King’s Speech: What’s in the UK’s proposed Cyber Security and Resilience Bill?

The Bill is intended to bolster and improve the data protection framework in the UK.

The new UK government used the recent King’s Speech to announce a proposal for a new Cyber Security and Resilience Bill (the Bill).

The Bill is intended to enhance the security of the digital economy of the UK, addressing vulnerabilities and plugging gaps in the UK’s digital resistance framework, particularly in relation to the provision of essential digital services. 

Background

The announcement of this Bill comes in the context of an increasingly hostile digital landscape, within which cyber-attacks and disruptions from threat actors are becoming increasingly common. Such attacks have been particularly problematic within the context of the UK’s national infrastructure, such as the NHS. A recent example is that of the ransomware attack suffered by the NHS, which disrupted thousands of appointments and operations at major London hospitals. 

Regulations currently covering the UK’s national cybersecurity regime include the NIS Regulations 2018, which impose duties on Operators of Essential Services (OES), for example in the healthcare, energy or utilities sectors, regarding their cybersecurity measures. Under the current regulations, OES are required to take proportionate technical and organizational measures to manage risks to the security of the network and information systems that their essential services rely on. They must also take measures to prevent and minimise the impact of incidents affecting the security of those systems, in order to ensure service continuity.

The previous UK Government had intended to reform the NIS Regulations prior to the July 2024 general election, but the new Government has announced this Bill to target more digital services and supply chains in an effort to fortify the national cyber resilience of the UK. 

Key cybersecurity measures

The primary aim behind the Bill is to address the increased cyber threat to UK businesses and public sector bodies. The proposed updates to the current regulatory framework are anticipated to include the following:

  • Critical national infrastructure protections. The Bill will expand the scope of the current NIS Regulations, safeguarding a wider range of digital services and supply chains than currently protected. It is expected that this will include stricter security requirements and vulnerability assessments from organizations, in an effort to encourage OES to strengthen their cyber protections. 
  • Empowering regulators and expanding regulations. It has been implied that this Bill will empower regulators further, placing greater requirements on organizations (particularly those related to Critical National Infrastructure (CNI)) to report data breaches and cyber security incidents. Regulators are also expected to be provided with additional powers to proactively investigate potential vulnerabilities.
  • Supply chain cyber management. The Bill will recognise the vulnerabilities that supply chains pose, in light of the fact that modern supply chains are increasingly complex and involve a wide range of parties. Accordingly, organizations will now be expected to monitor their supply chains, ensuring that their suppliers and partners maintain adequate cybersecurity standards.
  • Incident reporting. The Bill is likely to mandate increased incident reporting in order to improve government understanding of cyberattacks; the improved data will give a better basis for understanding where cyber threats are coming from, and better foresight of potential future attacks.

Implications 

This Bill comes in conjunction with a new Digital Information and Smart Data Bill, which is intended to bolster and improve the data protection framework within the UK. It is clear that the new Government intends to further develop the UK’s data and technology economies, whilst also putting firm measures in place to ensure that cyber protections within the UK are resilient.

Given the emphasis on increased cybersecurity standards, businesses will likely need to prepare for this new legislation by reviewing their cybersecurity protections, particularly in relation to supply chains and third-party interactions.

Businesses most likely to be affected will be those operating in the technology sector, and above all those involved in the operation of critical national infrastructure. It will be crucial for such businesses to enhance their cyber defences both to stay ahead of potential attacks and to ensure that they will be compliant with the Bill when and if it passes into law. 

David Varney is a partner in the technology team and advises on a range of data protection, technology, intellectual property and commercial matters for clients in a number of sectors, including technology, financial services, media, retail and energy, at Burges Salmon.