the use of domestic technologies.
New clause 14—Register of foreign powers for the purposes of Part 4—
“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must by regulations, and within six months of the passing of this Act, establish and subsequently maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems.
(2) Foreign powers determined by the Secretary of State as eligible for inclusion on the register under subsection (1) must include states which have been confirmed by GCHQ as posing a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers, including where the relevant risk is posed by state affiliated groups.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In this section, “foreign power” means— (a) the sovereign or other head of a foreign state in their public capacity; (b) a foreign government, or part of a foreign government; (c) an agency or authority of a foreign government, or of part of a foreign government; (d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or (e) a political party which is a governing political party of a foreign government.
A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government— (i) hold those posts as a result of, or in the course of, their membership of the party, or (ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”
This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.
New clause 15—Review of the cyber security risk posed by foreign powers—
“(1) The Secretary of State must, within 12 months of the passing of this Act and annually thereafter, review the extent and nature of the risk posed by relevant foreign powers to the network and information systems of operators of essential services and critical suppliers.
(2) A review under this section must identify whether any risk arises from— (a) activities undertaken outside of the UK, or (b) foreign owned or controlled infrastructure or locations within the UK.
(3) For the purposes of subsection (1), “relevant foreign powers” include states which have been confirmed by GCHQ as posing a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers, including where the relevant risk is posed by state departments, state agencies or affiliate groups.
(4) Within three months of each review under subsection (1), the Secretary of State must— (a) lay before Parliament a report containing the findings and conclusions of the review; and (b) where information is not included in a report on the grounds of being prejudicial to the UK’s national security, send such information to the Intelligence and Security Committee of Parliament.”
This new clause would require the Government to report on the risk to relevant network and information systems posed by specified foreign powers, considering whether such risks arise from extra-territorial activities and/or UK infrastructure or premises owned or controlled by foreign powers.
New clause 16—Digital Sovereignty Strategy (relevant network and information systems)—
“(1) The Secretary of State must prepare and maintain a Digital Sovereignty Strategy (“the Strategy”) in relation to relevant network and information systems.
(2) The Strategy must— (a) set out the Government’s assessment of the risks to relevant network and information systems arising from or related to— (i) dependence on hardware, software, or digital services that may be subject to foreign interference; (ii) extra-territorial legal requirements that may be imposed on non-domiciled suppliers; (iii) vulnerabilities, undue control, or supply-chain dependency on foreign states or entities; (b) technological developments, market concentration, or strategic dependencies that may affect the security or resilience of relevant network and information systems; (c) set out the Government’s approach to mitigating the risks identified under subsection (2); and (d) include an assessment of— (i) the role of open source software, open standards, and open architectures in strengthening the resilience, transparency, and security of relevant network and information systems; (ii) the security and maintenance needs of open source software components used, or proposed to be used, in relevant network and information systems; (iii) the skills, capabilities, and capacity of United Kingdom-based developers, maintainers, and technical experts required to support the use of open source components in relevant network and information systems; (iv) options to increase the use of open source components and to diversify open source suppliers, reduce strategic dependencies, and enhance domestic capability in key technologies used in relevant network and information systems; (v) options for international collaboration in the production of open source components used in relevant network and information systems; (vi) any legislative, regulatory, procurement, or policy measures the Government considers necessary to support digital sovereignty through open source components and reduce systemic risk in relation to relevant network and information systems.
(3) The Secretary of State must publish the Strategy and any revisions to it, subject to the redaction of information the publication of which would be reasonably likely to prejudice national security.
(4) The Strategy must be reviewed at least once in every three-year period but may be updated whenever the Secretary of State considers that significant new risks have arisen.
(5) In this section—
“relevant network and information system” means a network and information system belonging to— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the Network and Information Systems Regulations 2018;
“digital sovereignty” means the ability of the United Kingdom to maintain secure, resilient, and reliable access to and control over the hardware, software, data, and digital services on which relevant network and information systems depend;
“open source” has the meaning given to it in the definition published by the Open Source Initiative.”
New clause 18—Review of the number of bodies providing cloud computing services—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the risks posed to relevant network and information systems by the number of different bodies providing or supplying cloud computing services.
(2) For the purposes of this section, “cloud computing services” has the meaning given in paragraph 1 of the NIS Regulations.”
This new clause would require the Government to review the risks posed to relevant network and information systems by the number of different bodies providing or supplying cloud computing services.
New clause 19—Review of risks posed by foreign state ownership or control of providers of cellular Internet of Things modules—
“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the risks posed to relevant network and information systems by foreign state ownership or control of providers of cellular Internet of Things modules.
(2) For the purposes of this section– “cellular Internet of Things modules” means devices that communicate over public mobile networks for the purposes of enabling autonomous machine to machine communication;”.
This new clause would require the Government to review the risks posed to relevant network and information systems by providers of cellular Internet of Things modules owned or controlled by foreign states.
New clause 20—Specification of retail commerce as an essential activity—
“(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify as an essential activity retail commerce carried out by companies with an annual turnover in excess of £12 billion.
(2) Regulations introduced under subsection (1) must designate appropriate regulatory authorities for this sector.”
This new clause would require the Secretary of State to designate retail commerce carried out by companies with an annual turnover in excess of £12 billion as an essential activity, bringing it within the scope of Part 3 of the Bill.
New clause 21—Food supply chain to be regulated as an essential service—
“(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—
“Food supply | Food supply chain | The Secretary of State for Environment, Food and Rural Affairs (United Kingdom)”
(3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert—
“The food supply chain subsector
12 — (1) This paragraph describes the threshold requirements which apply to essential services in the food supply chain subsector.
(2) For the essential service of the food supply chain in the United Kingdom the threshold requirement is that the person is in the food supply chain and does not qualify as small or a micro-entity (or is excluded) within the meaning of Part 15 of the Companies Act 2006.
(3) For the purposes of this paragraph— (a) a “food supply chain” is a supply chain for providing individuals with items of food or drink for personal consumption, where the items consist of or include, or have been produced to any extent using— (i) anything grown or otherwise produced in carrying on agriculture, or (ii) anything taken, grown or otherwise produced in carrying on fishing or aquaculture; (b) a person is “in” a food supply chain if that person is a producer or an intermediary in a food supply chain.
(4) In paragraph (3)(b)— (a) “producer” means a person who is carrying on agriculture, fishing or aquaculture; (b) “intermediary” means a person in the food supply chain between a producer and the individuals referred to in paragraph (3)(a).
(5) In this paragraph—
“agriculture” includes any growing of plants, and any keeping of animals, for the production of food or drink;
“aquaculture” means the breeding, rearing, growing or cultivation of— (a) any fish or other aquatic animal, (b) seaweed or any other aquatic plant, or (c) any other aquatic organism.
“plants” includes fungi.
(6) In regulation 8A of the NIS Regulations (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert—
‘(c) provides an essential service of a kind referred to in paragraph 12 of Schedule 2 (food supply chain sector) within the United Kingdom.’”
This new clause would designate those in the food supply chain that rely on network and information systems as “operators of essential services” within the meaning of the Network and Information Systems Regulations 2018, thereby placing them under duties to manage risks to those systems and to provide notification regarding any incidents that have an impact on the food supply chain.
Amendment 1, in clause 8, page 7, line 36, at end insert—
“(1A) In paragraph (1), after “risks” insert “, including risks arising from fraud,””.
This amendment would explicitly include fraud as one of the risks to the security of network and information systems that relevant digital service providers must identify and manage. Amendment 28, in clause 10, page 9, line 33, at end insert— “(2A) The measures taken by an RMSP under paragraph (1) must ensure that the number of customers to whom the RMSP provides services does not exceed the critical risk threshold. (2B) In paragraph (2A), the “critical risk threshold” is the number of customers within a sector or subsector where an incident affecting the provision of services to those customers by the RMSP would result in disruption that is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom. (2C) Paragraph (2D) applies where the number of customers to whom an RMSP provides services exceeds the critical risk threshold by virtue of contracts entered into before the coming into force of section 10 of the Cyber Security and Resilience (Network and Information Systems) Act 2026. (2D) The RMSP must take steps to reduce the number of customers to below the critical risk threshold, including exercising any right to terminate a contract or vary the terms of a contract.” This amendment would place a duty on relevant managed service providers (“RMSPs”) to ensure that they do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold, such that an incident affecting those services would be likely to result in significant disruption in the United Kingdom. This would prevent an RMSP managing the technology systems for a whole sector or subsector. Provision is also made for a situation where an RMSP is in breach of the critical risk threshold because of contracts entered into before the enactment of the Bill. Government amendments 7 to 11. 
Amendment 6, in clause 18, page 40, line 12, at end insert— “(8A) Where the CSIRT receives notification of an incident under regulation 11, 11A, 12A or 14E which it considers to materially involve autonomous or adaptive systems based on machine learning, the CSIRT must share relevant technical information with the relevant body within 72 hours. (8B) For the purposes of this regulation, a “relevant body” means the AI Security Institute or any successor or replacement body designated by the Secretary of State.”. This amendment would require incident data relating to AI systems in critical national infrastructure to be sent to the body designated by the Government as responsible for AI safety and security. Government amendments 12 to 14. Amendment 3, in clause 18, page 41, line 15, at end insert— “Exemption from disclosure: right to a fair trial (1) Nothing in sub-paragraphs (1)(d) to (1)(f) of regulation 6, or regulation 6A, permits a NIS enforcement authority to share information with another NIS enforcement authority or with a person within paragraph (2) of regulation 6 if the Secretary of State determines that— (a) the receiving jurisdiction is one in which the right to a fair trial cannot be guaranteed, or (b) the disclosure could result in actions being taken that would be incompatible with the right to a fair trial. (2) For the purposes of making a determination under paragraph (1) above, the Secretary of State must have regard to the opinion of— (a) subject matter experts, and (b) competent civil society groups. 
(3) The Secretary of State must, within 12 months of the passing of the Cyber Security and Resilience (Network and Information Systems) Act 2026, publish and lay before Parliament an annual report detailing the determinations made under paragraph (1) above in the previous 12 months.” This amendment would prevent the sharing of information with overseas authorities for the purpose of prosecuting crimes not committed in the UK if the Secretary of State determines that the receiving country is one in which the right to a fair trial cannot be guaranteed. Government amendments 15 to 17. Amendment 4, in clause 29, page 54, line 9, at end insert “, including the risks arising from the use of embedded communications components manufactured outside the UK;”. This amendment would make explicit that regulations could concern the risks arising from the use of embedded components within the systems (such as cellular internet of things modules). Amendment 2, in clause 40, page 63, line 7, leave out “5” and insert “3”. This amendment would increase the frequency of the reports that must be published under Clause 40, from every five years to every three years. Amendment 5, in clause 43, page 66, line 18, at end insert— “(i) a requirement relating to embedded communications components manufactured outside the UK.” This amendment would provide an additional requirement that may be imposed on a regulated person, in relation to an embedded communications component manufactured outside the UK. Government amendments 18 to 27.
As the director of the National Cyber Security Centre has said, “Every organisation delivering the UK’s critical services…relies on uninterrupted digital operations. Disruptions to those operations isn’t simply an IT issue; it’s a…national resilience issue”. The Liberal Democrats wholeheartedly support that point, and it is why we welcome the measures introduced by this Bill, which strengthen existing cyber protections to enhance national security. However, as the Liberal Democrats have made clear throughout the Bill’s stages so far, there are many missed opportunities to truly future-proof our country’s cyber-security to protect our democracy, economy and national security. I will speak to the Liberal Democrat amendments to the Bill, which we think would achieve that. First, on the scope of the Bill, last year we saw the costliest cyber-incident in UK history. The financial damage caused by the attack on Jaguar Land Rover is estimated to have cost between £1.6 billion and £2.1 billion—a cost shared between JLR directly and its supply chain. In the public sector, cyber-attacks are causing eye-watering costs too—just look at Redcar’s cyber-attack, which cost them a staggering £10.4 million. Despite that, the Bill takes no consideration of the significant economic cost of such cyber-attacks, excluding retail and manufacturing industries as well as local government from the scope of the Bill. New clauses 4 and 5 address a crucial gap. New clause 4 would bring the manufacturing of critical transport equipment and the retail of food and essential goods, where they form part of a large-scale distribution chain, within the scope of essential categories under the Bill. That means that companies such as Jaguar Land Rover would finally receive the protections that their strategic importance demands and protect their supply chains too. 
New clause 5 extends that same recognition to local authorities, whose digital infrastructure underpins the delivery of services that millions of people depend on. The Government’s own industrial strategy recognises that sustainable and secure growth requires strong levels of cyber-resilience across the economy, but their own cyber Bill does not live up to this. If a cyber-attack brought JLR’s production lines to a halt or crippled the digital infrastructure of a council, the damage to our economy and people’s daily lives would be enormous. Those are not the only issues within the scope of the Bill. Safeguarding our democratic processes must be treated as a national security priority, and here, too, the Bill falls short. At a time when foreign interference in our elections is not a hypothetical but a documented and growing threat, the Government have chosen not to act. New clauses 8 and 9 would begin to change that. New clause 8 would designate the administration of elections and voter registers as essential services within the meaning of the network and information systems regulations—a straightforward recognition that the machinery of our democracy is as critical as any power grid or hospital network. New clause 9 would designate political parties as essential services for the purposes of cyber-security, extending meaningful protection to the organisations through which the British people exercise their democratic voice. I understand that the Bill is not a silver bullet for cyber-security, but these amendments make the modest, targeted and entirely reasonable ask that vehicle manufacturing, food retail supply chains, local authorities, our elections and our political parties are brought within scope. In turning to online-generated fraud and scams, we can see the impact of a lack of action to secure online and cyber-spaces. Fraud makes up 44% of all UK crime, and online technologies—especially artificial intelligence—are supercharging that. 
