Official Report: Minutes of Evidence

Committee for Finance, meeting on Wednesday, 26 November 2025


Members present for all or part of the proceedings:

Mr Matthew O'Toole (Chairperson)
Ms Diane Forsythe (Deputy Chairperson)
Miss Jemma Dolan
Miss Deirdre Hargey
Mr Harry Harvey
Mr Brian Kingston


Witnesses:

Mr Paul Duffy, Department of Finance
Mr Hugh Tohill, Department of Finance



Cyber Security and Resilience (Network and Information Systems) Bill Legislative Consent Memorandum: Department of Finance

The Chairperson (Mr O'Toole): I welcome Paul Duffy, deputy secretary of digital, security and finance shared services; and Hugh Tohill, director of digital, security and engagement. Thanks for coming. We would like an opening statement, please, Paul. Give us the core bits, and we will tease out as much as possible in questions. Members, please indicate if you want to ask a question.

Mr Paul Duffy (Department of Finance): Thank you, Chair, Deputy Chair and Committee members, for the opportunity to brief the Committee on the UK's Cyber Security and Resilience (Network and Information Systems) Bill, which was introduced in the House of Commons on 12 November. The legislation seeks to strengthen defences against cyberthreats to essential services across the UK, including in Northern Ireland. With cyberattacks on the rise — the UK is the most targeted country in Europe for cyberattacks — the Bill aims to ensure that the services on which the public rely every day are better protected. It updates and expands on the Network and Information Systems (NIS) Regulations 2018 to drive a step change in cyber-resilience for critical infrastructure such as energy, drinking water, transport, healthcare and digital infrastructure.

Cyberthreats have evolved rapidly since the original NIS framework was introduced in 2018. Hostile states and criminal groups are launching more frequent and sophisticated attacks on critical systems, targeting not only the primary operators but their suppliers and digital service providers. In the last 18 months, we have seen hospitals, local councils, government networks and democratic institutions hit by cyber incidents. An independent study estimates that significant cyberattacks cost the UK economy around £14·7 billion per year, underscoring the scale of the challenge, and Northern Ireland is by no means immune to those threats. The Bill is in response to today's evolving threat environment.

The Bill's primary objective is to modernise and strengthen the UK's cybersecurity regime for essential services and digital infrastructure. It does that by reforming the NIS Regulations 2018 in three ways: expanding the scope of what is protected; empowering regulators with new tools and resources; and enabling swifter government action in response to emerging threats. Importantly, while it deals with technical subjects, it is not a highly technical IT Bill. It is fundamentally about governance, resilience and accountability in cybersecurity. It ensures that the right duties, oversight mechanisms and powers are in place to improve cyber-resilience across critical sectors. The Bill will bring more essential services and their supply chains into the regulatory framework.

When NIS was first introduced, it covered operators in five critical sectors — energy, transport, health, drinking water and digital infrastructure — and certain digital services such as cloud providers, online marketplaces and search engines. The Bill expands that scope and adds new categories that reflect today's risk areas, such as data centres, managed service providers, large load controllers in energy and designated critical suppliers. Perhaps most important, regulators will gain the power to designate certain key suppliers of essential services as being critical and bring them under regulation.

The Bill seeks to bolster the capabilities of the 12 regulators known as "competent authorities" that oversee NIS implementation across the different sectors. That includes the Department of Finance, which is designated as a NIS competent authority for our devolved sectors, which include energy, health, drinking water and transport.

Currently, organisations have to report cyber incidents only if they significantly disrupt services. That misses early warning signs; for instance, if hackers infiltrate a system but have not yet caused an outage. The Bill will mandate that a broader range of material cyber incidents and breaches are reported within tight timelines: initial notification within 24 hours and a fuller report within 72 hours. That includes incidents such as a ransomware infection, even if the services have not yet been knocked offline. The goal is to give regulators and government a much better real-time picture of a threat so that they can respond faster.

The Bill introduces a statement of strategic priorities mechanism, allowing the Secretary of State for Science, Innovation and Technology to set clear objectives for how regulators should implement cyber regulations to drive more consistency across sectors. One practical issue has been whether regulators have the ability to fund their expanded activities. The Bill will empower regulators to cover the full cost of the NIS regulatory work from the companies they oversee. As with other regimes, operators of essential services may be charged fees to cover compliance audits, guidance and enforcement efforts. That ensures that regulators, especially where resources are tight, can hire the necessary experts and run robust programmes without being constrained by internal budgets. Importantly, regulators must be transparent and accountable for how they use the funds with published charging schemes.

