The new UK government used the recent King’s Speech to announce a proposal for a new Cyber Security and Resilience Bill (the “Bill”).

The Bill will be intended to enhance the security of the digital economy of the UK, addressing vulnerabilities and plugging gaps in the UK’s digital resistance framework, particularly in relation to the provision of essential digital services. 

Background

The announcement of this Bill comes in the context of an increasingly hostile digital landscape, within which cyber-attacks and disruptions from threat actors are becoming increasingly common. Such attacks have been particularly problematic within the context of the UK’s national infrastructure, such as the NHS. A recent example is that of the ransomware attack suffered by the NHS, which disrupted thousands of appointments and operations at major London hospitals. 

Regulations currently covering the UK’s national cybersecurity regime include the NIS Regulations 2018, which impose duties on Operators of Essential Services (“OES”) (such as the healthcare, energy or utilities sectors) regarding their cybersecurity measures. Under the current regulations, OES are required to take proportionate technical and organisational measures to manage risks to the security of the network and information systems that their essential services rely on, and measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used to provide their essential services in order to ensure service continuity.

The previous UK Government had intended to reform the NIS Regulations prior to the July 2024 general election, but the Government has announced this Bill to target more digital services and supply chains in an effort to fortify the national cyber-resilience of the UK. 

Key Cybersecurity Measures

The primary aim behind the Bill is to address the increased cyber threat to UK businesses and public sector bodies. The proposed updates to the current regulatory framework are anticipated to include the following:

  • Critical national infrastructure protections. The Bill will expand the scope of the current NIS Regulations, safeguarding a wider range of digital services and supply chains than currently protected. It is expected that this will include stricter security requirements and vulnerability assessments from organisations, in an effort to encourage OES to strengthen their cyber protections. 
  • Empowering Regulators and Expanding Regulations. It has been implied that this Bill will empower regulators further, placing greater requirements on organisations (particularly CNI-related organisations) to report data breaches and cyber security incidents. Regulators are also expected to be provided with additional powers to proactively investigate potential vulnerabilities. 
  • Supply Chain Cyber Management. The Bill will recognise the vulnerabilities that supply chains pose, in light of the fact that modern supply chains are increasingly complex and involve a wide range of parties. Accordingly, organisations will newly be expected to monitor their supply chains, ensuring that their suppliers and partners maintain an adequate level of cybersecurity standards.
  • Incident Reporting. The Bill is likely to mandate increased incident reporting in order to improve government understanding on cyber-attacks; the improved data provided will provide a better basis for understanding where cyber-threats are coming from, and provide better foresight on potential future attacks. 

Implications 

This Bill comes in conjunction with a new Digital Information and Smart Data Bill, which is intended to bolster and improve the data protection framework within the UK. It is clear that the new Government intends to further develop the UK’s data and technology economies, whilst also creating firm protections to ensure that the cyber protections within the UK are resilient. 

Given the emphasis on increased cybersecurity standards, businesses will likely need to prepare for this new legislation by reviewing their cybersecurity protections, particularly in relation to supply chains and third party interaction. Businesses most likely to be affected will be those operating in the technology sector, and above all those involved in the operation of critical national infrastructure; it will be crucial for such businesses to enhance their cyber defences both to stay ahead of potential attacks and to ensure that they will be compliant with the Bill when and if it passes into law. 

This article was written by Victoria McCarron

If you would like any further information or have queries on the content of this article, please contact David Varney or another member of our Technology team.