Official Report: Minutes of Evidence
Committee for Finance, meeting on Wednesday, 17 June 2026
Members present for all or part of the proceedings:
Mr Matthew O'Toole (Chairperson)
Ms Diane Forsythe (Deputy Chairperson)
Mr Gerry Carroll
Miss Jemma Dolan
Miss Deirdre Hargey
Mr Harry Harvey
Mr Brian Kingston
Witnesses:
Mr Paul Grocott, Department of Finance
Ms Lorraine McCaffrey, Department of Finance
Cyber Security and Resilience (Network and Information Systems) Bill: Department of Finance
The Chairperson (Mr O'Toole): We have in front of us, from the Department of Finance, Lorraine McCaffrey, deputy director of digital and cyber engagement — hi, Lorraine; and Paul Grocott, deputy secretary of digital shared services. Paul, make an opening statement, please. Members, indicate if you wish to ask questions.
Mr Paul Grocott (Department of Finance): Thanks, Chair, and thank you, members, for the opportunity to brief you on the Bill. I talked briefly to the Clerk. Thanks very much to the Clerk and team for arranging the session; I am grateful to you for accommodating us on the agenda. In my relatively short time in this role, it has been clear to me that cybersecurity and resilience are much wider than the contents of the Bill. I would very much welcome an opportunity to come back to the Committee to talk about the wider brief. We can arrange that through the Clerk and departmental Assembly liaison officer.
The Bill updates the existing Network and Information Systems Regulations 2018. The purpose of the Bill is to strengthen the cybersecurity and resilience framework for essential services in digital infrastructure. The Bill does that in three practical ways. First, it widens the scope. For example, it brings in such categories as medium and large data centres; large load controllers; medium and large managed service providers; and designated critical suppliers. However, at this stage, our assessment is that that widening of the scope will not impact on our responsibilities as a competent authority. Secondly, it strengthens the regulatory toolkit. For example, it updates arrangements around incident reporting, information sharing and enforcement. Thirdly, it makes the framework more adaptable. For example, it enables further changes to be made through secondary legislation. It is also about responding to imminent or emerging cyber events.
Although the subject matter of the Bill is technical, it should not be understood as an IT issue; it is more about governance, resilience and accountability. In essence, it is about making sure that the right duties, oversight arrangements and powers are in place.
Mr Grocott: Exactly. From the Department's perspective, it marks an evolution of our role. It strengthens the existing 2018 Network Regulations. Rather than creating a new framework, it builds on those. It does not fundamentally change what we do as a competent authority. The Department is the competent authority for operators of essential services in four sectors: energy; transport; drinking water supply and distribution; and health. We support the overall policy intent of the Bill because cyber risk does not respect the geographical boundaries of those sectors, so it is important, where possible, to facilitate collaboration across sectors.
The Department for Science, Innovation and Technology (DSIT) and the Department of Finance agree that legislative consent is required for 22 clauses. Broadly, those clauses cover the strengthening of regulatory arrangements; guidance; information gathering; enforcement; appeals; penalties; and information sharing. We consider that consent is required for a further six clauses: 15, 18, 25, 26, 38 and 52. Our assessment is that, because those clauses relate to incident reporting, information sharing, strategic priorities, consultation on those priorities, codes of practice and enforcement, they affect the statutory framework within which DOF exercises its functions as the competent authority, so we have included them. While DSIT and DOF differ on the devolution analysis, that does not affect the substantive analysis that I gave: we recommend that the relevant powers be extended.
The Chairperson (Mr O'Toole): For the record, what is the difference? Do you have a different analysis of which bits are devolved and which are not?
Mr Grocott: Yes. DSIT put forward 22 clauses. In our assessment, an additional six clauses should have been included. Our recommendation is that we agree consent for those 22 clauses. It is just that —.
Mr Grocott: They are incident reporting; information sharing; the ability of the Secretary of State to set strategic priorities; the Secretary of State's ability to conduct a consultation on those priorities; codes of practice that DSIT may issue; and enforcement. We consider that they are relevant and recommend that consent should be applied to them. In many ways, devolution analysis is a subjective exercise. It does not materially affect our assessment of the Bill; it is just that DSIT did not agree with our assessment.
Mr Grocott: As regards timescales, on 28 May, the Executive agreed to table a legislative consent motion; a memorandum was laid before the Assembly on 9 June. I understand that the debate is likely to be scheduled for the next session, but that allows time for the Assembly to notify Parliament of its position before the Bill goes through its final stage in the Lords.
As a brief opening statement, that is all that I had planned to say. Lorraine and I are happy to answer Members' questions.
The Chairperson (Mr O'Toole): Thank you very much. If I were to summarise the Bill, I would say that it is about improving resilience to cyberattacks and that it does so by improving provisions for information sharing and a series of technical things that clarify responsibilities and vires. Is that right?
Mr Grocott: Yes, certainly. From a DSIT perspective, it recognises that the scope of operators of essential services is now wider. For example, data centres are now within scope because bad actors will target them and because of the nature of the impacts of a cyberattack on such a centre. Bringing those things within scope requires regulators to have the necessary tools to respond to that threat.
The Chairperson (Mr O'Toole): Does there need to be an all-island or cross-border context, given the single electricity market, for example? There are many data centres on this island. Is there any intersection there, or has any thought been given to that?
Mr Grocott: The South will be implementing the network and information systems 2 (NIS2) directive, which is in the EU acquis. Since the UK has stepped outside the EU acquis, there are differences, but the Bill and the NIS2 directive allow for cross-border coherence. They allow regulators on the island of Ireland to cooperate much more seamlessly. DSIT's devolution analysis considered the single electricity market and confirmed that it does not affect article 9 and annex 4 — I think, from memory — of the Windsor framework.