The Bill makes it easier for regulators to share information with others and with bodies like law enforcement or intelligence agencies in the context of cyberthreats. That addresses legal uncertainties that currently might slow down cross-agency cooperation. The existing NIS enforcement regime, including penalties for non-compliance, will be updated. The Bill raises the ceiling on fines to align with regimes like GDPR, although the exact levels are still subject to final agreement.

The changes will give the Department of Finance, as the Northern Ireland regulator, the tools and resources needed to ensure that our local essential service providers truly meet their obligations. Rather than add bureaucracy, this is about making regulation more effective, getting better information on risks, having the funding to engage more with operators and being able to act decisively if standards are not met.

Finally, the Bill recognises that cyber is a fast-moving domain. It gives the Secretary of State for Science, Innovation and Technology new powers to adapt or intervene when needed for national security. Currently, to expand NIS to new sectors or significantly change security rules, primary legislation is needed that can take some time to put in place. The Bill will enable the Government to add new sectors or adjust security requirements via secondary legislation. That future-proofing means that, if a new critical technology or sector emerges — for example, something like AI as a service or a quantum cloud — in the future, posing systemic risk, we will not have to wait years for another Act. The Department for Science, Innovation and Technology (DSIT) can enact regulations to bring it into scope quickly, subject to parliamentary oversight.

Drawing on precedents and other national security laws, the Bill gives the Secretary of State for Science, Innovation and Technology the power to issue binding directions to regulators, but not to a devolved Government acting as regulator, as in Northern Ireland, and directly to companies in the event of an urgent, extreme cyberattack. That would be used only in exceptional cases; for example, if there were intelligence of an imminent cyber campaign targeting critical infrastructure, the Secretary of State could direct companies to take specific preventative actions immediately.

In summary, the Cyber Security and Resilience Bill delivers a comprehensive upgrade to the current cybersecurity laws, expands coverage to more of the systems that matter, gives regulators more capacity and equips government to handle serious threats in real time.

Turning to Northern Ireland's interests, although this is a UK-wide Bill, its implications for Northern Ireland and our devolved responsibilities have been carefully considered. Cybersecurity of essential services straddles reserved and devolved competencies. The UK's view, as set out in the devolution analysis, is that the Bill's provisions largely relate to matters that are excepted or reserved, namely national security and telecommunications. However, in practice, the Bill will operate through the existing NIS framework, which involves devolved sectors and authorities.

As I said, in Northern Ireland, the Department of Finance is the competent authority under the NIS regulations for our devolved sectors. We develop policy for NIS in Northern Ireland, oversee and enforce the regulations for local operators of essential services and coordinate with the UK Government on cyber legislation and policy. Naturally, the Bill directly engages devolved functions, even though it is being passed at Westminster.

The Department of Finance has reviewed the Bill's provisions to determine which engage devolved matters. Our legal advisers in the Departmental Solicitor's Office (DSO) have been engaging with DSIT legal advisers as we seek to finalise our consideration of the devolution analysis. That includes considering the Windsor framework implications for Northern Ireland and checking whether any aspect of the Bill might conflict with our unique post-EU arrangements.

Crucially, the Bill aligns with the EU's NIS2 directive reforms, which were adopted in December 2022 and have similar key provisions, such as expanded scope, risk management reporting and stricter enforcement. Given Northern Ireland's geographical and economic proximity to the EU and, indeed, the cross-border provision of some of our services, that alignment means that our operators will be held to a standard of cyber-resilience comparable to that of our counterparts across Europe, closing any regulatory gap that an adversary might wish to exploit.

The overarching conclusion of DSIT's devolution analysis is that none of the Bill's provisions are in the devolved space, leaning on broad national security grounds. However, DSIT intends to seek legislative consent from the Northern Ireland Assembly for certain provisions. It has identified 15 clauses and one schedule that will alter the executive functions of the Department of Finance.

