The UK government has outlined further details about the forthcoming Cyber Security and Resilience Bill. The Bill, which was announced in last year’s King’s Speech (see King’s Speech introduces government plans for digital, data and cyber) aims to strengthen the UK's cyber defences and build resilience across essential services and infrastructure.
The policy statement details plans to update the Network and Information Systems (NIS) Regulations 2018, the UK's only cross-sector cyber security legislation, bringing more entities within scope of the regulatory framework. The Bill will also put regulators on a stronger footing with the aim of ensuring essential cyber safety measures are being implemented.
The NCSC managed 430 cyber incidents between September 2023 and August 2024, of which 89 were considered nationally significant (see NCSC reports rise in number and severity of UK cyber attacks). These included the attacks on Synnovis (see London hospitals hit by ransomware attack) and the British Library (see Ransomware attack to cause major financial hit to British Library). The organisation described the situation as “diffuse and dangerous”.
As stressed by recent reports from Europol, NCA and CETaS, the country is facing a spectrum of threats including hostile states and organised crime groups that are increasingly turning to technology to help automate and augment their activities.
Despite this growing threat, the NAO’s recent report (see NAO: Government must act now to build cyber resilience) highlighted a lack of understanding regarding the vulnerability of government legacy IT systems and significant gaps in cyber resilience, which would be difficult to rectify until there are improvements in governance and accountability.
The proposed Bill will have a significant impact on Managed Service Providers (MSPs), with the expansion expected to bring 900-1,100 MSPs under the regulation of the Information Commissioner's Office (ICO). The policy statement also outlines plans to strengthen supply chain security by enabling the government to set (subject to secondary legislation) stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP), as well as introducing a power for regulators to identify and designate specific high-impact suppliers as ‘designated critical suppliers’ (DCS), bringing them under obligations comparable to those placed on OES and RDSP.
Regulators will be put on a stronger footing with enhanced powers and clearer objectives. The Bill will introduce updated technical and methodological security requirements, improved incident reporting mechanisms including a two-stage reporting structure, better information gathering powers for the ICO, and improved cost recovery mechanisms to ensure regulators can effectively perform their duties.
Reflecting the rapidly evolving threat and technology landscape, the government also intends to grant new powers to the Secretary of State, enabling the legislative framework to be updated to ensure it is current and effective. Additional measures under consideration include bringing data centres into scope as Critical National Infrastructure and publishing a statement of strategic priorities for regulators.
The proposed Bill will have significant implications for technology suppliers, particularly those supporting critical national infrastructure, increasing reporting requirements and the penalties for failing to act. With the country facing a rapidly expanding and evolving cyber threat, the need for change is clear and should be welcomed. The proposed changes should help to improve the security and resilience of key services; however, the cyber skills shortage, leadership capacity, and budgetary challenges remain serious barriers to delivering the requisite improvements.