Sun. Apr 20th, 2025

Christina Antonelli

Connecting the World, Technology in Time

UK Cyber Security and Resilience Bill: Policy statement details confirmed and proposed measures for enhanced CNI protection

The U.K. has published a policy statement on the Cyber Security and Resilience Bill that sets out the policy measures to be included in the forthcoming Bill. The policy statement is being laid before Parliament on Tuesday; the Bill itself will be introduced to Parliament in the current Parliamentary session.

The Bill will make crucial updates to the legacy regulatory framework by expanding the remit of the regulation to protect more digital services and supply chains; putting regulators on a stronger footing to ensure essential cyber security measures are being implemented; and mandating increased incident reporting to give the government better data on cyber attacks, including where a company has been held to ransom.

“The digital revolution is transforming our Critical National Infrastructure and our essential public services. It offers an extraordinary opportunity – to make our people and our country better off,” Peter Kyle, Secretary of State for the Department for Science, Innovation and Technology (DSIT), wrote in a Ministerial foreword. “However, it may also bring new and dangerous vulnerabilities. In an increasingly dangerous and unstable world, we will not hesitate to protect our people from those who seek to do us harm. For too long, successive governments have failed to properly address the growing risk posed by cyber criminals and hostile states.”

Kyle added that the “legislative proposals reflect the insights we have gathered from our international partners, including valuable lessons from the European Union on the implementation of its NIS2 regime. They are also informed by consultations conducted by the previous Government in 2022 and 2023. However, it is vital that we also recognise the unique threats that the UK faces now and the threats that we cannot yet predict in the decades to come. At the same time, we must ensure that regulation works for businesses and investors, today and tomorrow.”

The policy statement comes as the U.K. faces unprecedented threats to its critical national infrastructure. Hostile cyber activity against the country has grown more intense, frequent, and sophisticated, with real-world impacts for its citizens.

Noting that cyber criminals have continually exploited advances in technology to improve the effectiveness of their malicious activities, the document added that the regulatory framework must keep pace and provide the flexibility to respond to future threats as and when they emerge. Adversaries are exploiting vulnerabilities in critical infrastructure and supply chains, using tools such as artificial intelligence and commercial cyber capabilities to enhance their espionage and disruptive activities.

“Our growing dependency on technology has made supply chains particularly vulnerable, with ransomware and data extortion emerging as significant threats,” the policy statement added. “Less than one tenth of operators of essential services feel confident in managing the risk from their wider supply chains (Network and Information Systems (NIS) 2018 Second Post Implementation Review). As these actors continue to evolve, the risk to supply chains remains a critical concern, necessitating heightened vigilance and robust cyber resilience measures.”

Cyber security is crucial for economic growth, creating a stable environment for innovation and investment. Secure digital services enable businesses to thrive, attract investment, and encourage technological development. This stability enhances competitiveness and drives economic progress by minimizing downtime and disruptions. 

Resilient cyber infrastructure supports innovation by providing a secure foundation for new technologies, maintaining the U.K.’s leadership in global technological advancements. The legislative plan aims to increase the adoption of essential cyber defences, protecting entities from cyber attacks and fostering an environment conducive to investment and innovation.

Last July, the U.K. government said that it planned to introduce the Cyber Security and Resilience Bill in Parliament soon, as highlighted in the King’s Speech. The legislation aims to strengthen the U.K.’s cyber defences and secure critical infrastructure and essential digital services. That announcement emphasized the vulnerability of essential services to hostile actors, citing recent cyber attacks on the NHS and the Ministry of Defence, and called for urgent action to protect the digital economy and promote growth.

The measures announced for the Cyber Security and Resilience Bill include expanding the regulatory framework to encompass more entities. The King’s Speech announced that the Bill would make significant updates to the NIS Regulations 2018 by bringing additional firms into scope, to better address the growing dependence on digital services and the vulnerabilities within supply chains. This initiative aims to enhance supply chain security and allow regulators to designate ‘Critical Suppliers’.

It also seeks to empower regulators and improve oversight. Strengthening the UK’s cyber security requires that regulators are adequately prepared to assume their new responsibilities, supported by robust government data on cyber threats. This includes enhancing incident reporting, augmenting the Information Commissioner’s Office’s information-gathering capabilities, and improving regulators’ cost recovery mechanisms.

The Bill also addresses the necessity of ensuring that the regulatory framework can keep pace with the ever-evolving cyber landscape. New technologies and emerging threats demand agile regulation, and for the sake of national security the framework must remain dynamic. The measures ensure that the government is not constrained by the timescales of primary legislation when updates to the regulations are needed in the future; the policy statement examines delegated powers to keep the regulatory framework adaptable to emerging threats.