I will speak to the timing of the Bill. The UK Parliament has commenced its consideration, with the Bill having been introduced on 12 November. The Second Reading of the Bill is yet to be scheduled. It is anticipated that the Third Reading will take place in the House of Commons next summer, before the Bill is introduced in the House of Lords. To allow time for the final considerations of the devolution analysis and the Windsor framework analysis, the Finance Minister will lay a memorandum before the Assembly to explain why a legislative consent motion (LCM) is not being sought at this time. We are hopeful that the final consideration of the devolution analysis and the Windsor framework analysis will be completed in the coming weeks, at which stage the Minister will take a view on commencing the legislative consent process. At that stage, I will be more than happy to come back to the Committee with any further update on the analysis that has been completed.

The Cyber Security and Resilience Bill represents a vital step forwards in protecting essential services in Northern Ireland from the growing cyberthreat. It brings the legal framework up to date, incorporating lessons from incidents of recent years, and creates stronger defences and response powers.

Thank you for your attention. Hugh and I will be happy to take any comments or questions.

The Chairperson (Mr O'Toole): Thanks for that, Paul. As always, members should indicate if they wish to ask a question.

Has the Finance Minister taken a view on whether he will recommend that legislative consent be granted?

Mr Duffy: At this stage, the Finance Minister has not been asked to take a view on that. We want to ensure that the devolution analysis and the Windsor framework analysis have been fully considered before putting that advice to him.

The Chairperson (Mr O'Toole): He has not been asked by officials or has not been asked by the UK Government?

Mr Duffy: He has been asked by the UK Government but not by officials.

The Chairperson (Mr O'Toole): I suppose that he could give a view if he wanted. You are waiting for more detailed legal opinion on whether you agree with the UK Government's view of which provisions touch specifically on devolved competence, and their view, basically, is that it is very few apart from 15 clauses and one schedule: is that right?

Mr Duffy: It is 15 clauses across a number of areas.

The Chairperson (Mr O'Toole): You have not formally, legally agreed that yet at official level.

Mr Duffy: Yes. We have sought further clarification on one or two areas. We want to be absolutely clear on the powers that will be granted to the Secretary of State through the Bill. That is the one area in which we seek some final clarification. We expect a response on that from DSIT by the end of the week.

The other matter that we want to make sure is properly considered is the Windsor framework analysis. While there do not appear to be any significant issues, we want to make sure that due process is properly followed.

The Chairperson (Mr O'Toole): First of all, do all the clauses on which you are seeking more information relate to the Secretary of State having powers to do things such as direct public bodies or businesses to do one thing or another, such as to disclose information on a cyberattack? Do they all relate to powers that will be taken by the Secretary of State?

Mr Duffy: Yes. We want to make sure that we are absolutely clear on what the Bill means when it comes to the extent of those powers and whom they apply to. We have clarification that the Secretary of State cannot direct a regulator in a devolved government; that was one of the things that were outstanding.

The Chairperson (Mr O'Toole): The Bill does not allow that to happen.

Mr Duffy: No, but the Secretary of State has the power to direct operators of essential services — managed service providers and companies — if there are concerns around a significant cyber risk.

The Chairperson (Mr O'Toole): I will work through that. This may be a bad example — tell me if it is completely inappropriate — but let us say, for the sake of argument, that the data breach incident that affected the PSNI a couple of years ago was the result of a hack rather than of human error. By the way, for anyone who is watching, this is a totally hypothetical example that I am trying to use. In that scenario, the UK Secretary of State — the Secretary of State for Science, Innovation and Technology in this case, I presume — would not have had the power to order the service provider or the PSNI to do anything, but, under this legislation, they would.

Mr Duffy: Yes. It would depend on the organisation.

The Chairperson (Mr O'Toole): Say, for example, it were Fujitsu or BT.

Mr Duffy: They are operators of essential services or large service providers, so it is likely to be an organisation that operates UK-wide, such as Fujitsu or BT. It would be one of the large operators.

The Chairperson (Mr O'Toole): It would not necessarily. It could theoretically be a Northern Ireland-specific company. If, for whatever reason, the hypothetical cyber incident were only to affect Northern Ireland, the Bill would give the Secretary of State the power to say whether they want to issue an order of one kind or another to a specific provider.

