The Government confirmed last week that the new Cyber Security and Resilience Bill (the "Bill") will be introduced to Parliament in 2025. This new Bill was first proposed in the June 2024 King's Speech and you can read our initial post on the announcement here.
The Bill is intended to address the increased cyber threat to UK businesses and public sector bodies by expanding the scope of the existing Network and Information Systems Regulations 2018 (the "NIS Regulations"). The NIS Regulations implemented the EU's Network and Information Security Directive into UK law. However, the EU has since introduced the NIS2 Directive (which comes into force across the EU from 18 October 2024) and which significantly extends the scope of the original NIS regulations.
The previous UK Government had intended to amend the NIS Regulations and carried out a consultation which concluded in 2022, however the amendments were not implemented. The new proposed Bill is expected to expand the scope and remit of the NIS Regulations and to strengthen the UK's cyber defences in light of an increased number of high-profile cyber-attacks. Notable examples of recent cyber-attacks include the ransom attacks on Royal Mail, Transport for London and the British Library. Whilst the Bill will not completely follow the NIS2 Directive it is expected that the scope will be similarly expanded and for there to be a similar focus on supply chains.
The three central updates expected to be set out in the Cyber Security and Resilience Bill are:
- Empowering regulators and expanding regulations. Expanding the scope and powers of the regulators, including expanding the powers to include potential cost recovery mechanisms which would provide financial resources to regulators.
- Supply Chain Cyber Management. As an identified area of increasing vulnerability, a focus on monitoring and managing cybersecurity of supply chains is expected.
- Incident Reporting. Mandatory increased incident reporting for the purpose of collating better data on cyber incidents to improve understanding of the threat and impact of cyber incidents.
We expect the draft Bill to be published in 2025 and at this point will we have more details on the proposed measures, scope and a more detailed timeline for when it may pass into law.
If you would like any further information or have queries on the content of this article, please contact David Varney or another member of our Technology team.