According to reporting in The Times a few weeks ago, research by Lloyds bank found that Meta’s social media sites are a starting point for 76% of purchase scams in the UK, with the value of losses to UK customers estimated at around £66 million in the last year alone. Not only does the Government’s fraud strategy completely overlook the role of social media giants and big tech in the proliferation of online scams, but the Bill fails to address explicitly the risks that fraud and scams pose to critical infrastructure and organisations. That is especially striking when we consider that the Government’s official statistics on cyber-security breaches show that phishing attacks—scams—remain the most prevalent type of breach or attack by far in the UK. Amendment 1 would change that. It would amend clause 8 to add “risks arising from fraud” explicitly to the list of security threats facing relevant digital services so that those threats can be identified and managed. That is also why the Liberal Democrats are calling for social media giants to be financially liable for scams originating on their platforms and for an online crime agency to tackle these issues and standardise AI labelling. We must not forget that these threats do not fall solely on large institutions and critical infrastructure. Small and medium-sized enterprises are on the frontline of cyber-crime; they are disproportionately targeted and too often without the resources or expertise to defend themselves. Many of the businesses caught up in the supply chains of our critical industries and exposed to the fraud and cyber-risks that I have described are SMEs, yet there are no provisions in the Bill to help potentially under-resourced SMEs cope with the increasing threat of cyber-attacks. New clause 2 would require the establishment of dedicated cyber-security support services for those businesses. 
For the Liberal Democrats, backing British small businesses means ensuring that they are not left to face those threats alone. The Liberal Democrats have also tabled a series of further measures that would make the legislation fit for purpose over the long term. A law is only as good as its enforcement, which is why we are pressing for board-level accountability for cyber-resilience under new clause 10, regular proportionate testing of systems under new clause 11 and more frequent Government reporting every three years—rather than every five years—under amendment 2. Last week, at London Tech Week, as I was surrounded by experts across the industry, one thing became clear. We think that technology is moving quickly now, but with the growth and development of AI this is the slowest we will ever see change happen. That is why we need the framework to evolve, which means reviewing the security risks posed by foreign-linked critical suppliers, which new clause 3 would do, modernising the outdated Computer Misuse Act 1990, which new clause 6 would do, and assessing whether regulators have the resources they actually need to do their job, which new clause 7 would do. Those are not radical tasks; they are basic conditions for a cyber-security regime that works today and will continue to work in the future. If there is one matter that cuts to the heart of what the Bill should be about, and asks the fundamental question about Britain’s place in a contested digital world, it is digital sovereignty. All the protections we have discussed for our industries, our democracy and our small businesses will mean little if we do not first answer who controls the digital infrastructure on which all of them depend, and question whether, at every level of the stack, we have critical control over that. That is echoed loudly by the industry itself. 
A study by Civo, a UK sovereign cloud provider, found that 83% of IT decision makers in this country worry about the impact of geopolitical developments on their data sovereignty. When we look at the numbers, it is not hard to see why. About 55% of central Government organisations report that over 60% of their estate is on the cloud, and the vast majority of that is with just two providers, both of which are American. We have handed the keys to significant parts of our national digital infrastructure to foreign corporations, subject to foreign laws and exposed to foreign decisions entirely outside our control. That includes our public services. The Liberal Democrats are alarmed at the NHS’s growing reliance on complex, opaque digital systems set up by Palantir. With Palantir’s background in security and surveillance, that marks a divergence from the traditional relationship between the NHS and firms with specialised medical knowledge. The procurement process for the federated data platform, which was awarded to Palantir in 2023, is worryingly opaque.
We are pleased that the Science, Innovation and Technology Committee has called on the Government to exercise the break clause in that contract. We call on the Government to use the break clause and provide a clear timeline for Palantir’s removal from the NHS. Even Karp and Zamiska—from Palantir—said:
“The limits of soft power, of soaring rhetoric alone, have been exposed. The ability of free and democratic societies to prevail requires something more than moral appeal. It requires hard power, and hard power in this century will be built on software.”
Let us now look at Anthropic. Last week, it launched its new AI model, Claude Fable 5. Almost as soon as it was launched, the US Government intervened and shut it down for foreign nationals both inside and outside the country. Let me put that more clearly: Anthropic closed access to its tools under the direction of the US Government. This is a wake-up call. Our reliance on the technology that fuels our economy and underpins our services shows that we desperately need a sovereign digital strategy. Fable 5 may have been a feature for only about a day, but imagine if it had been powering processes and public services when it was suddenly cut off by the US Government.
Crucially, this is about backing British tech as well as working internationally. Collaborative sovereignty would make us stronger partners globally. That is why we have tabled new clause 13—I urge the House to vote for it—which would require the Government to establish a digital sovereignty strategy that sets out clearly how Ministers will assess, manage and mitigate risks to the security and resilience of our critical systems and place British tech procurement at its centre.
I recognise the importance of sovereignty, but there are real challenges. How can we deal with the prevalence of, for example, Taiwanese chips in our tech market?
I thank the hon. Member for his question. That is why we need a strategy—we need to be clear about the Government’s priorities. On procurement, we have heard from the National Audit Office that cost is often a priority, but at what cost? When the Government are looking for suppliers, what do we value? There must be a strategy for that, and we need to have that conversation so that the direction is clear, whether on hardware or software. Working internationally is vital, but it is also important to be clear about what is important for us, especially in the tech stack. That is the thing: it is about our security and resilience as well as our economy, strengthening those developing technologies as well as using technology. It is also about working together internationally and knowing that we have the resilience to look after and trade our technology stack.
It is about our security, our cyber-security and our resilience. Within a three-mile radius of Belfast, we have some of the best cyber-security resilience in the whole of the United Kingdom. It is about those 2,750 employees and the £258 million of direct gross value added. Does the hon. Lady recognise that powerhouses like Belfast must be fully integrated into our national cyber strategy? Will she put on the record that that is what we should be aiming for?
I thank the hon. Member for his intervention. I absolutely agree. Across the United Kingdom, including in Northern Ireland, there are incredible British tech firms. Many of them have said to me that their services are being procured by other Governments in Europe and around the world, yet they find their own British Government not using them or getting the value out of that British technology here by developing skills and jobs. The Liberal Democrats welcome the Government’s hardware strategy, announced last week, which at least acknowledges the importance of British procurement, but acknowledgment is not a strategy. New clause 13, which I am pleased to say has drawn support from across the House, would make it one. In an increasingly unstable world, the case for British digital resilience, British technology and British sovereign capability has never been stronger. I therefore urge hon. Members to vote for the new clause. Cyber-security is no longer a technical matter confined to server rooms and IT departments. It is a question of national resilience, economic strength and democratic integrity. The Bill before us takes important steps, but important steps are not enough in today’s digital age. With these amendments, we have the opportunity to close the gaps, broaden the protections and build a framework that is genuinely fit for the digital age.
I call the Chair of the Select Committee on Science, Innovation and Technology.
It is a pleasure to follow the hon. Member for Harpenden and Berkhamsted (Victoria Collins). I would like to start by making two relevant declarations of interest. I worked for the Office of Communications before entering Parliament and I am currently a fellow of the Institution of Engineering and Technology. Madam Deputy Speaker, you might have heard me mention on occasion that I was an engineer before coming into Parliament. As such, in 2010, I was desperate for issues around technology to come up in Parliament, as it was a subject I actually knew something about, but they rarely did. In the intervening 16 years, however, things have changed, and technology issues such as online safety, wi-fi on trains, sovereign technology and infowars are now raised regularly. I welcome the increasing role of technology in all our constituents’ lives, but this must go hand in hand with rigorous cyber-security to protect against threats from state and non-state actors. As I highlighted in my speech on Second Reading, the UK’s only cross-cutting cyber-security legislation is currently that inherited from the European Union. The previous Conservative Government failed to update these regulations, leaving us working under an outdated framework. I therefore really welcome this Bill, which seeks to expand the scope of existing cyber-security regulations to new sectors, strengthen the role of regulators and grant the Government new powers to respond to the threats posed by cyber-security breaches. We are only as secure as our weakest link, but I am afraid we still have a number of weak links left. Cyber-attacks are having a real financial impact on the UK and are happening at an increasing rate. According to the Institution of Engineering and Technology, cyber-attacks cost UK businesses an estimated £64 billion annually, with £37 billion in direct costs and £26 billion in indirect costs. 
Last year we also saw the well-documented cyber-attack that hit Marks & Spencer, leaving shoppers unable to buy online from the company for months. The company’s profits were almost wiped out, down from £390 million to £3 million for the first half of 2025. As a Sparks card holder myself, I was unable to use my card for six months and I fear I may have contributed to those figures. This brings me to my first amendment, new clause 20, which seeks to designate retail businesses as an essential activity, bringing them within scope of part 3 of the Bill. Retail is the UK’s largest private sector employer. It holds large amounts of consumer data but often relies on dated IT systems. Yet, as I noted on Second Reading, the existing scope of the Bill would not have prevented or even had an impact on the attacks on Marks & Spencer or Jaguar Land Rover, despite the significant disruption they caused to our constituents and our economic activity. Indeed, in November, the Bank of England cited the cyber-attack on JLR as a factor in its decision to hold interest rates. The Government’s plan to promote the new cyber governance code of practice to improve pre-operative preparedness in sectors such as retail is welcome, but voluntary measures alone will not deliver the consistent adoption of good cyber governance across economically significant sectors such as retail. According to the Government’s figures, only 9,680 Cyber Essentials Plus certificates were issued to small and medium-sized businesses between November 2023 and October 2024. There are an estimated 6 million small and medium-sized enterprises in the UK, so this is not going to address that challenge at the rate at which it needs to be addressed. I welcome the Opposition amendments that would bring retail businesses within the Bill’s scope, but I am concerned that they might be too extensive in bringing small and medium-sized businesses into its remit and placing a disproportionate burden on them. 
The revenue threshold of £12 billion in my new clause 20 provides the necessary specificity to ensure that only large retail businesses, including Marks & Spencer and Jaguar Land Rover, would fall under the expanded Network and Information Systems Regulations 2018. This would lead to faster incident-reporting responses and customer notification, alongside stronger powers, including those to deal with non-compliance. Turning to my new clause 18, we have already heard that the concentration of the UK’s public sector data within a small number of US-owned providers—Amazon Web Services and Microsoft Azure specifically—presents a structural risk to national resilience. Combined, AWS and Microsoft account for 70% to 80% of the public cloud market, according to the Competition and Markets Authority. Part of the issue is that that figure is an estimate. I have put down a series of written parliamentary questions over the last seven years to find out just how dependent the Government are on AWS and Microsoft. This data is not tracked across Government. Can the Minister say how he intends to assess a threat that the Government are not measuring? As set out in my Committee’s report entitled “Rewiring the state: Delivering digital government”, our national resilience is put at risk by the strategic lock-in that these companies have in many of our public services and Administrations. Major Departments, including His Majesty’s Revenue and Customs and the NHS, are under multi-year agreements that further entrench these cloud infrastructures within the Whitehall ecosystem. Included in my Committee’s report was evidence we heard from the Open Cloud Coalition, who suggested that the Department for Science, Innovation and Technology should consider a period of over-correction, including the mandatory re-competition of high-risk or large-scale contracts, to break cycles of vendor lock-in. 
The Government are rightly seeking to co-ordinate cloud contracting, but I believe that this should be done in a way that would ensure more, not less, competition. We would like to see the detail of how the all-of-Government cloud contract will prevent vendor lock-in, and I would like the Minister to outline his engagement with the CMA on the contract’s development. Not only does our reliance on these two cloud services raise practical issues—as seen with the AWS outage in October—but there are questions around data protection. Under the Clarifying Lawful Overseas Use of Data Act and the Patriot Act, the US Government can compel US companies, including AWS and Microsoft, to hand over data if held overseas—that is, in the UK. I am aware that the Minister might reference our sovereign hosting capability, Crown Hosting, but it hosts only 4% of Government legacy services. Will he please outline how the Government intend to ensure protection so that the public sector makes better use of the services provided by Crown Hosting? Could he also set out how he will ensure that the Government’s digital transformation ambitions cannot be derailed at any time by decisions based on the narrow interests of a foreign, commercial or state actor? He might choose to argue that this is highly unlikely, but I would point him to the recent decision of the US Government to withdraw foreign nationals’ access to Anthropic’s Fable 5 model. Finally, my new clause 19 calls on the Secretary of State to conduct a review into the risks posed by foreign state ownership or control of providers of cellular internet-of-things modules. I always like to mention that I was the first Member of Parliament to speak about the internet of things, in my debate back in 2011. Having worked in technology as an engineer, the threat posed by cyber-attacks on the internet of things was very real to me from the start of my parliamentary career. 
Indeed, in 2017 I wrote an article highlighting the threat of cyber-attacks on sex toys, in a vain attempt to raise the profile of the issue.
Common internet of things modules, or IOTs, are widely embedded across telecommunications and other critical national infrastructure, as well as in consumer products. In telecoms, CIMs—cellular IOT modules—underpin interoperability, monitoring, configuration and automation in complex multi-vendor networks, including those supporting cellular IOT at scale.
Although CIMs do not directly control networks, dependence on foreign-manufactured CIM-enabled software and tooling poses risks to resilience, security and sovereignty. Chinese attempts to corner the global market in CIMs could have significant national security implications. When they are embedded in cars, they transmit the location, the route and even passenger video. I hope that I need not elaborate on the implications of their being switched off or turned to hostile uses.
The hon. Lady was very prescient then, and it has got worse since. There was lots of talk under the previous Administration about Downing Street cars being searched for IOTs. We know about the huge imports from bad actors, such as China and other countries—that is really what we should be worried about. Many of them contain kill switches, which would devastate some of our industry, such as energy. That would be a disaster. She is right to have raised the issue and to continue to raise it.
