The road to cyber resilience for UK critical national infrastructure (CNI) has been a long and winding one. The government’s NIS Regulations 2018 are woefully outdated and limited in scope, being based on an EU directive from two years earlier. After some positive noises, the previous administration’s efforts came to nought. So it is heartening that the Labour government is finally giving the subject the attention it deserves.

After months of waiting around for more detail following the King’s Speech, we now have a government policy statement to dissect. So what will the Cyber Security and Resilience Bill look to achieve? And how challenging will it be for firms to comply?

Why We Need It

The UK is a very different place from the one in which the NIS Regulations 2018 became law. CNI, society and UK PLC are more reliant than ever on IT and digital systems. In most organisations, that has meant investments that have increased the size of the cyber-attack surface, handing threat actors an advantage. The geopolitical backdrop has made state-aligned but plausibly deniable attacks from third parties more likely. And it has emboldened nation-states to conduct their own.

As if anyone needed reminding of the potential impact of serious breaches on CNI sectors, just remember the chaos the Synnovis ransomware attack caused last year – leading to thousands of cancelled appointments and a critical blood shortage in south-east England. It’s also a reminder that supply chains are an increasingly vulnerable target for such attacks. Too often, skills and resource challenges hit hard in these smaller organisations. And while they struggle, threat actors are using AI to do more with less, accelerating attacks and improving outcomes.

The fact that half of UK firms have shelved digital transformation plans due to the fear of nation-state attacks also makes improving cyber resilience a business imperative. So, what will be on their to-do list when the bill finally becomes law?

What’s in the Bill?

Although changes may yet be introduced as it winds its way through parliament, as it currently stands, the legislation aims to:

Create more in-scope entities

The government will:

  • Include managed service providers (MSPs) in the scope of the new provisions, estimated at approximately 900-1100 firms.
  • Include datacentre operators: around 182 colocation sites and 64 operators, plus a small number of enterprise datacentres (with capacity above 10MW).
  • Enable government and regulators to set stronger requirements for certain critically important/high-impact operators of essential services (OES), even if they are microbusinesses (unless already subject to existing cyber resilience laws).

Empower regulators and enhance oversight

The government will:

  • Clarify the “technical and methodological security requirements” demanded of in-scope organisations, aligning more closely with NIS 2 and the NCSC Cyber Assessment Framework (CAF).
  • Expand incident reporting to cover any incidents that “significantly affect the confidentiality, availability, and integrity of a system”, including data compromise, spyware attacks and ransomware. Firms will need to report to their regulator and the NCSC. Notification requirements will be “no more onerous than NIS 2”: an initial notification within 24 hours, followed by an incident report within 72 hours.
  • Empower the technology secretary to mandate that a regulated entity take specific actions when deemed necessary for national security.
  • Enhance the ICO’s information-gathering powers so it can identify the most critical digital service providers and proactively assess their cybersecurity posture.
  • Allow regulators to set a fee regime, recover costs, or combine the two to cover enforcement expenses and other regulatory costs.

Create delegated powers

The government has also committed to ensuring the law is adaptable: granting new powers to the tech secretary to update the legislation to ensure it is “current and effective”.

Questions Left to Answer

Non-profit business resilience specialist CSBR welcomes the bill but demands clarity on a series of questions, ranging from NIS 2 alignment to ICO powers.

“The challenge is to ensure that seeking better cybersecurity resilience regulation doesn’t have the unintended effect of stifling innovation and creating onerous or bureaucratic obstacles, especially for small and medium-sized enterprises,” it says. “There is also a need for the government to recognise that it is the government itself which is often the most vulnerable part of the system, as the recent NAO report made clear in its recent report.”

Oscar Tang, senior associate in Clifford Chance’s Tech Group, agrees that many questions remain unanswered at this stage, including the basis for the “technical and methodological security requirements” the new law aims to clarify for in-scope organisations.

“We might see a multi-layered approach that references the CAF as a core UK benchmark, alongside ISO and other guidelines, to ensure consistency in practice,” he tells ISMS.online. “The government’s policy intent notes the importance of a proportionate and agile approach to security, so organisations are unlikely to be required to reinvent the wheel. Leveraging existing frameworks such as ISO 27001 should help demonstrate robust risk management and security controls.”

Will Richmond-Coggan, a partner at Freeths LLP specialising in data and cybersecurity litigation, also cites ISO standards as potentially laying the groundwork for what’s expected in the new UK law.

“Although the government is late to the party in producing legislation to reflect the developments in Europe around cybersecurity embedded in the NIS 2 Directive, there are some advantages to this,” he tells ISMS.online.

“A number of existing information security standards already reflect the changed focus under NIS 2: for example, ISO 27001:2022 and ISO 27302, which provides specific recommendations for strengthening an organisation’s cyber-resilience. These are also likely to support compliance under the Cyber Security and Resilience Bill when it comes into force, and for those organisations already operating in Europe and adhering to NIS 2, the parallels between the legislation are likely to be helpful.”

However, to get to the point of true cyber resilience, organisations must embed what they learn by working through ISO 27001 and other standards “into the operational core of businesses” – which will demand a “culture of compliance”, Richmond-Coggan adds.

“In truth, the legislation will already be outdated in relation to some of the risks that it is intended to address, by the time it comes into force,” he concludes.

“Businesses need to use this as a wake-up call to investigate their end-to-end security posture, resilience and business continuity planning if they are to be truly ready for the risks that the government is responding to with this legislation and its wider cybersecurity initiatives.”