UK’s new Cyber Security and Resilience Bill targets weak links in critical services

The UK government has introduced the Cyber Security and Resilience Bill, a major piece of legislation designed to boost the country’s protection against cyber threats.

The new law aims to strengthen the digital defenses of essential public services and update the ageing Network and Information Systems (NIS) Regulations 2018, the UK’s only cross-sector cyber security law.

UK Cyber Security and Resilience Bill

New types of organizations in scope

“Recent cyber-attacks on managed service providers clearly make the case for updated laws. In 2024, hackers accessed the Ministry of Defence’s payroll system via a managed service provider, while other recent attacks such as the Synnovis incident in the NHS resulted in over 11,000 disrupted medical appointments and procedures and some estimates suggesting costs of £32.7 million. This brings into sharp focus the impact cyber incidents can have on the public and our essential public services,” the UK Department for Science, Innovation and Technology noted today.

“The Bill targets [organizations] that will have the maximum impact on improving cyber resilience, bringing the services that retailers, hospitals, councils and others depend on into scope – raising their baseline protects thousands of businesses in the long-term.”

Aside from covering public services like healthcare, drinking water, transport and energy providers, and digital services providers (cloud computing, online marketplaces, etc.), the new bill will also cover:

  • Managed service providers (MSPs), certain operators of data centre services, and organizations providing services relating to load control (for example, organizations that manage the flow of electricity to smart appliances such as heating appliances in homes)
  • Suppliers that regulators classify as “critical” to operators of essential services

Companies providing IT management, IT help desk support and cyber security services to both public and private sector organizations will be regulated for the first time.

“Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences,” the department pointed out.

Data centers, which were designated critical national infrastructure last year, will also be subject to regulatory oversight and will have to meet “robust” cyber security standards.

Reporting requirements, fines, and powers

“Organisations in scope will need to report more harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours, to ensure support can be on hand more quickly to help build a stronger national picture of cyber threats,” the department added.

“If a data centre, or digital and managed service providers face a significant or potentially significant attack, they will have to notify customers which are likely to be impacted promptly so organisations can act fast to protect their business, people and services.”

Finally, the Bill will update how cyber security rules are enforced and introduce stronger fines for serious breaches. It will also give the Technology Secretary new powers to step in when there is a serious cyber threat to the UK’s national security, and to order regulators and the organizations they oversee to take specific actions to prevent or contain an attack.

“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge,” the Science, Innovation, and Technology Secretary Liz Kendall concluded.

What happens next?

The Bill has now been introduced in the UK Parliament, but it must pass through seven stages in both Houses before becoming law. The process allows for changes and refinements through amendments, so the final form of the legislation may still evolve as it moves through Parliament.
