The UK government introduced its long-awaited Cyber Security and Resilience Bill to parliament this morning, promising that it will help bolster national security and protect the economy.
The proposed legislation aims to upgrade the UK’s Network and Information Systems (NIS) Regulations 2018, which were based on the EU’s NIS Directive. The latter has since been updated to NIS2, which introduces strict new baseline security requirements for operators of essential services (OES).
The UK equivalent includes the following proposals:
- Managed service providers (MSPs) will be regulated for the first time, bringing an additional 900-1100 firms into the scope of the law
- Regulators will be given powers to designate critical suppliers that must meet minimum security standards
- New duties (to be confirmed in secondary legislation) will require OES to manage supply chain risks
- OES will need to meet “proportionate and up-to-date security requirements” drawn from the NCSC Cyber Assessment Framework (CAF)
- Incident reporting criteria will be expanded, and initial reporting will be required no later than 24 hours after an incident followed by a full report within 72 hours. Digital and data center providers will be required to notify customers
- The powers of the Information Commissioner’s Office (ICO) will be enhanced, enabling it to identify the most critical digital service providers and adopt a proactive approach to assessing cyber risk
- Regulators will be able to recover costs through a new fee regime
- Data center providers and those managing “the flow of electricity to smart appliances” will be brought into scope
- Tougher, turnover-based penalties will be brought in for serious offenses
Matt Houlihan, VP government affairs, Europe, Cisco, said British organizations urgently need new regulation to protect them from sophisticated cyber-attacks and AI threats.
“The success of this bill will rely on clarity and practical timelines to help organizations implement the necessary measures effectively. We’d also urge the government not to miss an important opportunity to tackle the growing risks from unsupported, end-of-life equipment – a persistent weak point in UK infrastructure that too often leaves organizations exposed,” he added.
“By working alongside and collaborating with industry, the government has the opportunity with this bill to meet the complex cybersecurity needs of UK organizations by providing clear, proportionate guidance, grounded in the practical realities of securing the UK’s cyber landscape.”
A Long Time Coming
Although the bill still needs to be debated in parliament, it is already nearly two years since the NIS2 directive came into force, though some EU member states have still not ratified it.
Since then, the UK has suffered multiple serious breaches impacting critical infrastructure and services, including the ransomware attack on NHS supplier Synnovis, and a state-sponsored cyber-espionage effort that compromised information on all Ministry of Defence staff.
According to government figures, the average cost of a “significant cyber-attack” is now over £190,000 – which the government claimed amounts to £14.7bn a year across the entire economy, or 0.5% of national GDP.
“As a nation, we must act at pace to improve our digital defenses and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services,” said NCSC boss Richard Horne.
“Cybersecurity is a shared responsibility and a foundation for prosperity, and so we urge all organizations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires.”