The right hon. Member does well to remind us that the impact of hostile action using CIMs, such as by turning on a kill switch, would be devastating across multiple sectors, including potentially the consumer sector, as well as security, automotive, transport and finance. That is why it is so important to consider this. I particularly draw the Minister’s attention to the list provided by the US Federal Communications Commission—the equivalent of Ofcom—of equipment and services covered by section 2 of the Secure and Trusted Communications Networks Act. The list dictates what technology is legally permitted to be authorised for import and sale in the US, and many companies on the list are owned or controlled by the Chinese state. I thank the Minister in the other place for meeting me and my hon. Friend the Member for Dunfermline and Dollar (Graeme Downie), whose amendment I also support, and hearing our concerns about the supply of IOT devices. It was unfortunate that the Minister did not see the need for action, particularly given that the US has taken action against Chinese-made goods and that, during a trip of the British-American Parliamentary Group to the US just last week, we heard that further action is likely to be taken against cellular IOT modules specifically. That could mean UK products being banned from import into the US if they contain such CIMs. We have seen a rapid growth of those devices across transport, as we have mentioned, as well as energy and, importantly, water and health. I am concerned about the ability of our domestic British businesses to export into the US given those restrictions, as well as the impact on our security. I would therefore be grateful if the Minister could set out whether he is looking into that concern.
As was eloquently emphasised in the personal statements made by the recently resigned Secretary of State for Defence, my right hon. Friend the Member for Rawmarsh and Conisbrough (John Healey), and Armed Forces Minister, my hon. Friend the Member for Birmingham Selly Oak (Al Carns), the first duty of Government is the security of their citizens. That is true when it comes to our armed forces and our defence in the real world, and it is also true when it comes to our security in the virtual world. Those two overlap so much more than in the past. I welcome the Bill, but I have real concerns about the need to bring retail businesses such as M&S within its scope, the concentration of the UK’s public sector data in a small number of US-owned providers, the implications for technology sovereignty that that raises, and the risks posed by foreign state ownership of providers of cellular internet-of-things modules. I hope that the Minister will address those concerns and deliver the cyber-security and resilience that our constituents deserve.
It is always a great honour to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who talks common sense most of the time she gets up, which may be one of the reasons why she is still on the Back Benches. If we listened more to those who know something about things, rather than talking as though we know things, and saying things that are invariably wrong, we in Parliament would obviously be better off. The greatest threat we face is that bad actors out there are using this level of technology to get across to countries such as the UK. This is not a party political point, because both Governments have failed to face up to it to the degree that they should have—that is why this Bill is welcome, but it is not everything, as the hon. Lady says—but we think that we can treat the bad actors as though they were normal actors in a commercial sense. However, China is using slave labour to undercut markets and regularly puts IOTs into cars. It gets away with it because we think that we need China more than it needs us. That is the big problem. The hon. Lady is right to raise it, and I congratulate her for again making an excellent speech. I will in due course beg to move my amendment on anti-refoulement, because although this is a good Bill, some bits are missing and others have been skated over. This is one area about which we will come, again and again, to regret that we had not done more. The issue is British citizens abroad ending up under the rule of Governments that do not believe in the concept of freedom before the law, in a fair trial as part of that process, or in habeas corpus, which is an English common law right that has gone around the world. The amendment seeks to prohibit data sharing with jurisdictions that cannot guarantee a fair trial. It maintains the current legal approach, which generally restricts the sharing of sensitive information outside the EU. 
Currently, information sharing of a type enabled by proposed new regulation 6, which is in clause 18, is prohibited outside the EU. The proposed new regulation is therefore weaker than what is going on in the European Union. Sadly, it paves the way for such sharing, rather than restricting it. The amendment therefore seeks to prohibit information sharing with places where the Secretary of State believes that a fair trial simply cannot be obtained. It would require the Secretary of State to consult civil society and human rights experts to identify jurisdictions—this would apply universally and not just to China, although China is a big player in this—where the right to a fair trial cannot be guaranteed, with all decisions subject to mandatory annual reports to Parliament. That is important: Parliament should be part of this and make decisions about whether it agrees with the Government. Beijing is a good example. It has frequently used seemingly legitimate criminal complaints to target dissidents. Proposed new regulation 6, if unamended, therefore raises transnational repression risks rather than solving them. The amendment is necessary to close that loophole in the Bill, which currently fails to anticipate politically motivated requests from such totalitarian states. I often say that we should stop speaking about countries such as China, Russia, Iran and North Korea as authoritarian states. They are not authoritarian states; they are totalitarian states. Why do I say that? Because everything in those countries is owned and run by the state. Authoritarian states are often dictatorships, but they are not the same thing as totalitarian states. They are brutal and nasty, but totalitarianism is a complete system. This is about totalitarian states. Proposed new regulation 6 is predicated upon helping other Governments obtain justice. 
The argument of my amendment 3 is that—quite apart from the transnational repression risks—justice as we understand it cannot be served in a country where essentially there is no rule of law, no right to a fair trial, and a judicial system that serves the party. As I often say, it is a matter of pride that perhaps the greatest gift this country has given to the world is the concept of freedom in the face of the law. That is the point I made earlier: habeas corpus came from English common law and dominates so much of the free world’s thinking. It was not until the 1970s that some countries in Europe actually practised habeas corpus, so it was not just the case that it was produced by Britain; it was also owned by many other countries. That is what is at risk here, and we should be the greatest defenders of that right to a fair trial anywhere in the world. Let us take a few of these countries as examples for why amendment 3 is needed. Let us look at China. Requests were made by authoritarian states—totalitarian states in this case—regarding Interpol notices, as has been the recent pattern, and this happens a lot. The People’s Republic of China and other countries have a troubling recent history of very significant transnational repression, hounding dissidents in the UK and cloaking their political persecution in superficially legitimate criminal charges. The PRC is not alone in requesting information on political opponents in the UK, and it does it a lot. We can confidently speculate that China will make requests of the UK almost immediately should the Bill be passed. Let me look at the single biggest case that confronts us in China at the moment: that of Jimmy Lai. He is a British citizen. I cannot tell you, Madam Deputy Speaker, how endlessly in debates, even under the previous Administration, we had to fight to get the Government to state that he is a British citizen, not a dual nationality citizen. 
He is a British citizen, is proud to be British, has been British all his life and has only ever owned a British passport—he has never been a Chinese citizen with a Chinese passport. The special rapporteur on torture, Alice Jill Edwards, in her 2024 and 2025 reports, specifically flagged concerns that evidence obtained through torture is still widely admitted in Chinese courts. She also expressed concerns in late 2024 regarding the case of Jimmy Lai in Hong Kong, noting that evidence allegedly secured through torture in mainland China was and is being used in the trial. On 15 November 2024, the United Nations working group on arbitrary detention published its opinion that Jimmy Lai is “unlawfully and arbitrarily detained” and called for his immediate release. The proposed new regulation will not go far enough and therefore does not deal with this, and that is what my amendment 3 is all about. On the risk of extradition to China from safe third countries, currently the UK does not have a bilateral extradition treaty with the People’s Republic of China, and it has suspended its bilateral extradition treaty with Hong Kong—something that many of us were calling out for at the time in 2020. In 2025, proposed changes to the Extradition Act 2003 would allow co-operation between UK and Hong Kong authorities on a “case-by-case ad hoc basis”. The trouble with that is that it begins to open the door. The risk of sharing NIS data is not confined to the physical removal of individuals; it also poses a profound threat to national security and the safety of the diaspora within the UK—how often have we heard about that? These totalitarian states not only seek to extradite dissidents, they seek to silence them through transnational repression and to compromise the UK’s own digital resilience. Sharing NIS data with an adversarial jurisdiction is akin to providing a road map for a state-sponsored cyber-attack. 
For dissidents and human rights defenders living in the UK, NIS data can be used to demonise and de-anonymise their activity. This information is frequently used to identify and harass family members remaining in their home country, to conduct targeted phishing and surveillance against the individual’s private devices, and to coerce the individual into becoming an informant under the threat of criminal charges based on the shared technical data. Let me deal with another case: that of Ryan Cornelius in the United Arab Emirates. Ryan Cornelius is a British citizen who has been arbitrarily detained in Dubai for 18 years, despite well-documented evidence of an unfair trial and inhuman treatment. Ryan’s detention has been found to be arbitrary by the UN working group on arbitrary detention. His case arose from a high-profile financial dispute involving loans connected to a major Dubai development project. Although he and his associates had reportedly complied with restructuring agreements with Dubai Islamic Bank, he was arrested without warning, transferred by plain-clothed officers to a police facility, where he was held incommunicado, denied access to a lawyer and subjected to aggressive interrogation. During this time, he was coerced into signing documents in Arabic—a language he does not understand—under the false premise that this would give him his release.
Mr Cornelius’s trial proceedings were marked by violations of his right to a fair trial. He was not provided with an interpreter and could not understand the proceedings, while the appointed lawyer did not speak English, rendering effective communication impossible. In 2011, Mr Cornelius was convicted and sentenced to 10 years’ imprisonment and ordered to pay $1 billion in penalties. He served the full sentence, without the routine reduction for good behaviour despite being a model prisoner, further underscoring the arbitrary and punitive nature of the detention and the profound deficiencies in the judicial process against him. He was then to face the fact that the law was changed. He is now continuing to serve his 10-year sentence—it is now 18 years since he was given that sentence. That is hardly a fair trial.
I want to touch on Jagtar Singh Johal, who is detained in India. He is a British Sikh activist who has been held without trial in India for eight years. The United Nations says he is being held
“on discriminatory grounds, owing to his status as a human rights defender and based on his political activism, religious faith and opinions”.
This is the problem again; it is another example of somebody in a country that we seek to have alliances with who is not facing a fair and reasonable process under the law. That is the point that amendment 3 makes.
I want to praise one particular character—one person who I think should at least suggest that the Government vote for the amendment. While still Leader of the Opposition, the right hon. and learned Member for Holborn and St Pancras (Keir Starmer) wrote both to Boris Johnson and to my right hon. Friend the Member for Richmond and Northallerton (Rishi Sunak), calling on them to officially request Jagtar’s immediate release. In that letter, he made it clear that Jagtar’s detention was arbitrary and that he had been
“gravely mistreated, with no legal basis”.
I bow before the ex-head of the Crown Prosecution Service in the United Kingdom.
The point being made through those specific cases is made for a wider set of cases through amendment 3. I wish the Government would accept the amendment rather than our having to put it to a vote, but I think it is necessary for us to do so in order to make this point. Too often we co-operate, rather lazily at times, with Administrations in foreign countries that we know will never give a fair trial to a British citizen sitting in their courts—in fact, they do not have a fair trial for many of their own citizens. For example, the UAE has been brutal in its behaviour, fomenting violence and war in Sudan, but it gets away with it simply because it happens to be wealthy enough and we want its investment. But we should never turn our head away from the single greatest thing we have given to the world, and which we should constantly recognise that we should maintain for the rest of the world: habeas corpus—the right to a proper and fair trial. It is an inalienable right of every individual who is a British citizen, and we should defend that right. To defend that right, we should not give cause to those courts that will not give a fair trial by giving them information, support or help at any time. That is the amendment I have tabled and, if called, I will move it.
It is a pleasure to follow the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith). I concur with the points he made on Jimmy Lai and Jagtar Singh Johal and, more widely, about the internet of things. I think of Norway and Denmark, which suddenly realised that hundreds of buses they had imported from China had kill switches, meaning that their entire public transport networks could potentially have been disabled, just like that. That is the reality of these new technologies, and we need to face up to it and have our eyes wide open in the contracts and deals that we sign. On Second Reading five months ago, I welcomed the Cyber Security and Resilience (Network and Information Systems) Bill, but even in the short time since then, the world has become an ever more dangerous place, and the cyber-threat has only intensified. I commend the Government on their hard work in the intervening period, and in my remarks today I want to focus on the cyber-threat landscape, my two amendments—new clause 21 and amendment 28—and the need for a national conversation on national security, which of course includes cyber-security. Let me start with the cyber-threat landscape. The UK is the most cyber-attacked nation in Europe and the third most cyber-attacked nation globally, with three in four businesses having suffered a cyber-attack in the past year. My hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah) talked about the attacks on Jaguar Land Rover, Marks & Spencer, the Co-op and others. Having spoken with those businesses with the Joint Committee on the National Security Strategy and individually, I know of the scale of the impact that was felt within their operation and how affected they were by these attacks. It is unimaginable, even for the most seasoned business and industry leaders, to suddenly find themselves under such attack, and the repercussions for the economy have been very significant. 
In April, the CEO of the National Cyber Security Centre, Richard Horne, laid out the scale of cyber-attacks: on average, the NCSC deals with around four nationally significant incidents a week—that is not the hundreds of incidents that are occurring every day, but the really serious, significant ones. The threat of cyber-attacks will only intensify. Continued state-backed cyber-attacks from Russia, China and Iran, either directly or via proxies, are being fuelled by technological advancements in AI and quantum computing, increasing the complexity and sheer volume of such attacks. The reality is that major cyber-attacks are no longer rare one-offs but an operational reality facing every business and organisation—public and private—across the UK, as they are globally. It is important that we secure our systems to make them more robust and deter such attacks, so that those who wish to do us harm will go after others. It is in this context that the Bill has been introduced, and it takes serious, robust steps to increase the resilience of the UK. However, given the escalating threat picture, I continue to have concerns about the scope and breadth of the Bill. That is why I have tabled new clause 21 and amendment 28, which I hope the Minister will reconsider. New clause 21 would bring those in the food supply chain within the scope of the NIS regulations and regulate them as “operators of essential services”, while excluding smaller businesses, to avoid an unnecessary administrative burden. I understand that the Minister addressed this on Second Reading, explaining that essential services would only include those sectors “the failure of whose network and information systems poses imminent threat to life to the British public.”—[Official Report, 6 January 2026; Vol. 778, c. 225.] I would gently suggest that the collapse or disruption of the food supply chain would pose an imminent threat to life. I say that in an honest and not patronising way. 
