A new Cyber Security and Resilience Bill
Following on from our Cyber Roundtable post, as part of the King’s Speech on 17 July 2024, the Government announced plans for a new Cyber Security and Resilience Bill (the Bill). The Bill will be introduced to Parliament in 2025.
Background
We have seen increasing levels of cyber attacks on institutions from the NHS to the Ministry of Defence, demonstrating the importance of the UK’s cyber defences in protecting essential services and businesses. The June 2024 ransomware attack on Synnovis, a pathology services provider to NHS hospitals in London, resulted in over 10,000 outpatient appointments and 1,693 elective procedures being postponed across the affected hospitals. The total cost of such attacks, and their associated impact on citizens, supply chains and the economy, runs to billions of pounds.
While there are cyber security regulations in force, such as the NIS Regulations 2018, these need to be strengthened to reflect the increasing scale of risk. The Department for Science, Innovation and Technology has said, ‘laws have not kept pace with technological change’, and the UK needs ‘swift action to address the vulnerabilities and protect our digital economy to deliver growth’.
Details of the Bill
The Bill, which will apply UK-wide, will make the following updates to the regulatory framework:
- broaden the regulatory scope to offer better protection for digital services and supply chains;
- require increased incident reporting to give the Government better data on cyber attacks;
- empower regulators to ensure essential cyber safety measures are being implemented.
The above updates will help by:
- addressing immediate vulnerabilities and preventing copycat attacks that target essential services and businesses;
- improving understanding of cyber threats and enabling earlier detection of potential attacks, by expanding regulated entities’ obligations to report a wider range of incidents;
- giving regulators powers to recover costs (to fund their regulatory activity) and to proactively investigate potential cyber weaknesses.
Impact on Businesses
By identifying immediate vulnerabilities, the Bill could improve communication across essential services and businesses and create more proactive messaging about attack risks. At our recent roundtable on Cyber, we heard about business confusion caused by the number of training vendors and detection technologies available. Targeted endorsement of training providers and technologies by regulators, coupled with joined-up communication about best practice, could improve confidence and thereby business investment. This could also lead to a more inclusive UK-wide approach to ransomware response.
The Bill will also encourage businesses to focus on proactively managing vulnerabilities, and to ensure that suitable training and investment go into an embedded cyber security road map. This should reduce business interruption and the consequential impact on supply chains.
Finally, a more proactive and joined-up approach should lead to fewer debilitating cyber attacks and greater confidence for essential services and businesses on a national and global scale.
Impact on the Public
A stronger and more joined-up approach to UK cyber security reduces the risk that personal and sensitive information will be leaked, giving the public greater reassurance around personal data.
Next Steps
The Bill will be introduced to Parliament in 2025. The Government will work with key stakeholders to gather input on the content of the Bill, with further announcements to be made in due course.