
The government has released a policy paper revealing further details on the upcoming Cyber Security and Resilience Bill, first teased in the King’s Speech last July.
There are three main parts to the bill, which enters Parliament later this year. One of these pillars will bring 1,000 IT suppliers to government or public services under the scope of the NIS Regulations 2018.
As a result, these suppliers will be redefined as critical national infrastructure and will have to adhere to stronger cyber safeguards or face fines of up to £100,000 a day. The goal is to toughen cyber supply chains and build digital resilience, a pressing requirement given the rise in supply-chain attacks, in which a provider is compromised so that attackers can pivot from it into the customers it serves.
Regulators will define critical suppliers as those that, if they suffered an attack or other cyber disruption, would have a significant impact on public services.
Also in the bill are plans to strengthen the Information Commissioner's Office's "information-gathering powers" so that the regulator can identify cyber risks more proactively and shift from reacting to incidents towards preventing them.
Finally, the bill proposes giving the secretary of state new powers to update cyber regulations without going through Parliament. The idea here, says the policy paper, is to keep government up to date with the rapidly evolving technology and cyber landscape so that mitigation and regulation can be brought in quickly to respond to emerging threats. There will be “certain safeguards,” the government says.
What hasn’t been included in the Cyber Security and Resilience Bill?
There are three further measures under consideration although not yet included in the bill.
Data centres could be folded into the scope of the regulation, a firm possibility given that the UK designated the facilities as critical national infrastructure in September 2024. All data centres with a capacity of 1 megawatt (MW) or more would be in scope, unless they are enterprise data centres, for which the threshold would be 10MW.
Of the 224 colocation data centres in the UK, managed by 68 operators, the government expects 182 third-party sites and 64 operators will fall in scope of the regulation.
Secondly, the government is considering publishing a “statement of strategic priorities for regulators”. This would create a new standardised cybersecurity framework for all regulators, creating a “unified set of objectives” for implementing regulations.
The final proposal would create new executive powers for the secretary of state in order to deal with emerging cyber threats. This proposal will allow the secretary of state to appoint a “regulated entity to take action” when “necessary for national security”.
Essentially, this power means that, if an entity subject to regulation is not taking adequate action to address a cyber threat, and the issue could affect national security, the secretary of state could require that organisation to act.
What the industry thinks of the updates
Industry figures welcomed the details announced in the bill. Etay Maor, chief security strategist at Cato Networks, described the proposals as a “necessary course correction”.
“When attackers hit London hospitals by compromising a managed service provider, it wasn’t just a breach, it was a failure in how we delegate trust,” Maor says. “MSPs have privileged access, deep integration and wide operational reach. Treating them like passive vendors ignores the fact that when one falls, the blast radius is massive.”
Martin Lee, EMEA lead at Cisco Talos, adds: "Critical services must be secured against a constantly evolving threat from those who seek to undermine our society or profit from the chaos and destruction of a cyber attack. The government's plans for a Cyber Security and Resilience Bill are a welcome step forward in boosting the nation's cyber resilience."
Ensuring government and regulators work closely with industry on the detail and delivery will be a crucial next step, says Lee.
The government first announced the Cyber Security and Resilience Bill in July, promising at the time to hand more power to regulators around cybersecurity incidents and to mandate reporting of ransomware attacks.
The government said the bill was introduced in response to attacks on the United Kingdom’s digital economy by both cybercriminals and state actors, which have impacted public services and infrastructure.
The announcement arrived in the wake of a devastating Russian cyber attack on Synnovis, a private company that provides pathology services, such as blood tests, to the NHS. Following the attack, some patients were informed they may have to wait up to six months for blood tests.
Research fellow at defence think-tank RUSI, Jamie Maccoll, says mandatory reporting of ransomware will be particularly useful to better understand the cybercrime landscape in the UK.
“At the moment, we know cybercrime is a really big issue, but we don’t know the scale of it or the true cost of it to the UK, which makes it hard to design effective policy,” Maccoll says.
In its election manifesto, Labour promised that it would set its regulatory sights on the frontier AI operators – think Google, Anthropic, Microsoft and OpenAI – however, an expected AI Bill was missing from the raft of announcements. Accordingly, there is a “huge amount” that industry and government will need to work through, says Julian David, CEO of technology industry group TechUK.
“This will include working closely with industry as new laws on AI are drafted, ensuring we get the right balance between those new laws and promoting the economic growth needed for the new prime minister to achieve his missions for government,” David says.