Those of us who have had conversations behind the scenes about what happened during the pandemic, and Opposition Members who were far closer to that when in government, will realise that the health threat was one element, but the collapse of society—not just the economy, but society—with the potential for civil unrest and rioting, due to the lack of food and toilet rolls on shelves and so on, would have been the most urgent and pressing issue. It is worth noting that the European Union’s NIS2 directive does include food distribution in its regulation, so it is feasible and recognised internationally as important. The Bill does grant the Secretary of State powers to bring in new sectors. Could the Minister reassure me that the Department will give this due consideration today and in the future? Secondly, amendment 28 would ensure that relevant managed service providers do not provide services to manage the technology systems for a number of customers that exceeds a critical risk threshold within the same sector or subsector. The rationale behind this is simple: it is about building resilience and ensuring that if one RMSP fails or is breached, a whole sector is not hamstrung by it. I can envision a situation whereby one particular RMSP dominates a large category or small subsector that may be a crucial part of a supply chain, thereby crippling the whole chain. Indeed, my hon. Friend the Member for Newcastle upon Tyne Central and West cited the UK Government’s dependency on AWS and Microsoft as an example. Will the Minister please consider that? Aside from my two amendments, it is clear that the Bill, in itself, is not the only answer to our cyber-resilience; multiple approaches are needed. Given that the Bill does not include large swathes of the economy or local government, it is even more important that we explain to businesses and the public the very real threats that we face. 
That brings me to my final point, which is on the need for a national conversation on national security. We can have the best crafted and tightest legislation and regulation, but unless we have a real cultural shift and acknowledgment of the cyber-threat and its impacts, from board level to entry-level positions, all of this will be wasted. I once again encourage the Department and the whole machinery of government to go further and faster in explaining the threat posed and the steps we can all take to boost resilience, because resilience starts with the mobile phone in our pocket, and cyber-security is only as strong as its weakest link. The Joint Committee on the National Security Strategy, which I chair, has begun its inquiry into building national resilience through a national conversation. It is clear from the evidence we have heard from Taiwan, the Netherlands and other European nations I have spoken to that we need to explain the threat to people, build a stronger cultural sense of resilience and explain that we all have a role to play; it is not simply the state’s responsibility. I will update the House on our findings in due course, and I hope the Minister and the Government will find that useful when considering their plans for national resilience. To conclude, this Bill is a substantial and serious step forward in protecting the UK from cyber-attacks. It makes us more resilient and strengthens our collective security, but there are areas where I encourage the Government to be more ambitious—namely, by bringing the food supply chain into the essential services classification, as Europe is doing; setting critical risk thresholds for RMSPs; and expanding the scope of the Bill to encompass more of the economy.
It is a pleasure to follow such esteemed colleagues. My only declaration before I start my speech is that I hold a degree in information systems from the University of Leeds. I have been sat here for the last two hours looking at the memorial plaque for Jo Cox, 10 years after the horrific day that we lost Jo. I was a West Yorkshire candidate alongside Jo in the run-up to the 2015 election. It is to my huge detriment that I never got to serve with her here. Today is such a difficult day for so many colleagues. I know that Jo would have dearly liked to see many of the things that Labour is doing in government. It is incumbent on us to try to push forward all the things that Jo strived for, to make this place better, to make the country better and to make the world better. Let me now turn to cyber-security. Data centres are warehouse-like facilities that house the information technology equipment upon which almost all digital activity relies. The UK Government say that they “underpin almost all economic activity and innovation, including the development of AI and other technology, public service delivery” and modern-day communications. Europe’s largest data centre market is Greater London, where most of the UK data centres are concentrated. There are four types of data centre, one being AI data centres, which are facilities specialised for the high-performance computing needs of AI development and AI models. Having data centres based in the UK allows our Government to regulate them, such as by requiring them to meet cyber-security standards and reduce their environmental impact, which is obviously very important. Data centres are an essential part of our critical national infrastructure. They have a huge environmental impact so must be managed carefully, but the benefit of having them on our home turf is that we can regulate them. 
In our current state of hybrid war with Russia, it is vital to protect those data centres from any nefarious actors or cyber-warfare, and to strengthen their protections against cyber-attacks spawned by AI. Otherwise, the impact on public safety, the economy and society could be catastrophic.
Given the importance of data centres, and the speed of development of AI systems, should the Secretary of State not hold last-resort powers to hit the kill switch—the big red button—to direct a shutdown of data centres or AI systems deployed at significant scale, in the event of an AI security or operational emergency? Such powers would be strictly reserved for catastrophic risk scenarios, which are defined in line with the national risk register’s high impact threshold. It is a significant decision to shut down a data centre, and such a decision must come from someone who puts national security and the public interest at the core of their decision: the Secretary of State.
New clause 12, entitled “‘Last-resort’ powers in respect of data centres and AI models”, would ensure that the Government could intervene in the case of an emergency caused by
“AI systems used or deployed by a data centre”
that can cause large-scale harm. It is well recognised that today the UK finds itself in a new threat landscape, which poses unprecedented security challenges. As per the strategic defence review, we face threats that are
“more serious and less predictable than at any time since the cold war.”
Cyber-attacks are now a daily reality and, as colleagues have said, the real-world costs are substantial.
The 2024 NHS Synnovis ransomware attack disrupted over 11,000 out-patient appointments, with a direct cost of at least £32.7 million. We have moved on at speed with data centres and AI models since 2024, and the risks become exponential as innovation in the sector charges on. More recently, AI models such as Claude Mythos showcased unprecedented autonomous cyber-hacking and cyber-offensive capabilities, to the point that it was not released publicly.
If implemented, the new clause would require data centre operators to maintain technical infrastructure, secure communications, and hold “regular emergency exercises” to ensure that powers can be used quickly and effectively. It would also mandate regular parliamentary reports on the causes and potential causes of AI security emergencies, including adversarial and non-state actor use and autonomous cyber-attack capabilities—we are seeing growing evidence of those, which could lead to tragic consequences. There is clear legal precedent for such powers. For example, the Civil Contingencies Act 2004 confers significant intervention powers in extreme harm scenarios.
The new clause would bake in robust checks and balances to constrain Government overreach. It would require parliamentary reporting within seven days of any direction, followed by a debate in each House at the earliest opportunity. It would require a High Court review, so that any operator served with a direction has an immediate right to apply for relief, with the Court empowered to confirm, vary, cancel or award compensation. There would be post-incident accountability, with incident reporting and mitigation measures required before operations resumed. Compliance costs are expected to be minimal and would require only a small up-front investment in technical infrastructure for a handful of data centres, some of which already possess such infrastructure. By definition, such powers are designed to be used sparingly and only in genuine emergencies.
The cost of inaction vastly outweighs the compliance burden, as a single major AI-driven cyber-incident could dwarf the total cost of implementing those powers across all affected operators. Last-resort kill-switch powers for AI systems and data centres underpin the overall concept of cyber-resilience—the final backstop. The UK must remain proactive rather than reactive, and we need to be ready in these unprecedented times. As AI companies race towards superintelligence, it becomes ever more important to have the right safeguards in place to avoid catastrophic outcomes. The new clause provides an urgent, legally sound and proportionate mechanism to stay ahead of real-world threats to our critical national infrastructure. I will not be pushing it to a vote, but perhaps the Minister will consider adding it to the Bill.
I also wish to mention amendment 3, tabled by the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith). If a country cannot guarantee a fair trial, how can we think that, for any reason and at any time, we could disclose data that could result in an unfair conviction? That undermines our whole idea, and today of all days I cannot imagine why we would not enact something to protect the rights of our citizens when abroad.
I refer Members to my registered interest as parliamentary chair of the Campaign for Secure Technology, which I thank for its work in preparing my two amendments as well as my speech. I echo the comments of my hon. Friends the Members for Leeds Central and Headingley (Alex Sobel) and for Newcastle upon Tyne Central and West (Dame Chi Onwurah) about the scale of the threat that we face from cyber-attack. We must ensure that we are having that national conversation about the nature of the threats we face, and who those threats come from. In many ways, this country is already in conflict with Russia, and in more than what we could call competition with China—something that the public are not fully aware of. We must do more to ensure that they are fully aware of that threat, and that they hold our feet, and those of the Government, to the fire, and ensure that we are taking the kinds of measures in this Bill, and beyond, that we need to protect our economy, our military and our democracy more widely. I will limit my remarks to amendments 4 and 5, which I tabled. It is always difficult to speak at this point in a debate, because people with far more experience and knowledge than me have said a lot of the things that I was planning to say, and have done so with far more eloquence and knowledge than I have. Amendments 4 and 5 seek to deal with part of our digital infrastructure that is almost entirely invisible to the public and rarely discussed in Parliament—other than this afternoon—yet is essential to our national security: cellular internet-of-things modules. As my hon. Friend the Member for Warwick and Leamington (Matt Western) described, cellular IOT modules are small electronic components, about the size of a credit card, and they allow a device to connect to the internet over a mobile network. They sit inside everything from smart meters, CCTV cameras and traffic lights to industrial sensors, medical devices and parts of our energy grid. 
They are the connective tissue of our modern digital economy, and we all rely on them every day. Despite their importance, however, very little is known publicly about what they do and the potential harm that they could cause. Today, more than 70% of all cellular IOT modules used globally are manufactured in China, and that dominance creates strategic vulnerabilities that the Bill must address. Amendments 4 and 5 would ensure that the Bill covers the risks created by embedded communications components manufactured outside the UK. Amendment 4 would ensure that the Secretary of State can treat the provenance of those components as a cyber-security risk, and amendment 5 would allow Ministers to require operators of critical systems to identify and mitigate those risks. In short, the amendments would give the Government clear authority to act where foreign-made modules create known vulnerabilities. Why is that necessary? Because the modules present three major security threats. The first is dependency. When one country controls the overwhelming supply of a critical technology, that is by its nature a structural risk. If supply is disrupted, whether for geopolitical leverage or commercial pressure, our energy systems, transport networks and emergency services could be left without essential replacement parts. We have already seen that threat with Huawei and our 5G network—a mistake we must not repeat. The second reason is disruption—as colleagues have said, that is increasingly referred to as the “kill switch”. Internet-of-things cellular modules contain firmware that can be updated remotely. If a manufacturer is subject to state influence—and in China we know that they are—it could insert a kill switch or back door that allows it to disable devices at scale and at will. It could push out malicious updates, insert malware or remotely disable devices. 
That could mean vehicles being turned off, cranes and industrial machinery being halted mid-operation, or financial terminals suddenly going offline. We could even see disruption to areas such as NHS refrigeration, affecting drugs and blood supply. The concern with that type of module is that it might not happen overnight or be something we immediately see. It could be hidden for a number of weeks or months in different technologies and across different parts of our economy, and it would be incredibly difficult—nigh on impossible—to prove exactly what had happened and who had done it, and to tie it to any one state actor with certainty. It is certainly not something that could be done quickly, allowing for a full response. As my hon. Friend the Member for Warwick and Leamington said earlier, there are a number of examples of that from around the world. Perhaps the best known was when Russia invaded Ukraine in 2022 and tried to steal more than two dozen John Deere tractors and ship them to Chechnya. The US company intervened to switch them off. It remotely locked the thieves out of the equipment, rendering the tractors useless. That is the kind of action we could see China take in the event of a future crisis. Closer to home, my hon. Friend the Member for Warwick and Leamington mentioned that Norway tested two of its Chinese-designed electric buses, one manufactured in the Netherlands and one built in China, to discover exactly the same kill switch technology.
Does the hon. Member agree that, given that Transport for London now has 500 Chinese buses ordered and on the streets of London, there is a glaring opportunity for huge embarrassment to this nation if those kill switches were ever used on the buses in our capital city?
That proves why we need more awareness of the threat that we face. It is not necessarily a case of banning certain components or technologies, but we must be more aware and ensure that the Government have the powers they need to respond where possible.
My hon. Friend is right to say in his eloquent speech that raising awareness and having a debate about this issue is important, but the problems may not necessarily be the result of hostile actors. If the providers of the modules were to stop providing software updates, the modules would be more likely to fail and then become the subject of hostile attacks. So not only could the technology be killed by a hostile actor, but an increased dependency on software updates puts us at risk.
As ever, my hon. Friend is correct. How many of us have had some bit of technology break because the firmware is no longer allowed to be updated, meaning that something no longer works, it is no longer supported and it breaks down immediately? To add to that, by its nature, something that is not regularly updated becomes more vulnerable to attack by hackers. They may not be state sponsored, but they may take advantage of a weaker part of a technology. That was pointed out to me on a recent visit to Taiwan. Its semiconductor industry is incredibly strong, but it builds the more high-tech elements of semiconductors. I was told that it would not bother to commit to manufacturing other types of technology because they were too cheap and simple to make and could be mass produced. On that note, I refer to my entry in the Register of Members’ Financial Interests about the trip to Taiwan. I did not intend to raise it during my speech, but there was an opportunity to do so. The third element of risk is data extraction, as was mentioned by the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith). Under the Chinese national intelligence law, companies and organisations are legally required to assist state intelligence agencies and to hand over data upon request, creating a systemic risk in the UK that any data accessible through a cellular internet-of-things module could ultimately be accessible to the Chinese state. Modern vehicles, especially electric and autonomous vehicles, are effectively computers on wheels, continuously collecting data on drivers, surroundings and infrastructure. The US Select Committee on China recently warned that Chinese EVs are “rolling data collection devices” and argued that restricting Chinese-made components is a national security imperative. The US Department of Commerce has now moved to limit the deployment of software and communications equipment sourced from adversary Governments in connected vehicles. 