Mr Grocott: Yes, absolutely.
Ms Forsythe: Thanks very much. Welcome to your role. It is good to see you here.
Mr Grocott: Thank you very much.
Ms Forsythe: DSIT was seeking consent for 22 clauses, and you have asked that further consideration be given to six clauses, even though DSIT has said that consent for them is not required. Why is there dispute over those?
Mr Grocott: As I mentioned to the Chair, that is just about the subjective analyses of what requires legislative consent. Our position is that those clauses affect the role of the competent authority and, therefore, that it is appropriate for us to seek consent. That is why they are included in the LCM that is being put to the Assembly. DSIT does not agree. It thinks that those clause remain within reserved competence, and so they were not amongst the 22 that it put forward originally.
Mr Grocott: Possibly, yes. In our assessment, those clauses affect what we do. We are ensuring that the Assembly and the Minister, because it is within his remit, understand that.
Ms Forsythe: So, it is not really a dispute; it is just that you have decided to do a bit of extra good practice.
Mr Grocott: Yes. It is not material to our recommendation on the Bill.
Ms Forsythe: OK. That is grand. Will this mean that we maintain parity with the rest of the United Kingdom and the Republic of Ireland?
Mr Grocott: It is not exact parity, because we are outside the EU acquis, but the direction of travel is convergence on an international stage. The counterfactual is that we do not want the North — and DOF, as the competent authority — to be in a separate regime from Britain or the South and the rest of the EU.
Ms Forsythe: That is good. I wanted clarity on the reference in the briefing paper to "parity with Europe and Britain". I represent a border constituency, and, sometimes, when it comes to these types of things, we fall into an unusual area. It is good that there will be parity across the board. Thanks very much.
Mr Kingston: Thank you for your attendance. DOF has been the NICS competent authority since 2018. Is that correct? This Bill, which is going through Westminster, will expand DOF's remit and powers or the amount of reporting to it.
Mr Grocott: Yes. As I mentioned, there are three areas. One relates to the sectors that could be included within the remit if regulations are changed, but we do not think that that will affect us, because the thresholds are very much targeted at operations the size of those in GB. We will be affected by the toolkit that the regulators use around incident reporting and as regards the information that we can gather from our operators of essential services. Our ability to share that information among regulators will change how we carry out our role as a competent authority.
Mr Kingston: Clause 17 relates to charges. Do you foresee the extra responsibilities resulting in significant costs being incurred? If the Department wanted to levy a charge, who would pay it? Would it be the data centres and that sort of thing, or would it be any authority or arm's-length body that they report to?
Mr Grocott: That clause puts in place the power for competent authorities to recover costs. DSIT will introduce secondary legislation that will add a bit more detail on that. At that stage, we will have to consider our position as a competent authority for Northern Ireland and whether we would want to draw down. A significant amount of regulatory impact assessment will have to be completed in order for us to decide whether we would want to use those powers. That will be after DSIT has introduced the secondary legislation.
Mr Kingston: Do you see the extra remit incurring a significant extra cost? I presume that there are people who are already dedicated to this task.
Mr Grocott: Yes, there is a group within Lorraine's team. As of now, we think that we can manage that, but we will have to keep it under review, understand what the secondary legislation will require us to do and make an assessment on that basis.
Miss Hargey: The Bill gives the Secretary of State powers in respect of a statement of strategic priorities to set the expected outcomes for the regulators, and in respect of further provisions. Does any of that contradict the six clauses that you believe relate to devolved matters? Are there processes in place for engagement on those points when this is being updated?
Mr Grocott: Yes. That particular power is in one of the six clauses that we think require legislative consent, but, given the nature of the cross-cutting emerging threats, we still think that is appropriate that the Secretary of State may want to provide strategic priorities on those issues. Both setting the priorities and reporting on them will require consultation with us.
Miss Hargey: So, the Bill says that the Secretary of State has to consult.
Mr Grocott: Yes, that is in the Bill. There is a requirement on the Secretary of State to consult.
Miss Hargey: Do you foresee any other amendments being tabled — possibly in the Lords, before consideration of the Bill is complete — that will impact on devolved matters?
Mr Grocott: There have not been any amendments to the Bill as it has gone through the Commons. I would not like to predict what will happen in the Lords. We do not know, but —
Mr Grocott: — we will have to react to that as and when the Lords considers the Bill.
Miss Hargey: Obviously, we are on an island. There are data centres on both parts of the island, and information might flow between the two. In what the Irish Government are doing under the EU regulations, and in what is being done here, are you assured that there will not be any falling between the stools or any loopholes?
Mr Grocott: Yes, absolutely. My experience in this role is that cooperation between regulators is impressive and extensive. Whitehall-based organisations and Dublin-based organisations are very open and willing to bring us into conversations. It is described as a "team sport", and I can attest to the fact that they live by those values. Lorraine, do you want to add something on the engagement that you are leading?
Ms Lorraine McCaffrey (Department of Finance): There will be significant engagement with the operators of essential services over the summer months. All the regulators are engaging with DSIT on several aspects of the Bill. We are very much aware of the importance of ensuring that that takes place. We started the early engagement during CyberNI Week, and that will continue throughout the rest of this year.
The Chairperson (Mr O'Toole): Members, no one else has indicated that they wish to ask a question. I do not think that we need anything else at this point. There will be a draft report and the legislative consent motion will come forward, and we will consider that at next week's meeting. Thank you very much, Paul and Lorraine.
Mr Grocott: Thank you, Chair and members.