
Chamber and committees

Official Report: search what was said in Parliament

The Official Report is a written record of public meetings of the Parliament and committees.  


Dates of parliamentary sessions
  1. Session 1: 12 May 1999 to 31 March 2003
  2. Session 2: 7 May 2003 to 2 April 2007
  3. Session 3: 9 May 2007 to 22 March 2011
  4. Session 4: 11 May 2011 to 23 March 2016
  5. Session 5: 12 May 2016 to 4 May 2021
  6. Current session: 13 May 2021 to 17 March 2026


Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

We came to agreement on that.

I will hand over to Mr Chapman.

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

It depends on the incident. There is directorate support, but the point about leadership depends on whether the incident involves, for example, a local authority, a school or a health board. There may be particular portfolios and ministers that are more impacted at particular times and that are pushed for a response—

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

I have not been to Lithuania, just for the record, but I do not know whether Mr Chapman or any of his colleagues have been there.

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

The point about the criminal world and the changing nature of crime and offending is that things are moving at pace. As was indicated earlier, the threat is increasing and is becoming more sophisticated.

The timescale for the bill is not within my gift. It is fair to say that there are probably other examples of both the Scottish Government and the UK Government having legislated at pace. I have been involved with some of that legislation. I am thinking about the Post Office legislation—the quashing of convictions would be an example of things having operated at pace.

On the point about global connections and the global aspect of crime, geopolitics plays into that, of course. One positive about the bill from the UK Government is that it aligns more with the European Union’s network and information security directive 2—the NIS2 directive—and the EU’s Cyber Resilience Act has implications for the UK. It is not that we are subject to that legislation, but many businesses operate internationally, so they are already complying with it.

Just to be clear, the Network and Information Systems Regulations 2018 and the bill clearly cover a reserved area, but there are devolved aspects around the regulation of sectors such as health, drinking water, roads, cross-border rail services and onshore oil and gas.

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

That would be my view, Mr Kerr, and it is imperative that people comply with the requirements, given the nature of the threat.

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

Good morning. I think that this is the first time that I have been to the Economy and Fair Work Committee as justice secretary. However, in a previous session, in the dim and distant past, I served for a wee while on this committee—I think with Willie Coffey at some point.

I am pleased to be here to discuss the legislative consent memorandum, which will enable several clauses of the Cyber Security and Resilience (Network and Information Systems) Bill to take effect in Scotland. Cyberthreats are growing in scale and sophistication, and they pose a real threat and risk to essential services that people, communities and businesses rely on every day. As systems become more digitally interconnected, the impact of any single incident can spread very quickly. We must therefore make sure that our laws and regulations keep pace with the change in risk and the evolving challenge.

The bill strengthens and updates the existing network and information systems regulations and expands the scope to include digital and operational services, such as managed service providers, large data centres, large load controllers and designated critical suppliers, all of which play a major role in the delivery of essential national activities. The bill also strengthens the powers of competent authorities in key areas, including information gathering, incident reporting, cost recovery and enforcement.

In addition, the bill provides the United Kingdom Government with the tools to ensure a consistent strategic direction for the UK. That includes powers for the secretary of state to publish strategic priorities, issue a code of practice for regulators and direct operators of essential services and competent authorities where there are national security concerns. For those measures to be effective, they must be applied consistently across all four nations. Many operators, regulators and suppliers work across national borders, and fragmented arrangements could create avoidable burdens that would weaken our collective resilience. A co-ordinated approach is strongly supported by stakeholders, and it also aligns with the ambitions that we set out in the updated strategic framework for a cyber resilient Scotland, which I launched in November last year.

The Scottish Government therefore proposes legislative consent for clauses related to critical suppliers, incident reporting, cost recovery, information gathering, information sharing, content of guidance, financial penalties, enforcement, appeals, code of practice, progress reporting and inspections. Those changes will give competent authorities, including Scottish ministers and the Drinking Water Quality Regulator for Scotland, enhanced powers to ensure cybersecurity and resilience across devolved sectors. Expanding the scope to include managed service providers and critical suppliers reflects the reality of complex supply chains and the potential impact of cyber incidents across sectors. It also directly supports the ambitions in our strategic framework.

However, parts of the bill are still subject to on-going discussions with the UK Government. Those include provisions where current drafting lacks explicit requirements to consult or seek consent before altering Scottish ministers’ executive competence or before amending acts of the Scottish Parliament through secondary UK legislation. Those matters are likely to form the basis of a supplementary legislative consent motion in the coming months, as the bill progresses.

Cybersecurity and resilience are shared responsibilities. The bill offers important and timely improvements to the UK’s cyber regulatory framework, and we support measures that strengthen our ability to protect critical services in Scotland.

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

It is difficult to answer that question without going through the bill clause by clause. As I said, we are still in negotiations, and I want to be respectful of that. I do not want to be obtuse with the committee, but I also do not want to show my hand.

I suppose that any final Scottish Government position or recommendation to the Scottish Parliament will depend on our view of the bill clause by clause. Where we have a more fundamental concern is around the ability of UK secondary legislation to alter Scottish primary legislation. That is a fundamental concern—it is my central concern in all this.

In my experience of dealing with other pieces of legislation, as well as focusing on principles, it is very often about how the legislation would work in practice. However, as I said, there is a fundamental issue here, bearing in mind that we do not know what a future UK Government or a future Scottish Government will look like. It is all very well to say that, in this instance, relationships are positive and constructive, but the notion of UK secondary legislation—very quickly, with a lower level of scrutiny—

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

—changing our primary legislation is fundamentally concerning. I would hope that we are in consensus about that, at least in this Parliament.

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

Broadly speaking, yes. As the bill updates existing regulations, it is not expected that there will be any immense or unwieldy costs. We are continuing to monitor and look at that, though, because things can change as a result of some quite small detail in an amendment, and we have to be alert to that.

We are conscious of the impact on small to medium-sized enterprises, and we will work with the UK Government in and around that area. Mr Chapman will keep me right if I do not get this right, but competent authorities will be able to designate those providing services that are essential and absolutely crucial to the country. Although such authorities would see that as a last resort, given the additional burden on SMEs, we have to be alert to that. I ask Paul Chapman to say a bit more about the practicalities.

Economy and Fair Work Committee [Draft]

Cyber Security and Resilience (Network and Information Systems) Bill (UK Parliament Legislation)

Meeting date: 4 March 2026

Angela Constance

I will start broadly from a fairly narrow justice perspective, and then Paul Chapman can add more detail if he wishes.

With our removal, against our will, from the European Union, well-oiled information-sharing arrangements such as the European arrest warrant and various systems of sharing intelligence, which had evolved over the decades and were operating smoothly and well, were disrupted. It took some time, post-Brexit, to find workarounds and alternative arrangements. There are now alternative work arrangements. Law enforcement agencies tell me that those are more bureaucratic, but different systems are now in place.

I do not know whether Mr Chapman has any other information on the detail of engagement between the UK and Europe regarding cyber resilience.