Those who are worried about China’s reaction to such measures should be aware that it has already taken precisely these steps against the west. Tesla cars have been banned not just from entering Chinese defence bases, but from various Government agencies and authorities. In the meeting mentioned by my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), I was concerned that there was a suggestion by one of the officials that there was no need to concern ourselves about the threat of Chinese internet-of-things modules because the threat was merely “theoretical”. As I and others have shown today, these examples are not just theoretical. Frankly, most threats are theoretical until they are not theoretical. This is happening now across critical sectors and national infrastructure. Other countries, such as the US, Australia and those in the EU, are all moving to toughen up their legislation specifically on cellular internet-of-things modules, and I believe that the UK must take action as well. My amendments would ensure that the Bill explicitly covers these risks and gives Ministers the clarity and authority to act when necessary. If this Bill is to truly strengthen the UK’s cyber-resilience, it must not leave one of the most serious threats to our modern and increasingly digital world outside its scope. I ask the Government to work with me to address the threat of cellular IOT modules.
Madam Deputy Speaker, I hope you will not mind if I take a moment to reflect on the fact that today is the 10th anniversary of the murder of our dear friend Jo Cox. I was lucky to serve alongside Jo on the board of the Labour Women’s Network and we had done similar kinds of work previously. I often sit here in the Chamber and look at Jo’s shield and wonder what she would have made of the state of our politics, our country and our world today. I think about how much better we would be if she was still here to contribute. Jo’s most famous words matter so much today—that we “have far more in common than that which divides us.”—[Official Report, 03 June 2015; Vol. 596, c. 674-65.] As my hon. Friend the Member for Midlothian (Kirsty McNeill) said today, holding on to Jo’s words and keeping her spirit going matter always, but they matter even more when it is difficult to do that. I hope that Jo’s family and friends, and those closest to her, know how much she is missed and that we strive to carry her light forward with us.
The threats that cyber-attacks pose increase every year and the nature of the cyber-threats we face is continually developing. Last year, the UK faced 204 nationally significant cyber-incidents, attacks which threaten large organisations, local and central government or our other essential services. That represents an increase of more than double compared with 2024. The attacks are speeding up, and so must regulation. I am glad that the Bill brings data centres into the scope of network and information systems regulations, given that they underpin nearly all economic activity and public services.
Current NIS regulations are limited to sectors deemed critical in 2016, a year after OpenAI was founded and five years before the foundation of Anthropic. It is high time that our cyber-security regulations caught up with the pace of threats, including those from Russia, who are already seriously targeting our country, as we have learned more about just this week. But this is where I believe we need to go further, particularly in limiting the threat posed by AI to our cyber-security and our critical national infrastructure.
I will focus my speech on UK data centres and the scope to maintain cyber-defences around them in the Bill. AI has the power to bring enormous benefits to our society and economy, from healthcare to productivity. AI growth will rely on having the right infrastructure to support it. Of course, this means the installation of data centres across our country. These data centres should be located in appropriate places, making use of former industrial sites and brownfield land wherever possible, in locations and settings that are as discreet as possible.
My constituents in Auchtertool are right to state that the fields beside their village are not an appropriate setting for a large data centre, as is currently proposed. In Scotland, there have been no changes to planning law to take account of the advent of data centres and the resources that they require. I hope that the Scottish Government will recognise this and rapidly change planning law so that villages like Auchtertool are not put in this situation.
Residents in Auchtertool are also right in their concern that Fife council does not, at this stage, appear to be taking full account of the environmental impact of a huge data centre like this, and that is why I have challenged this with the council. Scottish law must be brought up to date, as has already been done in other parts of the UK. We have an abundance of former industrial sites in Scotland and in Fife, which would be much more appropriate locations for such infrastructure.
AI will do incredible things while transforming society, and there is no point in anyone denying that or trying to turn back the clock. Indeed it is incumbent upon us to ensure that the UK is a world leader in AI and the good that it can do, and I know the Minister will agree with that. However, the pace at which the technology is developing and the pace at which safety regulation is developing are vastly different.
Powerful models, like Anthropic’s Mythos, are redefining the cyber-security landscape with potentially catastrophic effects for our critical national infrastructure. Mythos has exposed previously undiscovered flaws in every major operating system and every major web browser, putting at risk our social and economic security. In the past week alone, the Trump Administration, not exactly known for its heavy handedness in regulating the tech sector, imposed an export control directive on Anthropic’s Fable 5 and Mythos 5, citing national security concerns. This means that the Administration felt so concerned about the model’s effects on national security that it decided no one outside the US should have access to it. In the UK, the National Cyber Security Centre has predicted that it is highly likely that cyber-attackers will be able to use AI to help them to find zero-day vulnerabilities. Powerful models such as Mythos would aid cyber-attackers in exploiting vulnerabilities in defence systems that our experts had not previously been aware of.
Similarly, as the race quickens to AI superintelligence, where the capabilities of AI models surpass the capabilities of any human, it is crucial that we have control over our data systems as well as over AI more widely. For all our history, humans have been the most intelligent beings on this planet, yet superintelligence means that AI systems could begin acting outside our control and in ways that are currently beyond our understanding. That will have extremely dangerous consequences for humanity.
We must be able to switch off those systems if we need to, but currently we cannot. That is clearly unacceptable and must change. That is why I am speaking in support of new clause 12, in the name of my hon. Friend the Member for Leeds Central and Headingley (Alex Sobel). The new clause would provide the Secretary of State with a kill switch on data centres in case of a “catastrophic risk” posed by a UK data centre—the national risk register’s most serious level of risk.
The Government must have control over data centres in the UK. The innovation in AI is spectacular, but all too often its developers live in a world of their own, without Government regulation. That is the case particularly in the United States, where they have been given carte blanche to press ahead with AI development despite any security risks.
This week, I was proud to see our Labour Government announce a ban on under-16s accessing social media, which many of us have campaigned for since we were elected to this place. Many of my constituents across Cowdenbeath and Kirkcaldy, especially teachers and parents, have told me that they want that to happen, but the complexity in implementing the ban shows how hard it is to use rearguard action to regulate a technology that should have had more attention over a decade ago. While social media has many positives, the damage it is able to do to our democracy and our young people has been driven by many of the same tech bros who are now telling us that they need a regulation-free environment to develop AI.
In my view, this Bill does not explicitly reference misinformation or disinformation threats. I have just met with the Council for Countering Online Disinformation, and in that meeting I learned that X’s algorithm amplified misinformation and disinformation online about the riots that took place in Epsom. Does the hon. Member agree that it is really important that we add strong safeguards against misinformation and disinformation into the Bill?
I certainly agree. Misinformation and disinformation are a huge challenge to our democracy and our country. We know that many enemy nations, such as Russia and Iran, are seeking to exploit loopholes, and I believe the Government have to take further action on that, for sure. We should not wait to find out whether AI has the potential to damage our critical national infrastructure; we know that in some cases it does, and we should be prepared for it. “Catastrophic risk” includes harm to critical infrastructure, national security or a severe, large-scale harm to human life. Governments should have the power to prevent those risks from coming to pass. It is our No. 1 duty to keep our citizens safe. In a speech in April, the Secretary of State argued in favour of greater AI sovereignty in the UK, and kill switches would provide exactly that—sovereign control over the most dangerous risks posed by artificial intelligence. New clause 12 includes proportionality and accountability, and the costs of implementing kill switches on data centres would be minimal, particularly in comparison with the financial losses associated with major cyber-attacks; we have heard more about that from many of my hon. Friends in this debate. It would ensure that there is parliamentary reporting within seven days of any direction from the Secretary of State and a debate in this House at the earliest opportunity. Any operator served with direction would have an immediate right to receive a High Court review. We are elected to this House first and foremost to keep our nation safe. AI developers are moving at a pace far, far faster than Governments, and they are racing towards superintelligence. It is crucial that if—or, more likely, when—that is achieved, we have the right safeguards in place to avoid catastrophic outcomes. That is a crucial part of our national resilience and an issue that I and others who are present today continue to speak about, because it badly needs more attention. 
New clause 12 does not seek to stymie the development of AI systems that could bring radical benefits to our society. Instead, it provides the Government with a suitable mechanism to stay ahead and in control of real threats to our critical national infrastructure. That is why I support the new clause and hope that the Government will do the same. If not, I ask the Minister to set out how the Government plan to ensure that we have these powers, which are so clearly needed.
I thank all my hon. Friends and all hon. Members who have contributed to what has been a really good and well-meaning debate. People will be relieved to know that I intend to keep my contribution fairly brief. I say to the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith) that I do not pretend to be an expert when it comes to cyber-security and resilience, although other Members across the House would say that that has never stopped me talking before. It was a pleasure to be on the Bill Committee for this legislation; in part, I think that was because of the very constructive nature of conversations in Committee. As the shadow Minister in particular will know, I sat very passively throughout Committee and said very little, which is common for me. This is a really important piece of legislation. As Members across the House have rightly said, it is the first duty of any Government to protect their citizens. There are obviously huge benefits as we move forward into a more technologically advanced world, but there are also real challenges, and as a country we need to be ready for them. It was also a pleasure in Committee to have the opportunity to mention my father-in-law, Professor Robin Bloomfield—not least because I need all the brownie points that I can get—who is a professor of cyber-security at City St George’s, University of London. Let me also reference the fact that I have a data centre in my constituency, the Kao data centre; it is named after Charlie Kao, who, along with George Hockham, created the fibre-optic cable in Harlow. It is fair to say that I have some skin in the game in terms of the importance of this legislation. When I looked through the list of amendments, the first thing I thought was, “The Liberal Democrats have been busying themselves.” I say genuinely to them that I welcome conversations about the need to protect local government and electoral services. 
Although I do not think that necessarily has to be covered in this legislation, I hope the Minister has listened to the comments made by the Liberal Democrats. We can absolutely come back to that conversation in this House, because it is hugely important that our democratic services in particular are not eroded by bad state actors, as has been discussed previously.
On local government, there are clearly hundreds of local authorities, many of which are busy upgrading their systems. However, one thing that is not spoken about enough is the human capacity to actually do the work. Many local authorities, like Government themselves, find a real difficulty in recruiting the talent that they need. Does my hon. Friend agree that central Government could provide a greater role and act almost as a centre of excellence for cyber-security for local government?
As a former councillor in a district council bordering London, I know the particular challenges we had in recruiting really decent council officers. I should put it on record that we have had some fantastic officers in Harlow district council, but it was always more difficult to recruit them, because they were drawn particularly to London. I recognise the challenges that he highlights, and I obviously want more support to be given to those professionals to understand cyber-security risks. My father-in-law is very much retired, so I am not giving him a job, but I am sure he would be very keen to see that as well. My hon. Friend’s intervention brings me nicely on to my next point. My hon. Friend the Member for Warwick and Leamington (Matt Western) spoke very well and with a great deal of expertise on this topic. He referenced something that I referenced in Committee, which was that even if we think this legislation is perfect, it will not be enough. We need a culture shift when it comes to cyber-security, so I welcome my hon. Friend’s comments and ask the Minister to reflect on them when he concludes the debate. I did say that I would not give a very long speech, but I have been on my feet longer than I thought I would be, which is typical of me. I will finish by saying that over 11,000 NHS appointments and procedures were lost last year due to cyber-attacks. For too long, successive Governments have failed to properly address the growing threats from cyber criminals and hostile states. I am pleased that this Government are addressing those threats by giving regulators new powers to designate which suppliers are critical in the supply chain, and by investing £210 million to tackle threats and strengthen public services. For that reason, I strongly support the Bill.
My part of the world has already had a hard lesson in what a serious cyber-attack can do, and I thank the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted (Victoria Collins), for mentioning it. In 2020, Redcar and Cleveland council was hit by a cyber-attack that has been attributed to the Russian Conti syndicate, and around 135,000 residents were left without online public services. Systems were disrupted, and the cost was put at more than £10 million. That is a story that has been repeated across our public and private sectors, and we have heard other examples today—my hon. Friend the Member for Leeds Central and Headingley (Alex Sobel) spoke about the NHS, and my hon. Friend the Member for Warwick and Leamington (Matt Western) spoke about manufacturers such as JLR. I echo their calls in the amendments they have tabled today, particularly about the need for last-resort powers in relation to data centres, but also for a national conversation about these issues. I have had discussions with constituents who are sceptical that the Russian state might attack a little council like ours, and it is important to get across the point that it is precisely because ours was low-hanging fruit that it was such a target for Russia. That is exactly why this Bill is needed. Since the NIS regulations were introduced in 2018, the threat has changed; we are more interconnected and more reliant on cloud services, managed IT providers and data centres than ever before, often across long and complex supply chains. As such, it is very welcome that this Bill gives Ofcom a clearer role and brings significant data centre services into the regulatory framework, as well as relevant managed service providers and critical suppliers. 
The new reporting regime is a practical improvement as well—a 24-hour initial notification and a fuller report within 72 hours will help regulators and the National Cyber Security Centre to spot patterns, warn others and build a better national picture, which is especially important when we consider hostile states. Cyber-security is plainly now a frontline part of our national defence—we have seen how Russian military intelligence activity is targeting Government and critical infrastructure, and we need to be equipped to respond. I am sympathetic to new clause 3, which relates to the role of foreign state bodies, but it ought to be broadened beyond critical and essential services. I will give an example that concerns the security of British citizens’ data from foreign Governments. Right now, the largest leveraged buy-out in history is under way—the takeover of global videogames maker Electronic Arts by Saudi Arabia and Jared Kushner’s Affinity Partners. They are buying access to the sensitive personal and behavioural data of 700 million players worldwide, as well as the ability to expand foreign influence in Britain. I urge the Government—both DSIT and the Department for Culture, Media and Sport—and the CMA to look at this deal with their eyes wide open. Ministers should be prepared to stand up for UK data, UK jobs and UK security. The Chair of the Science, Innovation and Technology Committee, my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), mentioned interconnectedness between data security and national security. I endorse her amendments dealing with internet-of-things modules and the potential threat of hostile states switching off various pieces of infrastructure around our country. I also urge Ministers to keep pushing further on the threat of hostile state disinformation on social media, which has also been referenced in this debate. That is a fundamental security issue. 
