Patrick Arben
Partner
Proposals for tighter cybersecurity law have been confirmed by the UK Government in a policy statement. The Cyber Security and Resilience Bill (the Bill) is expected later this year, bringing modernised and strengthened UK cyber defences to improve the resilience of UK critical infrastructure, supply chains, public sector services and the wider economy. The aim of the new law is to minimise the impact of cyberattacks on UK citizens and to improve economic growth.
Businesses managing and operating essential and digital services will need to assess and potentially upgrade cybersecurity practices to ensure readiness for upcoming legislative change. As regulators will be empowered to conduct proactive investigations, organisations in scope must prepare for increased oversight and ensure that their cybersecurity practices are robust and well-documented. In particular, in-scope organisations will need to enhance protocols for timely reporting of cyber incidents. Investment in monitoring and response capabilities may be required.
Non-compliance with the new law, once in force, could result in significant fines.
Here we set out the key proposed changes we expect in the Bill:
The Bill will align with the approach taken in the EU's NIS 2 Directive.
It is proposed that the Bill will broaden the existing Network and Information Systems (NIS) Regulations 2018 (the 2018 Regulations) to bring a wider range of digital services, and supply chains, into the scope of cyber law.
The 2018 Regulations safeguard the cyber and physical resilience of much of the UK's Critical National Infrastructure (CNI) by placing security duties on the operators involved in the delivery of essential services. Those include operators of critical national infrastructure (water, transport, energy) and other important services, such as healthcare and digital infrastructure.
Bringing more entities into scope recognises the growing reliance on cloud-based and other digital services in supply chains for essential services.
Due to their unprecedented access to clients' IT systems, networks, infrastructure and data, managed service providers (MSPs) will be brought into scope of the proposed new cyber law. It is expected that this will reach 900 to 1,100 MSPs.
The Bill will define MSPs, but the policy statement already sets out the expected characteristics of an MSP. Organisations covered could include, but are not limited to, those offering services such as:
The Information Commissioner's Office (ICO) will act as the regulator and will regulate MSPs through information gathering, investigation and enforcement powers.
With ransomware and data extortion emerging as significant threats, the risk to supply chains is of critical concern. The Bill will enable the Government to set stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP) in secondary legislation. There will be a consultation on this.
The Bill will also introduce a power for regulators to identify and designate specific high-impact suppliers as 'designated critical suppliers' (DCS), bringing them into scope with OES and RDSPs.
The policy statement anticipates that DCS will account for only a small number and percentage of the suppliers providing goods or services to OES and RDSPs. The likely threshold criteria for designation are shared in the policy statement: the supplier's goods or services need to be so critical that disruption could cause a 'significant disruptive effect' on the essential or digital service they support, and designation will not apply if the supplier is already subject to similar cyber resilience regulation elsewhere, e.g. under Part 2 of the Communications Act 2003.
Designation will extend to certain small and micro RDSPs where they play a key role in supporting essential services.
Duties will be designed to ensure appropriate and proportionate checks are taken, such as contractual requirements, security checks or continuity plans. It is proposed that secondary legislation would clarify duties on OES and RDSPs. Duties and threshold criteria could be refined through secondary legislation, subject to appropriate consultation.
The Bill will provide a power to make regulations updating the principles and objectives in the National Cyber Security Centre (NCSC) Cyber Assessment Framework, which will ensure proportionate and up-to-date security measures are in place. This will make it essential (and easier) for organisations already in scope, and for those coming into scope, to follow best practice. A code of practice is proposed, with powers for the Government to tailor requirements for each sector.
Reporting of significant incidents will provide regulators and the NCSC with a better view of the evolving threat landscape, enabling identification and assessment of vulnerabilities. The Bill will update and enhance the current incident reporting requirements for regulated entities by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting, and enhancing transparency requirements for digital services and data centres.
There will be a two-stage reporting structure requiring regulated entities to notify their regulator and inform the NCSC of a significant incident no later than 24 hours after becoming aware of that incident (the 'early warning' notification). An incident report within 72 hours will then be required. This aligns the process with the EU's NIS 2 Directive.
To enhance transparency, organisations providing digital services, and data centres, that experience a significant incident will be required to alert customers who may be affected by that incident.
The Government's work on ransomware (consultation closed on 8 April) will complement the Bill.
The ICO regulates RDSPs and will regulate MSPs once the Bill is passed. Under the Bill, the Government intends to improve the ICO's capability to identify and mitigate cyber risks before they materialise by enhancing its information gathering powers.
Powers will include:
The Bill will also give the ICO powers to take enforcement action against a failure to register with the ICO.
The Bill would introduce the ability for regulators to set up new fee regimes, allowing for fees to be levied as well as recovering costs via invoices. It will extend this regime to all activities required for the ICO to perform its functions, including enforcement.
As highlighted in 5 and 6 above, through the Bill, the Government will seek powers to update the regulatory framework without requiring primary legislation, subject to certain safeguards. New sectors and sub-sectors could be brought in scope, and changes to the responsibilities and functions of the regulators could be made. This would allow the Government to act quickly against emerging threats, providing an adaptable approach to counter an evolving threat landscape.
It is intended that data centres, designated as CNI in September 2024, will be brought into scope of the new cyber law, irrespective of the nature of service(s) offered from them and their ownership. A UK data centre would be in scope at or above 1MW capacity unless it is an enterprise data centre which will only be in scope if it is at or above 10MW capacity. The scope would be adjustable with specific conditions, to account for developments in the market and risk landscape.
The policy statement indicates that there are currently 224 colocation data centres in the UK, managed by 68 operators. Of these, around 182 third-party sites and 64 operators will fall within scope. The Government expects the number of enterprise data centres in scope of full duties to be relatively low. A full impact assessment would be provided upon legislating.
See our previous article regarding proposed new cyber law in relation to data centres.
The Government is considering introducing a power to publish a Statement of Strategic Priorities, which would provide a clear and coherent framework for cyber security regulation across the 12 regulators and their sectors. It is envisaged to be similar to models from other regulatory regimes such as telecoms and online safety and would be updated once every 3 to 5 years.
The proposal for the Bill outlines several additional measures the Government is considering which would enable it to respond decisively to imminent threats to national security.
If you would like to discuss the upcoming Cyber Security and Resilience Bill and its impact on your business, please contact Patrick Arben or a member of our Cyber team.