Government introduces the Cyber Security and Resilience Bill

Cyber Security and Resilience Bill set to expand regulatory scope, empower regulators and ensure an adaptive regulatory landscape
The Cyber Security and Resilience (Network and Information Systems) Bill will be introduced to Parliament today – Wednesday 12 November.
The Bill, which supports the government’s Plan for Change, will strengthen national security and protect growth by boosting cyber protections for the services that people and businesses rely on every day.
In the face of increasing cyber threats, it will prevent disruption – keeping the taps running, the lights on and the UK’s transport services moving – while making sure those who supply our vital services have tougher cyber protections, by updating the Network & Information Systems Regulations 2018.
There are three key areas of reform: expanding the regulatory scope; empowering regulators and enhancing oversight; and ensuring an adaptive regulatory landscape that can respond to the evolving threat landscape. Under the proposals:
- Medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS will also be regulated for the first time. Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. This includes reporting significant or potentially significant cyber incidents promptly to government and their customers, as well as having robust plans in place to deal with the consequences
- Regulators will be given new powers to designate critical suppliers to the UK’s essential services, such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. This would mean they’d have to meet minimum security requirements – shutting down gaps in supply chains that criminals could exploit and which could cause wider disruption
- Enforcement will be modernised, including tougher turnover-based penalties for serious breaches so cutting corners is no longer cheaper than doing the right thing. That’s because companies providing taxpayer services should make sure they have tough protections in place to keep their systems up and running
- The Technology Secretary gets new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security. This includes requiring that they beef up their monitoring or isolate high-risk systems to protect and secure essential services
Organisations in scope will need to report more harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours, to ensure support can be on hand more quickly and to help build a stronger national picture of cyber threats. If a data centre, or a digital or managed service provider, faces a significant or potentially significant attack, it will have to promptly notify customers that are likely to be impacted, so those organisations can act fast to protect their business, people and services.
As data centres keep the UK running, from patient records and payments to email services and AI development, the Bill will bring them into scope of the regulations, ensuring they meet robust cyber security standards.
New safeguards will also cover organisations that manage the flow of electricity to smart appliances like electric vehicle charge points and electrical heating appliances in homes. This will reduce the risk of disruption to consumers using smart-energy appliances, and the grid, bolstering the UK’s energy security.
The Bill represents a step change in how the government protects people in an increasingly dangerous world, supporting the National Security Strategy.
It will help to deliver greater economic stability, protect businesses and working people from the impact of cyber-attacks, and support further investment into the UK’s cyber security sector, which contributed £13.2 billion to the economy in the latest financial year.