Russia and others do not only try to knock systems offline; they also try to rot public trust, spread falsehoods and undermine democracy, so the technical threat and the information threat are part of the same hostile playbook. I do wonder whether regulators have sufficient resources to act, and I will listen carefully to the Minister’s remarks on new clause 7. Ultimately, this Bill does not solve every problem, but it is a serious and necessary step forward. It strengthens resilience, widens responsibility, improves reporting, and gives Government clearer powers where national security is at risk. As such, I support the Bill.
I call the shadow Minister.
Before I begin, I would also like to make some remarks in commemoration of the 10th anniversary of the murder of Jo Cox. I never met Jo Cox. I never knew Jo Cox, and I am very sad that I did not, because having seen the impact she has had on our politics, on this place and on the people who knew her, she was clearly an incredible person. I do not think anyone can disagree with what she stood for, and in particular, that we have more in common in our politics. Our politics is worse off without her. Yet again, we return to this Government’s vacant vacillation regarding our national security. I urge the Minister again to take this opportunity to strengthen UK cyber-security from the threat posed by foreign state actors. Protecting the UK and its citizens is the primary responsibility of Government, but still, in the face of clear evidence of increasing threats, this Government fail to act. The risk of physical threats and the need to invest in defence are clear to all, yet the Government prioritise increasing welfare spending over the safety and security of armed forces personnel and our country. The situation is so serious that the Defence Secretary had to resign, as he could not defend the inaction of this Government or the risks they are taking. While the dangers presented to our cyber-security may be less visible, they are no less real. Hostile state actors are working every single hour of every single day to undermine our democracy and our security. These are risks that every Member across this House will be aware of. It is chilling to know that when Iran shut down its internet access, social media accounts purporting to be pro-independence Scottish people stopped tweeting. Expert analysis has estimated that thousands of similar accounts could originate in Iran and that as much as 26% of such accounts could be fake. Social media is now a weapon. We know that hostile state actors have sought to attack and undermine Parliament. 
Just last week we were told that spyware had been discovered in Government buildings linked to recent high-profile decisions regarding China’s controversial mega-embassy project in London.
I have often said about the device that was found in the Ministry of Housing, Communities and Local Government that unless someone is a member of staff, they cannot get to that side of the building without going through the Home Office. That obviously raises serious questions about the complex on Marsham Street more broadly. Does the shadow Minister accept that there is a pattern of foreign malign forces impacting our institutions, whether that is our Parliament or even the sovereignty of the United Kingdom itself? Unless there is resolve by Government and all parties in this place, we will not face that threat with the scale of response needed.
I thank the hon. Gentleman for the knowledge and experience he brings to the background of that particular case. I entirely agree that it is incumbent on all parties across the House to strengthen our national security and to be clear-eyed about the threat of hostile state actors. I will continue to develop that point in my wind-up speech. The evidence is clear that we face an increasing threat from foreign state actors. We need to take action to recognise those risks and to prevent such attacks. Cyber-security should be at the forefront of our defences, and for that reason, His Majesty’s loyal Opposition have focused again on amending the Bill, particularly with new clauses 14 and 15. We table them in the hope that the Government will not squander another opportunity to act in this Bill. New clause 14 would require the Government to directly identify the threats we face, ending the prevarication we have seen in recent months by obliging the Secretary of State to establish and maintain by regulation a list of foreign powers presenting a significant cyber-security risk to the UK. The amendment would strengthen the link between intelligence agencies and policy enforcement, ensuring that decisions by the Secretary of State to deploy special national security direction powers are based on GCHQ’s verified risk assessments regarding hostile states and state-affiliated groups. It is not about reacting after an attack occurs, but creating a proactive framework to evaluate and mitigate threats, built directly into UK supply chains. That would ensure that the UK is better prepared to deal with cyber-threats and attacks from hostile state actors. With the risks continuing to grow, these decisions cannot remain at the political whim of a Government who are reluctant to act. Let us talk about the dragon in the room. 
In 2024, the National Cyber Security Centre confirmed that China state-affiliated actors were responsible for cyber-attacks on the UK’s Electoral Commission and Parliament in 2021 and 2022, yet this Government continue to refuse to recognise China as a threat to the UK. New clause 14 would compel the Government to recognise formally what is readily apparent to those on these Benches, to our security services and to the many Members across both Houses who have expressed urgent concern about the security risks that China and other foreign state actors pose to the United Kingdom. The new clause would force the Government to acknowledge that China is a threat. In view of this established and growing threat, our new clause 15 would compel the Secretary of State to review state-sponsored cyber-threats to the UK’s infrastructure, including the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. As I said in Committee, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical national and cyber-security threats to this nation. The new clause also strikes an important balance between ensuring parliamentary scrutiny and recognising and protecting the sensitive nature of some of the material that may be unearthed, by making provision for such information to be sent to the Intelligence and Security Committee of Parliament. I am pleased that, having resisted calls to address this risk during previous stages of the Bill’s progress, the Government have now taken some action to address risks from foreign state actors. The publication last week of their National Security (State Threats) Bill comes in response to a sharp spike in state-backed intelligence operations, sabotage and proxy violence. 
Their own explanatory notes to that Bill state: “Threats to the UK from foreign states are persistent and take many forms, including espionage, foreign interference in the UK’s political system, sabotage, disinformation, cyber operations, and even assassinations. Collectively these are referred to by the Government as state threats.” However, the Bill itself does not once mention cyber-security, and contains no provision requiring assessment of the risks posed. It does not apply to states themselves, and therefore can only be complemented and strengthened by new clauses 14 and 15, which no responsible Government or Member of the House could vote against. Amendment 3, which would insert a provision headed “Exemption from disclosure: right to a fair trial”, was tabled by my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith). As a Member of Parliament whose constituency includes Runnymede, I am proud both to call him a friend and to work with him on, in particular, his fight for the rule of law and fair trials. The amendment would prevent the sharing of information with overseas authorities for the purpose of prosecuting crimes not committed in the UK, if the Secretary of State determined that the receiving country was one in which the right to a fair trial could not be guaranteed. It would address genuine human rights concerns, and would close a loophole in the Bill that currently fails to anticipate politically motivated requests from authoritarian states. It would help to block hostile state actors such as Russia, China and Iran from probing our systems to detect firmware back doors or vulnerabilities within, for instance, the UK’s utility networks, healthcare systems and data centres. It would also create a statutory duty for the Secretary of State to submit an annual report to Parliament justifying decisions on which foreign jurisdictions are trusted or barred from intelligence sharing. 
That alone would be invaluable, and would end the many fruitless hours of questions and debate in the Chamber initiated by Conservative Members seeking a clear answer from the Government on whether they see countries such as China as a threat—per my earlier remarks. I am therefore pleased, on behalf of His Majesty’s Opposition, to support my right hon. Friend’s amendment. Let me also pay tribute to the Chair of the Science, Innovation and Technology Committee, the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah). I thank her for her comments, which were echoed by others, about the risk from the internet of things and cellular modules. That is an important area, and we need to get it right. I will conclude by addressing the amendments tabled by our Liberal Democrat colleagues regarding digital sovereignty and the impact that this approach could have on the UK. New clause 13 is the clearest demonstration to date that the Liberal Democrats do not understand the tech sector or global supply chains. Of course it is right to support British business, but it is not feasible or possible to achieve full sovereignty in a global market or supply chain. Rather, we should prioritise capacities and capabilities, and ensure that the UK has an indispensable role in global supply chains.
I do not think that the hon. Member has understood our amendment, which is about having a strategy. It does not say that everything should be sovereign, but we need to look at our tech stack and have a strategy for what is sovereign and what requires the procurement of elements. I ask him to look at our amendment again.
I refer the hon. Member to her new clause 13, particularly subsection 3(c), which makes it very clear that companies would need to deviate from “foreign technologies”, which would be quite a burden. We need to back Britain in key sectors, from quantum and photonics to chip design and innovation. In so many areas, we lead the world. We should not try to restrict the influence and access of global markets. We must engage not in protectionism, but in leverage, to back Britain and position ourselves so that we are indispensable in the modern global tech sector and supply chains.
Does the hon. Member agree that if we are to excel, we must excel on a UK-wide basis? Does he agree that it would be a very retrograde step to have part of this United Kingdom subject to another jurisdiction’s AI regulations, rather than those of the UK? Does he agree that it is imperative that the AI regulations that govern our digital sector are those of this Parliament and not those of the European Parliament?
I do not want any part of the UK to be subject to the awful AI Act that has been passed by the European Union. Northern Ireland, and particularly Belfast, is a technological powerhouse of which we should be very proud. We need to ensure that it continues to go from strength to strength as part of our fantastic Union. We on the Conservative Benches will not back new clause 13, because we understand how markets and global supply chains work. We believe in Britain.
I start by echoing the thoughts of many Members from across the House, particularly my hon. Friends the Members for Leeds Central and Headingley (Alex Sobel) and for Cowdenbeath and Kirkcaldy (Melanie Ward). I did not know Jo Cox, but I admired her deeply. As we talk about our country’s resilience, her central message—that there is no deeper route to resilience than through the unity of our country and community—is top of our minds for all of us in this House. It is a pleasure to bring this important Bill back to the House this afternoon. The Bill will increase our cyber-defences and resilience, making the UK an even safer place to live and do business. I thank Members on both sides of the Chamber for their valuable contributions to this debate and for the expertise that they have brought throughout the passage of the Bill. I particularly thank them for their recognition of my core belief: that the central question for our national security and resilience is the question of our technological and AI capabilities. We tested the Bill’s measures carefully before introduction, but we have since listened to feedback. There are a small number of minor, technical drafting improvements, which I will briefly go through. Government amendments 16 and 17 ensure that regulators can ask for the information they need to fulfil their obligations under the NIS regulations. This does not give regulators any new powers; it simply confirms that the current reasons for requesting information under the NIS regulations will still apply under the updated regulations. Government amendments 7 and 8 make changes to align with two information-gathering Government amendments made in Committee—amendments 16 and 17. Government amendment 11 makes consequential changes following an amendment made in Committee. That amendment enables information sharing between NIS regulators and other public authorities for cyber-matters outside the scope of the NIS regulations. 
Government amendments 14 and 15 clarify the safeguards for information sharing gateways, and amendments 9, 10, 12 and 13 make the necessary changes to ensure that the rest of the clause is consistent with the change made by amendment 14. Government amendments 18 to 26, to clause 57, allow regulators and the Secretary of State to issue notices related to the powers of direction to nominated representatives of regulated entities. I have also tabled Government amendment 27, which corrects minor drafting errors to ensure the Bill works as intended. Members raised a series of questions, and I will address them thematically. First, the question of scope was raised by new clauses 4, 20, 21, 5, 8 and 9. I thank my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), the Chair of the Science, Innovation and Technology Committee, who brings consistent expertise and experience to these questions; the Chair of the Joint Committee on National Security Strategy, my hon. Friend the Member for Warwick and Leamington (Matt Western); and the hon. Members for Harpenden and Berkhamsted (Victoria Collins) and for Brecon, Radnor and Cwm Tawe (David Chadwick), who tabled amendments on the services and scope of the Bill. All organisations, from high street shops to manufacturing giants, should take steps to increase their cyber-security and resilience. The Government and the National Cyber Security Centre are making sure that the right tools are available for every part of the economy. I am sympathetic to their intent, and in particular with my hon. Friend the Member for Middlesbrough South and East Cleveland (Luke Myer) when he talks about the impact of cyber-security incidents on local communities. 
The Government have committed to reviewing whether new activities need to be brought into the scope of the NIS regulations, but it is essential that any such decision is based on a systematic and specific assessment of carefully considering whether the regulation in these particular parts of statute are the most appropriate response. The NIS regime has been put in place to protect the most essential parts of our economy, often those whose disruption would cause an imminent threat to life. It is focused on a specific set of tests where sectors have little or no alternative service provision in the event of disruption and relates the latest systematic evidence of the threats that each sector faces. In that context, all Government Departments with sectoral responsibility work with their sectors on broader cyber-resilience. The Department for Environment, Food and Rural Affairs does so with food, and the Department for Business and Trade does so with retail, automotive and so on. The NCSC also has strong relationships across sectors, actively working with them to share best practice and incident insights, and to strengthen overall resilience, such as by engaging with the British Retail Consortium following incidents affecting the sector last year. The food sector is unique among other critical sectors because of its high levels of diversity. In the analysis underpinning the judgments made in the Bill, there are approximately 20,000 SME food manufacturers in the UK alone, and many more farms, distribution centres, retailers and other types of businesses that form the UK’s food supply chain. Given the lack of a single point of failure, we think there are more proportionate levers to pull, rather than bringing food in scope of the NIS regime. We have made similar judgments about other sectors on the basis of that systematic analysis, as I have shared in Committee and at other stages of the Bill’s consideration.
I accept the point about the plethora of businesses in the food supply sector, but my amendment simply seeks commonality with what the European Union has pushed for. Why can it not be the right thing for the UK Government to do as well?
I am happy to write to the Chair of the Select Committee about comparisons with the EU, but the broad thrust is that we have undertaken a specific analysis of whether the burdens of the Bill should apply in a systematic, proportionate and coherent way to sectors. The analysis suggests that food supply is not in scope for the reasons I mentioned—primarily diversity of supply—but I would be delighted to engage with him on the question of why Europe took a different decision. We have based our decision on our analysis here.
