The government has announced a Cyber Resilience Bill, which will hand more power to regulators around cybersecurity incidents – and will mandate reporting for ransomware attacks.
The bill was announced in today’s King’s Speech, alongside 40 others. The government said the bill was introduced in response to attacks on the United Kingdom’s digital economy by both cybercriminals and state actors, which have impacted public services and infrastructure.
The announcement arrives in the wake of a devastating Russian cyber attack on Synnovis, a private company that provides pathology services, such as blood tests, to the NHS. Following the attack, some patients have been informed they may have to wait up to six months for blood tests.
The bill will expand the remit of regulators to cover supply chains and address the growing prevalence of supply-side attacks, where malicious actors enter networks via third-party suppliers. It also promises to create a stronger regulatory environment to ensure cyber safety measures are actually being introduced.
Additionally, the government will mandate further incident reporting, including for ransomware.
Research fellow at defence thinktank RUSI, Jamie Maccoll, says mandatory reporting of ransomware will be particularly useful to better understand the cybercrime landscape in the UK.
“At the moment, we know cybercrime is a really big issue, but we don’t know the scale of it or the true cost of it to the UK, which makes it hard to design effective policy,” Maccoll says.
Rohan Massey is managing partner at law firm Ropes and Gray and leader of its data, privacy and cybersecurity practice. In his view, the new Cyber Security and Resilience Bill will align, in principle, with the EU’s NIS2 Directive, an upcoming piece of cybersecurity legislation which is due to take effect in October 2024 but will not apply to the UK.
NIS2, Massey adds, brings into scope a “broader range of critical and important service suppliers and their supply chains” than were subject to the previous Network Information Systems Directive in 2016, NIS1.
“In an increasingly digital society, ensuring our critical infrastructure and public services organisations are obligated to have robust security governance and controls in place is prudent,” he says. “Effective data on attack vectors and trends is also critical, and has been shown to be best collated through mandatory notification obligations.”
Massey adds: “The government should be able to draw on the experience of the ICO and NCSC in breach notification management and incident investigation under both to give practical scope to these issues”
Other commentators suggested that the bill made sense given recent developments in asymmetric warfare. According to Kai Roer, CEO and founder of cybersecurity firm PraxisLabs, a “failure to consider the digital domain is a failure to recognise that warfare in 2024 includes a multitude of domains”.
Ian Stretton, director of EMEA and Nordics at cybersecurity provider Darkscope, agrees that cyber attacks are now a standard part of any conflict, whether directed at infrastructure, government or individuals. The fact that “communications, power, finance, health, education, rail and even things as simple as traffic control are all targets” is driving a change of focus in modern conflict management, he adds.
Meanwhile, a new Digital Information and Smart Data Bill may have compliance implications for businesses in the UK. While one of its aims is to support further digitising of government services, it will also reform data-sharing standards and give the Information Commissioner’s Office new powers.
In its election manifesto, Labour promised that it would set its regulatory sights on the frontier AI operators – think Google, Anthropic, Microsoft and OpenAI – however, an expected AI Bill was missing from the raft of announcements. Accordingly, there is a “huge amount” that industry and government will need to work through, says Julian David, CEO of technology industry group TechUK.
“This will include working closely with industry as new laws on AI are drafted, ensuring we get the right balance between those new laws and promoting the economic growth needed for the new prime minister to achieve his missions for government,” David says.
The government has announced a Cyber Resilience Bill, which will hand more power to regulators around cybersecurity incidents – and will mandate reporting for ransomware attacks.
The bill was announced in today’s King’s Speech, alongside 40 others. The government said the bill was introduced in response to attacks on the United Kingdom’s digital economy by both cybercriminals and state actors, which have impacted public services and infrastructure.
The announcement arrives in the wake of a devastating Russian cyber attack on Synnovis, a private company that provides pathology services, such as blood tests, to the NHS. Following the attack, some patients have been informed they may have to wait up to six months for blood tests.
