Written questions by Bhatti.

Innovation and Technology, what estimate her Department has made of the number of cyber attacks on energy infrastructure.

The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.

Innovation and Technology, what assessment her Department has made of the risk of cyber attacks on energy infrastructure.

The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.

Innovation and Technology, what assessment her Department has made of the potential merits of creating a cyber incident database with compulsory fixes to be created for energy infrastructure.

The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.

Innovation and Technology, what assessment she has made of the potential impact of the Cyber Security and Resilience (Network and Information Systems) Bill on the cyber resilience of energy infrastructure.

The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.

Innovation and Technology, what progress he has made on establishing the Digital Inclusion Action Committee.

The Digital Inclusion Action Committee is an external advisory body that will work closely with the Department for Science, Innovation and Technology. It will be made up of national and local experts to tackle digital exclusion. Its role is to scrutinise, steer and help determine the work of the government in reducing digital exclusion in every part of the UK.The Expression of Interest closed on 2nd April, and selection is underway, led by Baroness Armstrong. Attendees are expected to be announced in Spring 2025. The first meeting will take place shortly thereafter.

Innovation and Technology, what steps his Department is taking to tackle digital exclusion.

The Government published the Digital Inclusion Action Plan in February, which sets out the first steps we are taking towards our ambition of delivering digital inclusion for everyone across the UK, regardless of their circumstances. The Government also published a call for evidence on the focus areas and invited contributions from individual citizens, charities, business, civil society, and subject matter experts. The call for evidence closed on 9 April and details on how the Government expects to respond will be shared in due course.

Innovation and Technology, what progress he has made on the Digital Inclusion Innovation Fund, announced in February 2025.

Digital inclusion is a priority for Government. The Digital Inclusion Innovation Fund is designed to support initiatives that increase digital participation and to identify innovative best practice with an ambition to scale and replicate successful digital inclusion activities.Further details of funding will be shared in due course.

Innovation and Technology, whether he plans to publish the evidence from the Digital Inclusion Strategy Call for Evidence.

The Government published the Digital Inclusion Action Plan in February, which sets out the first steps we are taking towards our ambition of delivering digital inclusion for everyone across the UK, regardless of their circumstances. The Government also published a call for evidence on the focus areas and invited contributions from individual citizens, charities, business, civil society, and subject matter experts. The call for evidence closed on 9 April and details on how the Government expects to respond will be shared in due course.

Innovation and Technology, what progress his Department has made with the Digital Poverty Alliance on providing re-purposed Government laptops to people who need them.

The Government is implementing a device donation pilot by working with the Digital Poverty Alliance to refurbish end-of-life laptops from DSIT, DESNZ and DBT and distribute them to those who need them most. This pilot will be in effect until Autumn 2025.We are also working closely with industry on a device donation charter, to encourage more organisations to set up their own device donation schemes. We are hoping to publish this in Spring 2025.

Innovation and Technology, how much money the Government has committed for the Digital Inclusion Fund; and how it will be allocated.

Digital inclusion is a priority for Government. The Digital Inclusion Innovation Fund is designed to support initiatives that increase digital participation and to identify innovative best practice with an ambition to scale and replicate successful digital inclusion activities.Further details of funding will be shared in due course.

Innovation and Technology, whether he has had discussions with the European Union on the future of EU Adequacy on data protection.

I refer the Hon. Member to the answer I gave on 18 October 2024 to Question 8500.

Innovation and Technology, what progress he has made on removing Huawei from 5G networks by the end of 2027.

As he will know, the Designated Vendor Direction issued in October 2022 set out twelve requirements on the removal of Huawei equipment and services that telecoms providers have a legal obligation to meet. We are working closely with providers who received a direction to monitor and ensure compliance. There are two remaining deadlines for the end of 2025 and 2027 which providers must meet.

Innovation and Technology, whether he has had discussions with the Secretary of State for Education on supporting digital inclusion in schools.

I met with the Minister of State for School Standards last week to discuss digital inclusion in schools as a shared priority across our Departments.

Innovation and Technology, whether he plans to bring forward legislative proposals to require businesses to carry out data protection impact assessments.

Article 35 of the UK GDPR already requires organisations to carry out a data protection impact assessment if the type of processing they are doing is likely to result in a high risk to the rights and freedoms of individuals.

Innovation and Technology, if he will make an assessment of the potential merits of using the Digital Information and Smart Data Bill to extend the list of cookie exemptions to include (a) advertising performance and (b) audience measurement cookies.

There is a balance to strike between driving growth and innovation whilst ensuring people retain appropriate choice and control about how their personal data captured by cookies is used. While we have not added this exemption to the face of the Data (Use and Access) Bill, we have taken power in new regulation 6A to extend or modify the list of exemptions.We have already begun talking to industry and others about the possible use of this power and will continue to do so. This change would require careful consideration and consultation.

Innovation and Technology, whether he plans to amend the Research Excellence Framework.

The next Research Excellence Framework (REF) is currently being developed by Research England and the three Devolved higher education funding bodies, in collaboration with the higher education sector.Since the funding bodies initial proposals for REF 2029 were issued in June 2023 plans for the REF have been amended in response to feedback from universities and other stakeholders. This development process will continue until final guidance is set in 2026.

Innovation and Technology, when he will publish a consultation on the potential merits of bringing forward an Artificial Intelligence Bill.

As set out in the King’s Speech, the Government will establish legislation to ensure the safe development of AI models by introducing targeted requirements on companies developing the most powerful AI systems. This legislation will build on the voluntary commitments secured at the Seoul and Bletchley AI Safety Summits and will strengthen the role of the AI Safety Institute. As part of the development of this legislation, the Government will launch a full public consultation shortly, working with industry, AI experts, academics, and civil society to hone our proposals before presenting them to Parliament.

Innovation and Technology, what areas of discussion have been submitted by parties attending the AI Action Summit in November 2024.

We are looking forward to working with France as they organise the AI Action Summit, taking place on 10 and 11 February 2025. France have outlined there are five tracks for the Summit: Trust in AI, Global Governance, Innovation, Public Interest and Future of Work. Each track has a working group which we are a part of, and we look forward to contributing to the summit across these themes. We will share more details about France’s plans for the summit, including on specific areas of discussion and agenda, as and when they become available.

Innovation and Technology, how many universities (a) he and (b) other Ministers in his Department have visited since their appointment.

Since taking office in July, we have visited six universities. I have visited Glasgow University, Queens University Belfast and Imperial College London. Members of the ministerial team have made visits to Northumbria University, Imperial College London and businesses partnered with universities such as Birmingham City University.

Innovation and Technology, if he will take steps to develop a digital inclusion strategy.

It is a scandal that the previous government did not introduce a digital inclusion strategy for ten years.Digital inclusion is a priority for my department and for government, and work is ongoing to develop our approach to tackling digital exclusion and coordinate across government departments. Digital inclusion means ensuring that everyone has the access, skills, support and confidence to participate in a modern digital society, whatever their circumstances.Government will work closely with the third sector, devolved administrations, businesses and local authorities, many of whom have already implemented highly successful programmes, to ensure interventions are collaborative and targeted to individual needs.