Will the Minister give way?
I am going to make some progress but will try to come back to the Chair of the Select Committee shortly. The Government’s cyber action plan is the overarching strategy to raise public sector standards across Government, including local government. The Ministry of Housing, Communities and Local Government has taken action to strengthen local authorities’ cyber-resilience, backed by £29 million of cyber grant funding, technical support and the adoption of the cyber assessment framework for local government. In that spirit, I take particularly seriously the point made by my hon. Friend the Member for Oldham West, Chadderton and Royton (Jim McMahon) on supporting capacity even further with centralised capacity support from the Government Digital Service and other parts of cyber-capability in central Government. The joint election security and preparedness unit, also raised by Members, works to protect UK elections and referendums, co-ordinating across Government on response to threats, including cyber-risks. JESP works closely with the National Cyber Security Centre, producing guidance for organisations involved in delivering elections and electoral infrastructure, particularly local authorities. JESP and NCSC regularly engage with political-party representatives as well. The question of a register of foreign powers has been raised in relation to new clauses 14 and 15, tabled by the shadow Minister, the hon. Member for Runnymede and Weybridge (Dr Spencer). New clause 14 would require the creation of a register of foreign states that pose a risk to the UK, based on GCHQ advice, for the purpose of exercising powers under part 4 of the Bill. I assure the shadow Minister, as I did in Committee, that the use of those powers will always be underpinned by robust intelligence. That includes, where relevant, information about state actors involved in cyber-threats. As a result, it is unclear what additional support the register would provide to the Secretary of State. 
New clause 15 would require the Government to report annually on risks posed by foreign powers. Drafting a report of vulnerabilities would simply duplicate existing assessments and risk distracting the Government from more effective measures to protect the UK from hostile foreign actors. The shadow Minister also proposes that information that cannot be included in the report for national security reasons is sent to the Intelligence and Security Committee. I have made it clear to him, both in Committee and more broadly, that the Government value the independent and robust oversight that the Intelligence and Security Committee provides on behalf of Parliament. However, we do not consider that the report described in the new clause sits within the ISC’s current oversight remit, as outlined in the Justice and Security Act 2013 and the Committee’s memorandum of understanding with the Prime Minister. The Government are actively reviewing the Committee’s existing memorandum of understanding and will update the House in due course. New clause 3, tabled by the hon. Member for Harpenden and Berkhamsted, would require the Government to assess how many entities regulated by the NIS regime are owned, in part or in full, by foreign states, and the risks that they pose. Publishing a review identifying national security risks caused by foreign state ownership would provide valuable insight for our adversaries. Furthermore, conducting an assessment of the ownership structure of every in-scope entity within six months would be disproportionately resource intensive, and would distract the Government from more effective measures to protect our services.
Let me take the Minister back to the question of bringing the retail sector into the provisions of the Bill. He seems to be saying that cyber-security and resilience require Government intervention only when there is an immediate threat to life. Will he clarify whether that is what he is saying? My understanding is that we need to keep our economy and citizens secure in all circumstances. On the question of proportionality, my new clause 20 seeks to bring in only very large businesses, so that the requirements of cyber-security on them are proportionate. We know that such businesses are not taking the measures to keep cyber-secure, as we have seen recently with Marks & Spencer, Jaguar Land Rover and others.
It is rare for me to have a point of divergence with the Chair of the Select Committee, given her experience and expertise. However, on that question I am absolutely not saying that Government support is limited only to the certain number of sectors covered by the Bill. There are a range of other ways in which the Government act to support sectors outside of the scope of the Bill. That is the right thing to do. The scope of this Bill—the only Bill horizontally applicable to large parts of the economy—is systematically and specifically set to sectors that are significant as essential services, sectors where there is the risk of significant disruption and threat to life, and sectors where alternative supply is limited. For those reasons, we have excluded retail. Consideration of the scale of the business is not currently in that rubric, because there are also businesses that are small in scale but very material in life-threatening impact. I hope that is a satisfactory answer. I thank my hon. Friends the Members for Dunfermline and Dollar (Graeme Downie) and for Newcastle upon Tyne Central and West for their amendments relating to the risks posed by communications modules made or controlled from outside the UK. Although I am sympathetic to their concerns, the Bill’s approach is intentionally technology and incident-agnostic. Instead of reacting to individual components in isolation, we focus on structural checkpoints and systematic dependencies in this context. There are a range of other levers—investment screening through the National Security and Investment Act 2021; telecoms and cyber data security requirements to protect data and networks; supply chain measures, such as those in the Procurement Act 2023; diversification requirements to reduce dependency and build resilience—all of which are important to respond to the deeply significant concerns raised.
Will the Minister give way on that point?
I will make some further progress. I thank my hon. Friend the Member for Leeds Central and Headingley for his amendment relating to AI emergencies. I recognise his concerns, as well as those of my hon. Friend the Member for Cowdenbeath and Kirkcaldy. Technology is evolving rapidly, and Government must be equipped to respond. That is why the Bill grants the Secretary of State the power to direct regulated entities if the compromise of their network and information system, or the threat of it, gives rise to a national security risk. This could, for instance, require an entity to cease using and isolate an AI model. These powers are a backstop to an effective cyber-security regime, enabling Government to act swiftly in the face of unexpected national security threats. They are also designed to be proportionate, recognising the need for stability among regulated entities and the importance of proper accountability. While I share my hon. Friends’ concerns, I encourage them to work with the Government on a systematic range of ways in which we can mitigate the risks they have rightly highlighted.
I will give way to my hon. Friend the Member for Leeds Central and Headingley in the first instance and then to my hon. Friend the Member for Dunfermline and Dollar.
There is obviously a level of complexity here in relation to the data centre, AI development and the network in the UK and more broadly. Will the Minister therefore commit to a meeting with me and my hon. Friend the Member for Cowdenbeath and Kirkcaldy (Melanie Ward) to discuss this matter further?
I would be delighted to.
I would be more than happy to work with the Government on something that will provide specific protections against cellular internet-of-things modules. What assessment has he made of the specific threat of internet-of-things modules, and what protections are there against that in the legislation?
Given the specificity of his question, I will suggest that I come back to my hon. Friend. The broad thrust is that through our investment control legislation and procurement legislation, there are a series of responsibilities on Departments to look at it. [Interruption.] Given your encouragement, Madam Deputy Speaker, I shall move on. Finally, I will respond to the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith), who raised a very important point. The most important thing to say is that I share his diagnosis, although for reasons mostly of technical drafting, I disagree with his prescription—I hope he will take that in the spirit in which it is intended. His amendment risks creating undue uncertainty in law for many other areas where we do not have an explicit requirement. While I share his diagnosis and his objective, I hope that we can work together to consider how best to give it effect, including through the Foreign, Commonwealth and Development Office’s overseas security and justice mechanisms for information sharing. I thank all hon. Members for their consideration.
I want to draw the Minister back to a point I raised with him at an earlier stage of the Bill, when he gave me what I would call a holding reply. When this legislation goes through, will the whole United Kingdom be subject to it, or will my part of the United Kingdom—Northern Ireland—be subject to the EU’s AI laws as they affect the digital sector? Businesses in that industry in my constituency want to know whether they will be governed by this Bill or by the EU’s AI Act. In other words, will the EU’s AI Act and Cyber Resilience Act be added to annex 2 to the Windsor framework, which would give them superiority and direct application in Northern Ireland? Can we have an answer—are they going to be added or not?
The hon. and learned Gentleman will be aware from a response I recently gave him that both the complexity of the EU’s AI Act and its interaction with the Windsor framework are under consideration at the moment. The EU has made a proposal and we are working with it on that. I will be happy to engage with him on that particular question in due course.
I am not quite certain that I understand the Minister’s reasons for why he cannot accept my amendment, tweak it or work with it in the other place. The reality is that with this Bill, we are opening the door in a way that we would not have otherwise done to the use of information that may predicate a failure for some British citizen sitting in a country where the rule of law does not protect them in the courts. The Government are taking a risk of making it worse, not better. While the Minister agrees to some degree with the principle of what I am saying, surely this is the time to put it right in the Bill.
As I say, I agree with much of the right hon. Gentleman’s diagnosis. Let me state in more detail the reasons for objecting on the mechanism. First, the provisions for information sharing are deeply discretionary for UK regulators. Secondly, the subjects in which they can pursue that information sharing are restricted to significant matters of national security and domestic crime prevention in the UK. Thirdly, the way that the amendment is drafted risks creating undue uncertainty in law. If this is the only regime where there is a specific and explicit reference to fair trial in the legislation, it calls into question how other information-sharing regimes are interpreted, such as under section 114 of the Online Safety Act 2023. In other words, drafted as it is, the amendment could invite legal challenge where a regulator exercises its discretion not to disclose this in other regimes, as there is no explicit exclusion. For those reasons, while I totally agree with the right hon. Gentleman’s diagnosis and his objective, I am afraid that the amendment in question risks undermining the objective.
Will the Minister give way?
I will not, because I am testing the patience of Madam Deputy Speaker—[Interruption.] With your permission, Madam Deputy Speaker, I will give way.
I thank the Minister for generously giving way again. I have no desire to test the House by pushing my amendments to a vote, and I will be happy if I can receive his assurance. I take his points on not having technology-specific regulation where possible, but can I have an assurance that the Minister will work with me, my Committee and other hon. Members to look at the need to safeguard where there are technology-specific risks?
As ever, I would be delighted to work with the Chair of the Select Committee on a range of technology questions, including this one. I am delighted with the support that this House has shown for the intention and principles of the Bill, and I am grateful for Members’ consistent, principled scrutiny.
On the amendment from the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith), I think we have made some progress with the Minister, but it is clear that trying to isolate the issues around fair trial from other matters is complex. Repeating my earlier call, will the Minister meet me, the right hon. Member for Chingford and Woodford Green and others who signed his amendment to explore the complexities of this after the debate?
I can confirm that the Government will be very happy to engage on this question further with my hon. Friend and the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith). I commend the Bill to the House.
Before I withdraw new clause 2, I want to draw Members’ attention to my entry in the Register of Members’ Financial Interests in reference to my earlier speech. I beg to ask leave to withdraw the clause.
Clause, by leave, withdrawn.
New Clause 13
Digital Sovereignty Strategy on risks posed by foreign interference and reliance on foreign technologies
“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a strategy (“a Digital Sovereignty Strategy”) which sets out the Government’s approach to maintaining the security and resilience of relevant network and information systems by—
(a) assessing, managing and mitigating risks—
(i) associated with foreign interference,
(ii) arising from reliance on foreign-supplied technologies, and
(b) preventing over-reliance on foreign providers by building domestic capacity.
(2) For the purposes of this section, a “relevant network and information system” is a network and information system belonging to—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier,
within the meaning of the NIS Regulations.
(3) A Digital Sovereignty Strategy published under this section must—
(a) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains, and
(iv) procurement processes;
(b) include a specific focus on security and resilience in government digital procurement processes, detailing how the Government intends to reduce strategic dependencies on foreign-owned service providers to mitigate the risk of systemic disruption;
(c) include a commitment to prioritise the use of technologies developed in the UK by UK organisations in relevant network and information systems to reduce reliance on foreign technologies, and
(d) where risks are identified under subsection (1)(a)(i), state how the Government intends to address these risks by supporting the use of domestic technologies or systems for the purpose of ensuring the security of those systems.”—(Victoria Collins.)
This new clause would require the Government to publish a Digital Sovereignty Strategy setting out how it intends to address risks to relevant network and information systems posed by foreign interference and reliance on foreign technologies, including by supporting the use of domestic technologies.
Brought up, and read the First time.
Question put, That the clause be read a Second time.
New Clause 14
Register of foreign powers for the purposes of Part 4
“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must by regulations, and within six months of the passing of this Act, establish and subsequently maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems.
(2) Foreign powers determined by the Secretary of State as eligible for inclusion on the register under subsection (1) must include states which have been confirmed by GCHQ as posing a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers, including where the relevant risk is posed by state affiliated groups.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In this section, ‘foreign power’ means—
(a) the sovereign or other head of a foreign state in their public capacity;
(b) a foreign government, or part of a foreign government;
(c) an agency or authority of a foreign government, or of part of a foreign government;
(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or
(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—
(i) hold those posts as a result of, or in the course of, their membership of the party, or
(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”—(Dr Ben Spencer.)
This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.
Brought up, and read the First time.
Question put, That the clause be read a Second time.
Clause 18
Sharing and use of information under the NIS Regulations etc
Amendments made: 7, page 38, line 33, leave out first “and” and insert “or”.
This amendment and amendment 8 would ensure that information could be shared between NIS enforcement authorities where it was for the purposes of security of network and information systems, or for the purposes of resilience of such systems.
Amendment 8, page 38, line 35, leave out “and” and insert “or”.
See the explanatory statement for amendment 7.
Amendment 9, page 39, leave out lines 15 to 17.
This amendment is consequential on amendment 14.
Amendment 10, page 39, line 42, leave out from “paragraph (1)” to end of line 2 on page 40.
This amendment is consequential on amendment 14.
Amendment 11, page 40, line 12, leave out “(1)(c)” and insert “(1)(b)”.
This is a drafting change consequential on an amendment tabled at Committee stage.
Amendment 12, page 40, line 24, leave out from “regulation 6(1)” to “, or” in line 26.
This amendment is consequential on amendment 14.
Amendment 13, page 40, line 31, leave out from “regulation 6(1)” to end of line 33.
This amendment is consequential on amendment 14.
Amendment 14, page 41, line 4, at end insert—
“(4A) A disclosure of information under any provision of regulation 6 or this regulation must be limited to information which is relevant and proportionate to the purpose for which the disclosure is being made.”—(Kanishka Narayan.)
