The Cyber Security and Resilience Bill is being introduced in Parliament, having been announced as part of the incoming Labour Government’s July 2024 King’s Speech.
Department of Science, Innovation, and Technology (DSIT) Secretary Liz Kendall said: “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target. We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
A recent letter from government ministers including the Technology Secretary, Chancellor and Business Secretary went to business leaders and FTSE 350 firms, urging them to strengthen their cyber defences. For serious breaches, turnover-based penalties will be set.
Those falling in scope of the law (digital and essential services such as healthcare, transport, energy and water) will need to have plans in place, and to report more harmful cyber incidents, including where a company has been held to ransom, to their sector regulator and the UK's National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours.
National Chief Information Security Officer (CISO) for Health and Care at the Department of Health and Social Care, Phil Huggins, described the Bill as a huge opportunity to strengthen cyber security and resilience. He said: “The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers. Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape.”
Comments
Tim Jones, cyber security partner at the law firm Norton Rose Fulbright, said: “Some of these changes will bring the UK’s cybersecurity regime closer to the EU’s NIS2. However, the regimes will not be identical – organisations will need to assess their obligations under each and update their incident notification playbooks.
“They will, naturally, also need to make separate notifications under applicable UK and EU legislation in the event of an incident. The EU Commission may propose a ‘single-entry point’ for fulfilling EU incident notification obligations as part of its digital package on simplification, but notifications under the UK NIS Regulations and other applicable regimes – such as the GDPR – will need to be made separately.”
Darren Guccione, CEO and Co-Founder of Keeper Security, called the Bill a decisive step toward further strengthening the nation’s digital defences. He said: “Expanding the scope of existing NIS regulations to cover managed service providers, data centres and other essential digital services reflects the reality that the UK’s critical infrastructure is only as secure as the weakest link in its digital supply chain.
“The bill’s success will ultimately depend on the practicalities of its execution. Regulation in isolation doesn’t stop breaches, and organisations need adequate funding, support and the appropriate technical solutions to ensure effective operational security. The majority of successful attacks still begin with compromised credentials, over-privileged accounts or weaknesses in third-party access. Addressing these fundamentals through robust identity and privileged access management should be a top priority for any organisation falling within the bill’s remit.”
Mayur Upadhyaya, CEO at APIContext, said: “As regulatory frameworks like DORA highlight, resilience is about more than uptime. It’s about understanding the full digital supply chain: cloud dependencies, DNS behavior, and the APIs that connect everything together. To manage that risk, we need to lift the bonnet and proactively test what’s under the surface. Without checks across third-party infrastructure, even minor disruptions can cascade into major outages, as demonstrated recently by prominent cloud providers. The UK’s Cyber Security and Resilience Bill is a step in the right direction, but operational resilience must include continuous testing, not just better incident reporting.”
Tom Cope, Senior Lead Consultant at the cyber consultancy Bridewell, pointed to the need for scoping which suppliers would require extra scrutiny under the new bill. He said that by scoping this now, operators of essential services (OES) can avoid a sudden rush and bottleneck in supplier negotiations once the legislation has been passed. He said: “This focus will be particularly vital given that organisational supply chains have become one of the most common and complex targets for cyber criminals. High-profile incidents such as SolarWinds and NotPetya have demonstrated how deeply these attacks can infiltrate and disrupt global operations. Until now, UK regulation has not directly addressed supply chain risk management, instead relying on non-statutory guidance like the NCSC’s Cyber Assessment Framework (CAF) to bridge the gap. The new Bill will give the government the ability to introduce secondary legislation requiring OES and RDSPs to adopt proportionate measures to manage supply chain risks, ensuring that third-party cyber threats are properly assessed and mitigated.”
Trevor Dearing, Director of Critical Infrastructure at Illumio, said: “Security across the public sector is too fragmented, and a move towards a more centralised plan will be beneficial for establishing a unified security posture that is better suited to defending against cyber threats. Third-party providers form the lifeblood of government departments. Cybercriminals will always target the weakest link in the chain to gain access to more valuable systems. A risk-based approach to security is key to achieving this, ensuring that the most threatened services receive the most resources.
“The shift from reporting only successful breaches to reporting all cyber incidents is long overdue and will drive rapid improvements in how organisations protect their most critical assets and respond to attacks. Granting the Technology Secretary new powers to ensure that regulators and organisations monitor or isolate high-risk systems is a smart move. The goal must be to reach a point where organisations can contain and limit the impact of attacks before they cripple essential services; isolating critical systems helps to achieve this.
“Whilst it is understandable that the government is introducing tougher penalties for poor security practices, it is equally important that sufficient support is provided to help organisations achieve compliance. The government must ensure that investment is made in supporting organisations, particularly those with limited budgets.”
You can read more at https://www.gov.uk/government/collections/cyber-security-and-resilience-bill.