Cyber Security and Resilience Bill - Policy Statement Published

The Department for Science, Innovation and Technology (DSIT) published the Policy Statement of Intent for the Cyber Security and Resilience Bill.

The Statement introduces three overarching measures, each covering the summary of intent, implementation details and impact.

1. Bring more entities into scope of the regulatory framework.

Include Managed Service Providers (MSPs)

The Bill will extend regulations to MSPs, defined as service providers offering ongoing IT management, monitoring, and infrastructure support that involve network access to clients’ systems. This aims to enhance IT security, covering an additional 900-1,100 MSPs. DSIT expect this will come with associated costs due to security improvements and compliance.

Strengthening supply chain security & designate ‘Critical Suppliers’

The government will set stricter supply chain security duties for essential service operators and relevant digital service providers through secondary legislation, subject to consultation. Regulators can designate high-impact suppliers as ‘Critical Suppliers’, imposing security and reporting obligations. Certain SME relevant digital service providers (RDSPs) may fall under this category if they meet the designation criteria.

2. Empowering regulators and enhancing oversight

Technical & methodological security requirements

The Bill will formalise the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) Basic and Enhanced Profiles, to ensure best practice. It will also grant the Secretary of State the powers to:

• Update regulation following consultation
• Issue a Code of Practice for compliance
• Tailor requirements to different sectors

Improving Incident Reporting

The Bill will revise incident reporting requirements to include significant threats to service integrity, such as data breaches and spyware attacks. A two-stage reporting structure will be introduced:

• Initial Notification: Within 24 hours of discovery, entities must notify their regulator and NCSC.
• Incident Report: A full report must be submitted within 72 hours.

Digital service providers and Data Centres will be expected to alert affected customers.

Improve the ICO’s information gathering powers

The Bill will empower the Information Commissioner’s Office (ICO) to:

• Collect additional data to assess cyber risks in digital services
• Require digital services firms to share registration information
• Expand the criteria for information sharing with the ICO
• Enforce registration compliance.

Improve regulators’ cost recovery mechanisms

The Bill will allow regulators to introduce new fee structures, enabling cost recovery through:

• Information requests from regulated entities proportionate to the sector.
• A duty on regulators to publish a Statement of Charing Principles – this sets out the methodology for raising funds.
• Consultations with firms that provide digital services before setting fees and a duty to publish an end-of-cycle statement.
• A legal obligation for entities to pay fees.

3. An adaptive regulatory landscape

Delegated powers for regulatory flexibility

The Secretary of State will have powers to update the regulatory framework without new Acts of Parliament, subject to safeguards. This allows adjustments, such as adding new sectors under regulation or refining existing rules, following consultations.

Additional measures under consideration

1. Bringing data centres into scope of the regulation

The government will bring data centres into scope of the regulation, as they will be considered an essential service after they were designated as CNI in September 2024. The Bill states UK data centres would be in scope at or above 1MW capacity unless it is an enterprise data centre which will only be in scope if they are at or above 10MW capacity.

They will be expected to notify and provide certain information, have in place appropriate and proportionate measures to manage risk and report significant incidents.

If you have questions about this measure, please get in touch with Luisa Cardani (Luisa.Cardani.techuk.org).

2. Publish a statement of strategic priorities for regulators

DSIT are considering a new measure to provide a framework for cyber security regulation across the 12 regulators and their sectors. The Secretary of State would publish a Statement of Strategic priorities in consultation with sectors and regulators. The Statement would be laid before Parliament and would be updated every 3 to 5 years.

3. Powers of direction

A new power would allow the Secretary of State to direct regulated entities to address cyber threats where there is a perceived risk to national security. The direction would be laid before Parliament, unless doing so would create a national security risk. When considering this measure DSIT will review the precedents set by the Telecommunications (Security) Act 2021.

What’s Next?

This Policy Statement provides insight into the government’s approach, but final measures will be confirmed when the Bill is presented to Parliament. There are still a number of clarifications expected, particularly around the definitions on terms like ‘critical dependencies’ and measures around incident reporting. The timeline for publication is still to be confirmed.