Official Report: Minutes of Evidence

The Chairperson (Mr McGuigan): I welcome to the Committee meeting Adrian Borland, head of vehicle policy branch, Department for Infrastructure, and Paddy Cairns, vehicle policy branch, Department for Infrastructure. I will hand over to you for the provision of evidence.

Mr Adrian Borland (Department for Infrastructure): Thank you, Chair. This will probably be familiar to you from the stuff that we sent, but we will just run through it.

Regulation (EU) 2024/2847 aims to strengthen cybersecurity by laying down a uniform legal framework for essential cybersecurity requirements for a range of products that have digital elements. However, only articles 66 and 68 of regulation (EU) 2024/2847 are relevant to DFI and qualify as amending legislation that is being notified to the Committee.

The amendment made by article 68 is to regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles. That regulation is listed under heading 9 of annex 2 of the protocol, "Motor vehicles, including agricultural and forestry tractors".

The amendment is the insertion of the entry, "Protection of vehicle against cyberattacks", in the table in part C of annex II to regulation (EU) No 168/2013. Annex II provides an exhaustive list of requirements for the purposes of EU vehicle type approval that must be complied with under article 18 of that regulation. Part C of annex II provides a specific list of vehicle construction and general type-approval requirements. The effect of the amendment is, therefore, to ensure that in-scope vehicles and systems, components and separate technical units intended for such vehicles are protected against cyberattacks. The technical requirements that will apply in practice have not yet been stipulated and will be established in due course through a future amendment of regulation (EU) No 168/2013.

Article 66 of regulation (EU) 2024/2847 has an association to the article 68 amendment, since it is a typical amendment to the market surveillance framework, regulation (EU) 2019/1020, which is done when a new EU regulation is made. The amendment adds regulation (EU) 2024/2847 to the list in annex 1 of the union harmonisation legislation, to which the market surveillance framework applies. It is an administrative amendment to update the legislation and does not have any practical effect on the type-approval regime itself. It is about establishing the framework for market surveillance for manufacturers and national authorities and the powers of investigation and enforcement.

The Committee will be aware that type approval is a reserved matter. As such, we have sought an initial assessment of the impact from the Department for Transport. DfT has advised that there is no expected adverse impact from the amendment of regulation (EU) No 168/2013 since the type-approval requirements for in-scope vehicles in GB and NI are intentionally aligned and no divergence will take place. It does not, therefore, appear likely that the application of the replacement EU Act in terms of type approval of in-scope vehicles would have a significant impact specific to the everyday life of communities in Northern Ireland in a way that is liable to persist. It is designed to have a positive impact on cybersecurity. Not implementing the amendment would, in fact, have a detrimental effect, because Northern Ireland would potentially not benefit from the improved cybersecurity of products with digital elements that are used in the production of in-scope vehicles. It would also mean divergence from GB type-approval schemes that will implement the amendment.

The Department for Science, Innovation and Technology (DSIT), which is the GB lead Department on regulation (EU) 2024/2847, is working on a revised explanatory memorandum (EM) now that the regulation has been adopted. With the more recent inclusion of the amendment of regulation (EU) No 168/2013, DfT is providing input to that revision. However, the revised explanatory memorandum has not yet been completed and was not available for the Committee meeting.

I am happy to take any questions that the Committee may have, Chair.

The Chairperson (Mr McGuigan): Thank you. That sounded pretty straightforward with regard to what we have to do. Do you envisage anything different in the revised EM?

Mr Borland: No, we do not envisage anything different at all.

The Chairperson (Mr McGuigan): OK. Fair enough. Thank you.

Dr Aiken: I have just a quick question. Thanks very much for your evidence. Obviously, we have a significant cybersecurity sector in Northern Ireland. It relies particularly on being part of a UK system, with digital improvements and a digital security system within that. What analysis has been done of any change that that is likely to make to the access that our cybersecurity industry in Northern Ireland has to the system in the rest of the UK and, obviously, the other elements of it, which are quite important?

Mr Borland: None that I am aware of in relation to the vehicles that are in scope.

Dr Aiken: It is not just about vehicles; it is about our industry. This is cybersecurity in the round. If you read the draft legal text from the European Commission, you see that it talks about cybersecurity, cybersecurity products, digital elements, the cybersecurity industry and the digital industry. It covers a wide area, not just vehicles.

Mr Borland: Vehicles are DFI's interest.

Dr Aiken: I get that, but our job as a Committee is to look at the impact —

Mr Borland: I understand.

Dr Aiken: — and we do not have other Departments in front of us today.

Mr Borland: As I understand it, the generality of the regulation is not quoted in the protocol and does not apply to Northern Ireland. We are therefore subject to UK legislation on that. That is about as far as I could go.

Dr Aiken: OK. Thanks.

The Chairperson (Mr McGuigan): Thank you. Steve, you are right: there is a wider piece of legislation, but it is important to remember that the Committee really only has any impact on articles 66 and 68. They are the only matters that come under the Windsor framework.

If no one has any other questions, I thank Paddy and Adrian for coming to present to us. Gentlemen, thank you very much.