In the King’s Speech, the government unveiled the new Cyber Security and Resilience Bill, aimed at fortifying the UK’s defences against the growing threat of cyber attacks.
This initiative comes in response to the increasing frequency and sophistication of attacks on critical sectors and their supply chains, with high-profile incidents disrupting major organisations and the services they deliver.
With threats coming from hostile state actors and from attackers making use of AI technology, regulation needs to change to strengthen UK businesses' defences.
What Is The Purpose Of The Cyber Security And Resilience Bill?
The primary objective of the Cyber Security and Resilience Bill is to address the current gaps in the UK’s cyber security framework, enhancing the country’s ability to defend against cyber threats.
By broadening the scope of existing regulations, giving regulators greater authority, and increasing mandatory reporting requirements, the bill seeks to reduce vulnerabilities and ensure more resilient digital infrastructure.
Current UK Cyber Security Regulations
The UK’s existing cyber security regulations are primarily governed by the Network and Information Systems (NIS) Regulations 2018. These regulations – which were initially derived from the EU’s NIS Directive – apply to operators of essential services across various critical sectors, including water, digital infrastructure, energy, health, and transport.
Plans to update the NIS Regulations have been under consideration for some time. A post-implementation review highlighted the need for modernisation to better reflect the current cyber threat landscape.
In 2022, the previous government proposed updates which included extending the regulations to managed service providers, granting ministers the authority to add new sectors, and introducing a full cost recovery model for regulatory compliance. However, these proposals stalled due to the lack of parliamentary time.
What Changes Will The New Bill Introduce?
The newly proposed Cyber Security and Resilience Bill aims to modernise the UK’s cyber security regime by:
- Expanding Regulatory Scope: The bill intends to extend the reach of existing regulations to cover a broader range of digital services and supply chains, recognising these areas as increasingly attractive targets for cybercriminals.
- Empowering Regulators: The bill will provide regulators with more robust powers to enforce cyber security measures, including the ability to implement cost recovery mechanisms and proactively investigate potential vulnerabilities.
- Enhancing Reporting Requirements: The bill will mandate more comprehensive incident reporting, enabling the government to gather better data on cyber attacks, notably incidents involving ransomware.
While some of these proposals echo those put forward by the previous government, the detail announced so far remains high-level, with more expected once a draft of the bill is published.
Matching The EU’s Developments
The proposed legislation comes as the EU has been actively advancing its own cyber security legislation.
The NIS Directive, which inspired the UK's NIS Regulations, is being replaced by the NIS 2 Directive. The new directive came into force on 16 January 2023 and requires EU Member States to transpose it into national law by 17 October 2024.
The NIS 2 Directive introduces significant changes to the EU’s cyber security landscape, including expanded scope, stricter risk management measures, and more rigorous incident reporting criteria.
Recent developments under the NIS 2 Directive include a draft implementing regulation launched by the European Commission. This regulation will apply to entities such as cloud service providers, data centres, and online platforms, setting technical and methodological standards for risk management and defining what constitutes a significant incident.
The proposed Bill should therefore keep the UK closely aligned with the EU, so that differing cyber security requirements do not become a barrier to trade.
Akita’s Comment On Legislation
“The Cyber Security and Resilience Bill is a great step towards strengthening our defences against cyber threats,” says George Wood, Head of Cyber Security at Akita. “By concentrating on the regulations and giving more power to the regulators it tackles the weaknesses in our systems.”
“It also keeps us in step with NIS 2 changes in the EU. For businesses, this means they must follow stricter security rules and report incidents more thoroughly. Businesses must adapt to these changes if they want to protect their data and infrastructure, and stay resilient against cyber attacks.”
What Should Businesses Do In The Light Of The Cyber Security And Resilience Bill?
While the legislation is still forthcoming, organisations need not wait for it before making cyber security improvements.
As a baseline, organisations should obtain Cyber Essentials certification or adopt a comparable set of security controls.
For organisations trading in or with Europe, aligning with the cyber security standards laid out by NIS 2 is advantageous and may help avoid being excluded from tenders and potential contracts.
Akita’s experts can provide guidance on the right security measures for your organisation based on profile and industry.
For more information about cyber security services, please get in touch: