
Following the King's Speech on 17 July 2024, much of the press focus will be on the new Labour government's headline political priorities such as planning, devolution, energy and reforms to the electoral process.

However, a crucial protector and enabler of growth, cybersecurity, is also due to receive legislative attention in the forthcoming parliamentary session. A new Cyber Security and Resilience Bill is set to be introduced, aiming to strengthen the UK's defences against cyber attacks at a time of increasing global threat. This comes alongside the Digital Information and Smart Data Bill which is due to take forward elements of the UK's previous efforts to reform data protection (read our separate article on this here).

A series of recent high-profile attacks, most recently the ransomware attack on Synnovis, which disrupted critical hospital services across London, has demonstrated the cost and impact of such attacks on the economy and the well-being of the population. The government states that the Cyber Security and Resilience Bill will "fill an immediate gap in our defences".

The accompanying briefing paper notes that the EU is in the process of implementing reforms to the Network and Information Systems Directive 2018 (which was implemented in the UK during its EU membership) to create a more robust framework, known as NIS2, which will be in effect in the EU from 17 October 2024 (see our previous commentary here).

The previous UK government had indicated that NIS2 would not be replicated in the UK and, following a consultation in 2022, had proposed more limited changes to the existing UK NIS regulations, such as extending their scope to include managed service providers. These changes were not implemented, however. The briefing paper notes that the UK's regime needs an "urgent update" to ensure that it is not "comparably more vulnerable" than that of the EU. This suggests that the UK's bill may take some inspiration from NIS2 and other EU legislation.

In this regard, the proposed legislation seeks to achieve a number of key objectives:

  • Expanding the scope of regulation: The existing UK NIS regulations focus on essential services and digital service providers. The bill aims to broaden this net, encompassing more organizations and sectors.
  • Empowering Regulators: The bill intends to grant regulators greater powers to ensure cybersecurity measures are being implemented. Cost recovery mechanisms to provide resources to regulators and providing powers to proactively investigate potential vulnerabilities are also explicitly mentioned.
  • Increased Incident Reporting: The government intends to increase cyber incident reporting requirements, particularly for ransomware attacks. The stated objective is to improve the understanding of cyber threats at a national level, providing valuable data and insights to enable the identification of attack patterns and the formulation of effective responses.

As yet there is no indication of whether the thorny issue of ransomware payments will be dealt with, following recently rumoured indications that such payments would be banned (see here).

The Cyber Security and Resilience Bill signifies the government's commitment to fortifying the UK's cybersecurity defences. By expanding regulations, empowering oversight bodies, and gathering better intelligence on cyber threats, the bill aims to create a more resilient digital landscape. This will benefit businesses, critical infrastructure operators, and ultimately, the public who rely on these services.

The comments made in the briefing paper regarding the EU legislative situation, and the government's stated intention to "recalibrate" relations more generally, may also indicate a less divergent approach with closer alignment with EU cyber resilience standards, which could also help international businesses to manage their compliance efforts across jurisdictions.