In the wake of the evolving cyber landscape and of attackers changing their tactics to circumvent protections, the DSIT said that it has set out four measures under consideration, in addition to the commitments made in the King’s Speech. The government will consider the most appropriate legislative vehicle to take forward these measures in due course, which could be this Cyber Security and Resilience Bill.

The new measures include bringing data centres into the scope of the regulatory framework. By doing this, the government aims to strengthen the protection of critical national infrastructure and all it supports and enables. The move is designed to balance security and resilience with the need for growth and investment, recognising that they support each other. Therefore, responsible operators are not intended or expected to incur significant compliance costs, but a full impact assessment would be provided upon legislating.

Last September, the U.K. government labeled data centers as ‘Critical National Infrastructure,’ recognizing their essential role in the economy. This status allows for greater government support during crises, reducing disruptions and aiding recovery while boosting industry confidence and economic growth.

The DSIT also intends to publish a statement of strategic priorities for regulators. This would serve as a crucial instrument to streamline roles, responsibilities, and expectations, ensuring that all regulators, across all relevant sectors are implementing the regulations in a consistent manner. Reporting requirements would reassure ministers, the public, and Parliament that appropriate measures are being adopted across sectors.

The government is also proposing new executive powers to enable swift and decisive action in response to cyber threats, ensuring rapid and effective protection. Empowering the government to respond effectively is crucial for national security, and the proposed powers would enhance its ability to protect critical infrastructure and essential services, strengthening the nation’s resilience in a digitally enabled economy. One such power would allow the Secretary of State to direct a regulated entity to take action when it is necessary for national security.

The DSIT is considering giving the Secretary of State the power to direct regulators on national security grounds, ensuring action across sectors. Currently, regulated entities must take ‘appropriate and proportionate’ measures against cyber threats, with regulators providing guidance. However, the Government cannot mandate specific guidance, such as requiring certain levels of network monitoring. This measure aims to fill that gap by allowing the Secretary of State to direct regulators to recommend stricter cyber security measures when necessary for national security.

In conclusion, the DSIT recognizes that it is the right time to update the U.K.’s legacy frameworks, address gaps in the current regulation, and ensure that relevant entities are brought within the scope of the rules. “Through these measures, we will make sure that our critical infrastructure and services remain protected – for people across the UK to rely on,” the policy statement says. “Our proposals will ensure that critical infrastructure is protected from hostile actors – securing essential services, such as the NHS and energy providers. Improved standards and regulation will also foster the secure networks and systems that are essential for business growth and innovation.”

The Cyber Security and Resilience Bill is one essential tool in the government’s wider approach to addressing the threat posed by cyber attacks, and it reflects the government’s commitment to safeguarding the digital economy through a wider tapestry of measures and initiatives.

The U.K. National Cyber Security Centre (NCSC) welcomed the publication of the Cyber Security and Resilience Policy Statement which sets out a series of legislative proposals that will help tackle the increasingly prolific and diverse cyber threats to the U.K.

Jonathon Ellison, director of national resilience at the NCSC, wrote in a post that the NCSC’s role is to raise awareness of the cyber threat to the U.K. and to guide citizens and organisations towards trusted cyber security advice, tools and services, promoting best practice, preparedness and mitigation. He added that the NCSC also plays an important role in strengthening the country’s cyber ecosystem, supporting its growth and cultivating talent.

Ellison said that the proposals announced will bolster the regulatory framework, ensuring more effective and consistent application across the different NIS-regulated sectors. 

NCSC resources will assist operators of essential services, digital service providers, and critical suppliers covered by the NIS Regulations in managing and evaluating their cyber risks through the NCSC Cyber Assessment Framework (CAF). 

Additionally, the Cyber Resilience Audit scheme and the Cyber Essentials assessment service will be deployed as complementary tools to the CAF, allowing assured industry providers to supply independent evidence of CAF outcomes. These resources are available to regulators to enhance resilience and cyber security within their sectors.

“These legislative proposals offer a real opportunity to tackle the increasing acceleration and diversification of cyber threats to UK critical sectors,” according to Ellison. “We will work closely with DSIT, colleagues across government, and our partners in industry and the wider cyber ecosystem, as the proposals are further developed and implemented. We encourage those organisations likely to be affected by these proposals to familiarise themselves with the detail in the DSIT Cyber Security and Resilience Policy Statement.”

Last week, the NCSC introduced a set of eight principles for privileged access workstations, designed to help organizations and cyber security practitioners deploy privileged access workstation solutions. The principles describe the key features of these workstations and offer practical advice for their implementation in everyday scenarios. They also provide a framework for evaluating whether third parties with high-risk access to an environment are using securely configured devices.

By admin