The state opening of parliament is an occasion filled with the kind of pomp and ceremony Britain still does better than any other country. What it’s not as good at is providing concrete details about upcoming legislation. The King’s Speech is kept deliberately vague by the government of the day in order to ensure some flexibility in their plans. That said, there are some clear signals about what we can expect over the coming months. And, unusually this parliamentary session, cyber is front and centre in several proposed laws.
From digital ID cards and new cyber-resilience mandates to closer ties with European regulation, there’s plenty to keep security and compliance teams busy this year. Here’s our round-up of the most noteworthy proposals:
Cyber Security and Resilience Bill
The long-awaited update to the NIS Regulations 2018 continues to make its way through parliament, with the expectation that it will become law before the end of the year. The Cyber Security and Resilience Bill (CSRB) will increase the number of in-scope organisations – to include managed service providers (MSPs) and datacentre operators. It will require new “appropriate and proportionate” security measures including enhanced incident reporting and supply chain risk management. And it will increase the maximum penalties for non-compliance.
Yet the number of sectors that fall under the new regulatory regime remains small in comparison to Europe’s NIS2. SonicWall EVP EMEA, Spencer Starkey, tells IO (formerly ISMS.online) that most of the UK economy remains untouched.
“The EU’s NIS2 Directive already casts a wider net, covering manufacturing, food production and chemicals that the CSRB doesn’t, meaning multinationals may already be doing the heavy lifting the CSRB isn’t designed to do,” he suggests. “The government’s real bet is supply-chain pressure – regulated organisations auditing and managing their suppliers’ cyber standards, pushing minimum requirements downward without legislating everyone directly.”
The government has also announced a Cyber Resilience Pledge initiative, in which large firms are asked to commit to requiring Cyber Essentials across their supplier base – among other things. This could also help to improve baseline security among UK firms, although “voluntary pledges only work when enforced commercially”, Starkey argues.
Digital Access to Services Bill
This will introduce a controversial voluntary digital ID scheme to the UK for the first time. The government is trying to win over a sceptical public by positioning it as a time-saving technology that will reduce bureaucracy and improve public services. For businesses, it could also be beneficial if it reduces the volume of records they need to store and process to verify customer identities. It could theoretically reduce identity fraud and even streamline the process of vetting third-party identity providers.
However, the devil will be in the detail, according to SmartSearch CEO, Phil Cotter. “If it integrates strong biometrics and liveness detection at critical payment points, it could materially reduce identity-based fraud,” he says. “Designed poorly, it risks becoming just another credential that can be stolen or socially engineered, creating the illusion of security without delivering it.”
Questions also need to be answered about how the scheme will be delivered in practice.
“If a single system becomes the default for national identities across both public services and financial services, it will become a high-value target,” Cotter warns. “A failure or compromise wouldn’t be isolated – it could have a knock-on effect for the entire economy.”
National Security Bill
Aside from regulating violent content online, the most consequential part of the bill from a cyber perspective is a set of proposed reforms to the Computer Misuse Act 1990. Created before the web existed in its current form, the law has been widely criticised for failing to protect cybersecurity researchers from accusations of illegality. The new proposals are intended to address these shortcomings by providing legal cover for vulnerability research, penetration testing and related activity.
“The hope is we fall into an open research model where anything is fair game as long as it’s reported properly,” Closed Door Security CEO, William Wright, tells IO. “That will give everyone a chance to measure risks themselves and researchers/threat hunters a more open world to operate in, leading to a better environment for everyone.”
Michael Jepson, penetration testing manager at CybaVerse, adds that it could encourage SOCs to act on intelligence rather than sit on it, and make vetting of suppliers easier and more thorough. “Supply-chain security could be bolstered on top of the standard questionnaires and SOC 2 reports, which would mean organisations could actually verify claims made on paper by suppliers,” he tells IO.
NHS Modernisation Bill
Sweeping reforms designed to improve patient care include proposals for a single patient record (SPR). That’s a potentially huge security risk given the personal and medical information it could contain, argues Huntress vCISO, Muhammad Yahya Patel.
“The moment that data is unified and reachable through a single access pathway, it becomes one of the most attractive targets in the UK’s entire digital infrastructure,” he tells IO. “Cybercriminals have continued to target the NHS and key suppliers over the years. The SPR fundamentally changes the blast radius of any successful compromise.”
Risk assessments will need to be run to close security, procedural and process gaps, and zero trust approaches adopted for identity and access in order to bolster public trust, says Patel. The reforms could also strengthen security across an NHS supply chain that already mandates Cyber Essentials Plus, he adds.
“Every organisation that touches the SPR, whether providing infrastructure, software, or data integration services, becomes part of the security perimeter by definition,” says Patel. “That drives a practical requirement for the NHS to understand and manage the security posture of that entire chain.”
The reforms also include the abolition of NHS England and the transfer of its functions to the Department of Health and Social Care (DHSC). This may help “sharpen accountability” from a regulatory and governance perspective, although it could also introduce bureaucratic friction, Patel warns. “Combined with the CSRB’s mandatory incident reporting timelines and penalty framework, there is at least a clearer enforcement architecture than existed before,” he says.
European Partnership Bill
Ten years on from Brexit, the government appears to have realised that the UK cannot forge its own path on regulation without at least aligning with its continental neighbours. The European Partnership Bill aims to strengthen ties with the EU to bolster trade and reduce red tape.
“The government will have the power to fast-track evolving Single Market regulations into UK law without triggering a full, traditional parliamentary vote on every update,” explains James Clark, partner at Spencer West LLP. Although the priority areas for alignment are food and drink, energy and emissions trading, and youth mobility, digital and cyber could potentially follow, he tells IO.
“It could be argued that the EU’s introduction of additional red tape has created a competitive advantage for the more lightly regulated UK. But in reality, many businesses operate across both markets, meaning that the shadow of EU regulation still has a material impact on the UK economy,” Clark continues. “It is a simple truth that most businesses that operate internationally prefer as much commonality as possible in terms of standards.”
However, it’s unclear how closer alignment on cyber would work, given the divergence between NIS2 and the CSRB. “Meanwhile, there is currently no direct equivalent to the EU’s Cyber Resilience Act, which requires hardware and software products to have secure-by-design standards, mandatory updates, and vulnerability management throughout their lifecycle,” Clark points out.
Much More to Come
As is the government’s wont, some of these proposals will no doubt be quietly shelved, while others not mentioned in the King’s Speech will emerge. It’s also still too early to say whether cybersecurity professionals will be affected by other proposed legislation in the speech, including the Tackling State Threats Bill and the Energy Independence Bill. IO will be keeping a close eye on proceedings as this parliamentary session unfolds.