Mr Duffy: And if it meets certain thresholds; for example, if it is a national security issue, rather than a localised issue.

The Chairperson (Mr O'Toole): OK. Obviously, the Secretary of State would get advice, but would that power all be in the hands of the Secretary of State to effectively decide what they deem to be —. Would they have to lay a statutory instrument or something?

Mr Duffy: My understanding is that they would have to go through a parliamentary process.

The Chairperson (Mr O'Toole): That is effectively a new development that would give a UK Secretary of State the power to weigh in to or, rather, to intervene or request a service provider, public or private, but you are finding that out?

Mr Duffy: Yes. What is crucial here is that, where there is a wide, systemic risk of an incident, it is intervening in a way that curtails that from expanding into other sectors or other areas. It is in recognition of how quickly a cyber incident can evolve into something much larger. If you were to wait for legislation to be put in place before you could respond to an incident, the perpetrators would be long gone before you were able to intervene.

The Chairperson (Mr O'Toole): Who is responsible for that at the minute? Does a devolved Minister have the power to do those things?

Mr Duffy: It depends on the organisation and on the threshold. In the Department of Finance, we have a role in regulating operators of essential services in Northern Ireland. For example, if there is a cyber incident in a health trust, at the moment, that trust has to notify the competent authority — the Department of Finance — that there has been an incident. The trust goes through its continuity processes to manage that incident, but we would expect to see an incident report, an understanding of how that incident arose, what mitigations they put in place, how they responded to it and what they have learned from it. There will be almost a follow-up audit with recommendations to that trust on how to prevent future incidents.

The Chairperson (Mr O'Toole): The kinds of powers that you have are nowhere near what the UK Secretary of State is seeking to take in the Bill, presumably.

Mr Duffy: No. The powers that we have at the moment are around our local services and providers, whereas the powers that the Secretary of State would have would be UK-wide powers.

The Chairperson (Mr O'Toole): I accept that one is UK-wide and yours is currently local, but, apart from the geographical remit, are they of similar legal import? Do you have similar power to command them to release information to you, for example?

Mr Duffy: At the moment, we can request information from them, so we put information notices out. We also have the power to —.

The Chairperson (Mr O'Toole): They are legally obliged to follow. It is not just that you have the right to ask; they must comply.

Mr Duffy: Yes, and the reporting has to be within the time frame as well. They legally have to do that. If there were an incident in a local trust in Northern Ireland — I am trying to think of a hypothetical example — and it were caused by a supplier that was a UK-wide supplier to other health providers, the Secretary of State would obviously wish to take an interest in that regard because that could have a UK-wide health impact.

The Chairperson (Mr O'Toole): In that hypothetical scenario, that would not necessarily mean that the health trust would have to make a disclosure to the Secretary of State. It would mean that the Secretary of State would be advised by their officials that it was more systemic and/or UK-wide.

Mr Duffy: If it were to become a national issue, the Secretary of State would have the power to intervene.

The Chairperson (Mr O'Toole): You mentioned the Windsor framework. What specific issues that you are alive to are at play there?

Mr Duffy: I would not call out any specific issues at this stage. My concern has been about the quality of the analysis that has been provided.

The Chairperson (Mr O'Toole): Is it not good enough?

Mr Duffy: I do not think that it meets the standard.

Mr Duffy: DSIT.

Mr Duffy: We have challenged the quality of it. We do not expect it to flag any particular issues, but we want to make sure that it goes through the right process and that proper due diligence has been done.

The Chairperson (Mr O'Toole): Is it policy-specific, or does it just seem a bit flimsy?

Mr Duffy: I think that it is the latter.

The Chairperson (Mr O'Toole): OK, that is fair enough. It seems as though it has been a bit of a desktop exercise, basically, and not very —.

Mr Duffy: There is an obligation to follow certain guidance. While the Bill may not have huge implications for the Windsor framework, we still want the proper process to be followed.

The Chairperson (Mr O'Toole): An issue that I have talked about in another capacity as a potentially unseen aspect of Brexit that is not covered or is covered only partially in certain contexts that largely involve the movement of goods is this: data moves across the island of Ireland all the time. Organisations and, often, individuals move data, whether that relates to banks, churches, the GAA, trade unions or another all-island organisation. We are lucky in that the UK Government have maintained GDPR adequacy. Is there anything in the Bill that could make that more challenging? I cannot foresee such a scenario, but can you tell me whether there are any?

