The incoming British government has fired the first shot in its efforts to enhance the nation’s cyber-resilience, with a new bill cited in the King’s Speech on July 17.
The Cyber Security and Resilience Bill aims to “strengthen our defences and ensure that more essential digital services than ever before are protected,” the government said in background notes published yesterday.
It will do this by building on the NIS Regulations 2018, which itself is the result of an EU directive. While the EU is introducing a NIS 2, UK efforts to update the regulation had stalled.
“Some of the work towards reforming the UK NIS regime has already been done by the previous UK government, which carried out its own review of the NIS Regulations 2018 and then consulted on potential reforms,” explained Pinsent Masons partner Stuart Davey.
“The proposed reforms were focused on expanding the scope of NIS to other types of digital service providers and emphasizing the importance of supply chain cyber management, but it has been quiet on this front for 18 months since the government published its response paper in November 2022 – until now.”
Focus on Critical Infrastructure
The new bill will focus on critical infrastructure providers, extending the scope of the current NIS regime “to protect more digital services and supply chains.”
It will introduce mandatory ransomware reporting to help the authorities better understand the scale of the threat and “alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report.”
The proposed legislation will also give new powers to regulators and expand the scope of existing regulations.
“The government has identified the heightened and evolving cyber threat facing organizations, citing recent high-profile cyber-attacks affecting the NHS and the Ministry of Defence, and its plans to bring forward this new bill also come hot on the heels of public warnings from the UK National Cyber Security Centre about the cyber capabilities of China and Russia in particular,” said Davey.
It also comes weeks after a major ransomware attack on an NHS supplier which has led to thousands of cancelled appointments and operations.
“According to our own data there were 69 cyber-extortion attacks on healthcare businesses during Q1 of this year, up more than 100% from Q1 in 2023. To combat this, organizations must optimise access to skills, adoption of appropriate processes and the right use of technology to achieve cyber-resilience,” explained Orange Cyberdefense director of strategy and alliances, Dominic Trott.
“It is pleasing to see that the bill will make updates to the legacy regulatory framework by expanding the remit of the regulation to protect supply chains, which are an increasingly significant threat vector for attackers.”
Boosting Growth Through Cyber-Resilience
Martin Greenfield, CEO of Quod Orbis, added that the bill would help the Labour government deliver on its promise to boost economic growth.
“The reality is that multiple disruptions can impact a business at any time. Without proactive and cohesive cybersecurity strategies, businesses will struggle to achieve sustained economic growth,” he said.
“The initiatives announced in the King’s Speech are a necessary and timely push towards a more secure and prosperous digital economy.”
A separate Digital Information and Smart Data Bill will incorporate many of the legislative measures featured in the Data Protection and Digital Information Bill, a proposed update to the UK GDPR which failed to pass in time in the last parliament.