This amendment would ensure that any disclosure under regulation 6 or 6A of the NIS Regulations (defined by clause 1), rather than just disclosures under particular paragraphs of those regulations, would be limited to information which is relevant and proportionate to the purpose for which the disclosure is being made.
Amendment proposed: 3, page 41, line 15, at end insert—
“Exemption from disclosure: right to a fair trial
6AB.—(1) Nothing in sub-paragraphs (1)(d) to (1)(f) of regulation 6, or regulation 6A, permits a NIS enforcement authority to share information with another NIS enforcement authority or with a person within paragraph (2) of regulation 6 if the Secretary of State determines that—
(a) the receiving jurisdiction is one in which the right to a fair trial cannot be guaranteed, or
(b) the disclosure could result in actions being taken that would be incompatible with the right to a fair trial.
(2) For the purposes of making a determination under paragraph (1) above, the Secretary of State must have regard to the opinion of—
(a) subject matter experts, and
(b) competent civil society groups.
(3) The Secretary of State must, within 12 months of the passing of the Cyber Security and Resilience (Network and Information Systems) Act 2026, publish and lay before Parliament an annual report detailing the determinations made under paragraph (1) above in the previous 12 months.”—(Sir Iain Duncan Smith.)
This amendment would prevent the sharing of information with overseas authorities for the purpose of prosecuting crimes not committed in the UK if the Secretary of State determines that the receiving country is one in which the right to a fair trial cannot be guaranteed.
Question put, That the amendment be made.
Amendment made: 15, page 41, line 23, at end insert—
“(1A) A disclosure of information under paragraph (1) must be limited to information which is relevant and proportionate to the purpose for which the disclosure is being made.”—(Kanishka Narayan.)
This amendment would ensure that any disclosure under regulation 7 of the NIS Regulations (defined by clause 1) would be limited to information which is relevant and proportionate to the purpose for which the disclosure is being made.
Clause 20
Powers to require information
Amendments made: 16, page 44, line 15, at end insert—
“(da) assessing the security or resilience of network and information systems relied on by a person regulated by the designated competent authority;
(db) establishing whether any incident has occurred that the designated competent authority believes could have had, has had, is having or is likely to have, an adverse effect on the security or resilience of network and information systems relied on by a person regulated by the authority, and the nature and impact of any such incident;
(dc) assessing the implementation of measures taken under regulation 10 to manage risks and to prevent and minimise the impact of incidents, including as a result of any inspection conducted under regulation 16;
(dd) identifying a failure of a person to comply with any duty imposed by these Regulations;”
This amendment would clarify that the power under paragraph (1) of regulation 15 of the NIS Regulations (substituted by clause 20) includes power to request information for the stated purposes. This makes provision broadly equivalent to what is currently in regulation 15(2) of the NIS Regulations.
Amendment 17, page 44, line 28, at end insert—
“(da) assessing the security or resilience of network and information systems relied on by a person regulated by the Information Commission;
(db) establishing whether any incident has occurred that the Information Commission believes could have had, has had, is having or is likely to have, an adverse effect on the security or resilience of network and information systems relied on by a person regulated by the Commission, and the nature and impact of any such incident;
(dc) assessing the implementation of measures taken under regulation 12 or 14B to manage risks and to prevent and minimise the impact of incidents, including as a result of any inspection conducted under regulation 16;
(dd) identifying a failure of a person to comply with any duty imposed by these Regulations;”.—(Kanishka Narayan.)
This amendment would clarify that the power under paragraph (2) of regulation 15 of the NIS Regulations (substituted by clause 20) includes power to request information for the stated purposes. This makes provision broadly equivalent to what is currently in regulation 15(3) of the NIS Regulations.
Clause 57
Means of giving directions and notices
Amendments made: 18, page 82, line 16, leave out “or notice” and insert “, notice, notification or decision”.
This amendment (and amendments 20, 21, 22, 23, 24, 25 and 26) is a drafting change to clarify that this clause applies to notifications and decisions under Part 4 as well as to directions and notices.
Amendment 19, page 82, line 20, at end insert—
“(1A) Where a regulated person has—
(a) appointed a representative to act on their behalf, and
(b) notified a regulatory authority of the appointment,
a direction, notice, notification or decision under this Part may be given to that representative instead of the regulated person, by any of the methods mentioned in subsection (1).
(1B) Any direction, notice, notification or decision given to a representative by virtue of subsection (1A) is to be treated as having been given to the regulated person.”
This amendment would clarify that a direction, notice, notification or decision can be given to an appointed representative by any method mentioned in subsection (1) of clause 57 instead of to the regulated person in question.
Amendment 20, page 82, line 22, leave out “or notice” and insert “, notice, notification or decision”.
Amendment 21, page 82, line 23, leave out “or notice” and insert “, notice, notification or decision”.
Amendment 22, page 82, line 25, leave out “or notice” and insert “, notice, notification or decision”.
Amendment 23, page 82, line 28, leave out “or notice” and insert “, notice, notification or decision”.
Amendment 24, page 83, line 5, leave out “or notice” and insert “, notice, notification or decision”.
Amendment 25, page 83, line 14, leave out “or notice” and insert “, notice, notification or decision”.
Amendment 26, page 83, line 17, leave out “or notice” and insert “, notice, notification or decision”.—(Kanishka Narayan.)
Schedule 1
Enforcement and Appeals
Amendment made: 27, page 90, line 3, after “sub-paragraph (e)” insert “(including the “or” at the end)”.—(Kanishka Narayan.)
This amendment is a minor drafting change.
Third Reading
King’s consent signified.
I beg to move, That the Bill be now read the Third time. It has been a privilege to take this vital piece of legislation through the House. I thank everyone who has played a role in getting the Bill to this stage, including the noble Baroness Lloyd of Effra, who has been instrumental in driving the policy in this Bill and leading its passage in the other place. I also thank my right hon. Friend the Secretary of State for Science, Innovation and Technology; the officials who have worked tirelessly since the Bill’s inception; the Bill team, led by Shona Lester; the policy teams, led by Nick Dodd and Liam Harkin; the legal team, led by Alicia Swannell; and my private secretary, Ben Holloway. I also thank parliamentary counsel, the Clerks and the Chairs of the Public Bill Committee, and every Member of the House who served on the Committee, as well as Members who have provided important input today and during all previous stages. This country is subject to daily and unrelenting cyber-attacks. This is no longer the stuff of science fiction, but a daily reality that threatens public services, businesses and even our ways of life. As Dr Richard Horne, the CEO of the National Cyber Security Centre, has said: “The real-world impacts of cyber attacks have never been more evident than in recent months”. The Bill delivers on the Government’s commitment to drive secure growth and make the UK more resilient to the threats we face. It recognises how things have moved on since 2018, with data centres playing an increasingly important role in our digital lives and supply chains continuing to diversify. It also recognises that things will continue to change, with a deliberate, technology-agnostic approach and proportionate powers to enable the Government to close regulatory gaps and respond to imminent national security threats. Since the introduction of the Bill, I have tabled a small number of amendments to refine its drafting and ensure that it achieves its intended purposes. 
They include designating Ofcom as the sole regulator for data centres, to reduce administrative burdens and strengthen accountability in this key sector. They also include enabling the network and information systems regulators to share vital information with other regulators and public bodies overseeing sectors and vice versa, enabling more co-ordinated and strategic oversight without unnecessary business burdens. They also updated the definition of cloud computing to respond to important feedback from the sector and made several minor and technical corrections to ensure that the Bill can be practically implemented. The version of the Bill before us is an ambitious, practical and proportionate piece of legislation. It is the result of engagement with industry, important regulator feedback, international dialogue and tireless work from officials. I wish Baroness Lloyd the best in moving the Bill forward in the other place, and I commend it to the House.
I call the shadow Secretary of State.
I thank Members across the House for their contributions to this Bill over many months and for their relentless scrutiny. I have never known a Minister to be in such a rush, with three hours of protected time left. I am grateful to officials both in the Department for Science, Innovation and Technology and in Parliament for their hard work in getting this legislation to its final stage. I particularly recognise the hard work of my hon. Friend the Member for Runnymede and Weybridge (Dr Spencer) and his team in providing such top-notch scrutiny of the Bill during its passage through the House. The Opposition have remained at all times supportive of the principles behind the Bill. It was the previous Government who recognised the need to increase cyber-resilience standards for critical digital infrastructure and services, including managed service providers and data centres. It is welcome that those entities—which are so vital to the functioning of the economy, public services and our daily lives—are now covered. However, I said on Second Reading that opportunities to legislate in this area are few and far between, and we need to ask two questions to assess whether this law is fit for purpose: will it work, and is it enough? There was already an urgent need to strengthen our cyber-defences. However, AI is equipping hostile states, criminal gangs and opportunists alike with tools capable of eroding our national defences at speed and at scale, in ways that will affect businesses, the public sector and our infrastructure. It is right that Parliament legislates to raise the collective security bar, but the nature of the cyber-security risks that necessitated this Bill have developed rapidly as we have been taking it through this House. That demonstrates the difficulties we all face as legislators in dealing with the constantly shifting sands of the digital age. We may need to be ready to return to this subject sooner than we had hoped. 
It is right that critical digital infrastructure such as data centres will fall within the scope of regulation, but we need to recognise that no security measures or standards are 100% effective. Government and businesses need to ensure that essential data and workloads are stored and processed in a way that keeps them secure and operational even when they are under attack. Resilience is key—the Islamic Revolutionary Guard Corps’ apparent targeting of Amazon Web Services sites in the United Arab Emirates and Bahrain earlier this year has shown that digital infrastructure is becoming a prime target in times of conflict. It would be irresponsible to assume that these facilities will not also be targets for cyber-warfare, which is why we have to look closely at concentration of risk, our overall resilience, and any leverage we can build in maintaining access to the best technology going forward. From work on the security of our telecoms infrastructure to scrutiny of the platforms on which critical Government services run, we must now be thinking extremely carefully about our procurement of digital technology. A further significant development since this Bill was introduced is the rapid advance of AI systems capable of identifying cyber-vulnerabilities, particularly in poorly protected legacy IT across Government and public services, including the NHS. It highlights the urgent need to address the Government’s extensive legacy estate, which is especially exposed to exploitation. Nothing in the Bill addresses that need, yet the Government are creating a broader digital architecture for hackers to attack through their plan for Government-issued digital IDs. If public trust is to be restored, especially after the Government’s abortive attempt to introduce mandatory ID last year—still, I fear, a risk by the back door—such systems must always remain both optional and secure. 
It is therefore concerning that the Public Accounts Committee felt compelled to write to the permanent secretary at the Department for Science, Innovation and Technology in April to criticise the lack of urgency in reviewing legacy IT equipment, given both the sensitivity of the data involved and the scale of the cyber-risk. Earlier, my hon. Friend the Member for Runnymede and Weybridge set out one of the most significant threats that this Bill fails to address: the intensifying cyber-security risk posed by the Chinese Communist party and its affiliates. It is regrettable that the Government have, for a second time, voted down amendments that would have compelled the Secretary of State to create a register of hostile state actors threatening the cyber-security of essential networks and information systems. Those concerns are not restricted to Conservative Members, which is why the amendment tabled by my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) attracted cross-party support. The risks posed by cellular IOT modules have been set out expertly in the Chamber today. IOT modules supplied by Chinese manufacturers are now embedded in nearly all internet-connectable products and devices, from smart TVs to electric cars. They can be used to intercept data and track locations, and can even be controlled remotely. The scale of the cyber and physical security threat from IOT modules is the tip of the iceberg, with components that can be used for espionage or cyber-attacks or disabled remotely woven into countless aspects of our critical national infrastructure. This is an issue that is not going away. In summary, although this Bill is necessary and goes some way towards enhancing our cyber-resilience in critical areas, it will not be enough in isolation. It heaps all the burden on the private sector, yet it would have been insufficient to prevent the Jaguar Land Rover incident. 
It does not address public sector vulnerabilities, and it falls far short of meeting the moment that the now former Defence Secretary, the right hon. Member for Rawmarsh and Conisbrough (John Healey), lamented that this Government were missing in their approach to our collective defence and security. It speaks to this Government’s continued inability to grapple with and address the red lights that are now flashing on the national dashboard. The “corrosive complacency” that Lord Robertson called out in the Government’s approach to investment in defence can also be seen here, in the Government’s ongoing refusal to address the urgent threat to our national cyber-security caused by our reliance on technology and components from nations that have demonstrably malign intent. We are living with the uncomfortable reality that the end of history was a dangerous illusion; one that has led to us gradually outsourcing our critical industries to our geopolitical rivals and competitors, only to have their wares sold back to us in the form of latent time bombs. That is why this legislation, which we support, can only be a discrete tool in addressing a much wider challenge. Cyber-security is no longer a niche compliance exercise; it is about protecting the fundamental economic and defence interests of our nation. That is why I suspect we will be returning to cyber issues in this House before too long, and with greater urgency.
I call the Liberal Democrat spokesperson.
I reiterate the importance of a digital sovereign strategy for our cyber-security. It is about our resilience, our security and our economic strength as a country and collaborative sovereignty. We very much welcome the extended scope of the Bill and we support it moving forward.
Question put and agreed to.
Bill accordingly read the Third time and passed.
On a point of order, Madam Deputy Speaker. I seek your guidance. There are reports that a Russian warship has today fired warning shots near a UK-registered yacht in the English channel, south of the Isle of Wight. If verified, this action would be of grave concern to the House and would represent a significant escalation in the hostilities shown by Russian actors towards UK interests. Can you guide me on how the House might seek to be urgently updated by a Defence Minister on this development and guided as to the Government’s proposed response?
I thank the hon. Gentleman for his point of order. I have had no notice that the Government intend to bring a statement, but I am sure that those on the Government Front Bench have heard him, and should that change, we will doubtless hear before the Adjournment.