Mr Duffy: Certainly not that I am aware of. If anything, the Bill aligns the UK more with the European NIS2 directive regulations that came into force in 2022.

The Chairperson (Mr O'Toole): OK. There is more surety, if anything.

Mr Duffy: It provides a more comparable regulatory framework for organisations that work cross-border.

The Chairperson (Mr O'Toole): That is really helpful.

That is it from me, so I will bring in colleagues.

Ms Forsythe: Thank you for coming today. At the outset, Paul, you said that Northern Ireland is the part of the UK that is most targeted by cyberattacks.

Mr Duffy: Sorry: the UK is the most targeted place in Europe.

Ms Forsythe: OK. I was going to ask you for more detail on that.

Mr Duffy: Thankfully not.

Ms Forsythe: Why is that the case?

Mr Duffy: Why is the UK the most targeted?

Mr Duffy: There is a host of reasons. Some of it is driven by politics. We see during conflicts such as the Ukraine crisis that certain countries that support other countries politically are subject to more targeted threats and attacks.

Mr Hugh Tohill (Department of Finance): Absolutely, it is about the UK's geopolitical position. The stance taken by the Government makes the UK an attractive proposition for other nation states or adversaries operating at that level. Criminal gangs that operate from some of the adversary nations actively target the UK not just for financial gain but to disrupt and impact on election processes and the delivery of government across the UK.

Ms Forsythe: OK. Thanks very much. You covered the reasons for using the Westminster Bill rather than an Act of the Assembly, but, for clarity, given that you said that primary legislation would take time but this would help you to make sure that we are aligned and doing the right thing in the meantime, is there still an intention to introduce primary legislation?

Mr Duffy: No, largely because it is really a national security matter. Cyber does not respect geographical boundaries. The UK is much stronger by defending itself as a whole than as individual components. The Bill will strengthen our regulatory framework here, aligning it with what is happening in the UK and with the NIS directives for the rest of Europe. There would not be a huge advantage in having local legislation on such a wide-ranging issue.

Ms Forsythe: Can you give any indication of the timescale for the Bill?

Mr Duffy: The Bill was introduced on 12 November. We hope that Second Reading will be scheduled before Christmas, although we do not have a date for that yet, with Third Reading towards the end of March or in April, after which it will be introduced in the House of Lords. The aim is for the Bill to receive Royal Assent in early 2027, so that is a year and a bit away.

Ms Forsythe: It is all very current and live. In the meantime, it is important that we stay on top of such an important issue.

Mr Harvey: Looking at it in practical terms, a cyberattack is not always something of financial interest but more the stealing of data, whether that data is worth anything and whether it can be shared, sold or passed on. I am thinking of the speed when things are monitored. Can an attack be reported and addressed if it happens quickly?

Mr Tohill: Yes. We have well-established and effective working relationships with the National Cyber Security Centre, law enforcement here and other areas across Northern Ireland whereby we can stand up our cyber incident response processes very quickly. We have tested those plans and they have proved to be effective. We are confident that, in the event of a major cyber incident locally, we would have all the necessary people together very quickly to address that as well as technical expertise from the private sector, where we have contractual arrangements already in place for that.

Mr Duffy: We certainly would not want to appear to be complacent. Lots can be done to prepare. It is important that we as officials can give assurances on those preparations. Cyberattacks are a fast-moving issue and are growing in sophistication, so we always have to be vigilant.

Mr Harvey: I appreciate that. Thank you.

Mr Kingston: Thank you for your attendance, Paul and Hugh. When I was on Belfast City Council and cybersecurity issues came up, it seemed a remote thing. However, I think that we are all now much more aware. This is the front line of defence of the UK in the modern world. You said that the UK was the most targeted country in Europe, primarily because of the stand that it has taken against aggressors on the international stage and rogue states. The speed of response is critical. There cannot be unnecessary delay when there is a cyberattack.

I am interested in the national security powers. I think you said that the Department of Finance was the competent authority or the Finance Minister specifically. Are you saying that the Secretary of State will have certain increased powers? Describe in lay terms the powers that each will have when speed of response is critical to ensuring that there is no unnecessary delay.

Mr Duffy: The powers that fall to the Finance Minister and the Department of Finance as the competent authority are to regulate the devolved sectors, which are energy, drinking water, transport and healthcare. We will continue to exercise those powers. The additional powers that are proposed for the Secretary of State will allow the Secretary of State to intervene with particular companies and direct them to take particular action or share information. I will not say, "the trust" because someone will think that I am targeting healthcare, but, if there was an incident within Translink, for example, we would be involved in that process to understand what happened and Translink's response to it. Depending on how wide that response would be, there may be a need for us to share the information that we gather from Translink with the Secretary of State or the National Cyber Security Centre to consider whether there were national issues to be considered.

Mr Tohill: I will expand on that. Operators of essential services are being regulated against a cyber assessment framework that has been developed by the National Cyber Security Centre. Objective d in that is minimising the impact of cyber incidents, with the key principle being response and recovery planning. That response is deemed critical for operators of essential services to ensure that they are prepared effectively for a major incident. That is a critical element of what they are getting regulated against.

Mr Kingston: When there is a coordinated cyberattack, time cannot be wasted going through a list of people to get their approval to do something. The response needs to be as immediate as possible and authorised from on high.

Mr Duffy: If there is an incident, the organisation impacted will have response plans and will respond to that incident. The regulator would want to understand whether there are wider implications, such as quicker intervention. Early alerts within 24 hours are important, because they indicate whether there is an issue or a systemic issue that we need to be concerned about.

Mr Kingston: I have one other question, Chair. Harry and I previously sat on the Executive Office Committee, and it has a civil contingencies role. How does that relate to the responsibility held in TEO?

Mr Duffy: An isolated incident within an operator of an essential public service, particularly a public body, will be managed by the organisation. However, if that triggered civil contingencies because it had a wider impact on the public of Northern Ireland, the civil contingencies section would step in over and above the local arrangement. For example, if a Northern Ireland Department experienced a cyberattack, depending on how widespread the impact was, the Department would trigger its response plan, but, if it was widespread, that may trigger civil contingencies, and the Executive Office would be involved.

Mr Kingston: Might there be some overlap of responsibility between TEO and the Department of Finance?

Mr Duffy: There would be an overlap if there were a cyber incident. For example, if the Department for Infrastructure had a cyber incident that became more widespread, the Executive Office would get involved through civil contingencies and likewise if it happened in any other Department. It is not just specific to DOF: Departments have cyber responsibilities, but, where it has a wider impact on Northern Ireland, civil contingencies would have to be triggered.

Mr Kingston: Thank you, Chair.

Miss Hargey: Thank you for the presentation. It is right to take time to look at the Windsor framework implications. From the Justice Committee, I know that the NI Affairs Committee raised concerns about the compatibility of the Crime and Policing Bill going through Westminster with the Windsor framework. In fact, the human rights implications were not properly scrutinised, and I am glad that the extra work is being done.

What is the Human Rights Commission's view of the national security provisions? Of course, every country has national security considerations, but I am concerned about the checks and balances on how that is used to make sure that it is not abused by a Secretary of State, particularly in the devolved arena. Has the Human Rights Commission provided its views on those matters, particularly on the Windsor framework? The commission set up a separate section to look at the Windsor framework, and it was concerned that government Departments in London have not had the same focus on those issues. I am keen to get assurances about that, the engagement with the devolved arena and the checks and balances on the powers, even for the Secretary of State, and particularly on national security issues.

Mr Duffy: That is the crux of why we have not accepted the Windsor framework analysis that has been provided by DSIT. We have concerns about the rigour with which the analysis was completed, and we are working through DSIT with the legal advisers and hope to conclude that in the next few weeks. Certainly, we will seek assurances on issues such as human rights, and ensure that the proper analysis has been undertaken.

The Chairperson (Mr O'Toole): Is that it? Happy enough?

It highlights the importance of taking seats on the NI Affairs Committee and doing the scrutiny.

No further members have indicated that they want to ask questions. At this point, we will release Paul and Hugh and ask to be kept abreast of further developments with the Bill, including when the Minister and the Executive discuss their approach to the LCM. There is a lot more for the Committee to look at, but those were useful presentations. Thank you.
