Strengthening the UK's Digital Defences: An Overview of the Cyber Security and Resilience Bill

Having been introduced in the King’s Speech last July, we see for the first time what changes can be expected against the backdrop of increasingly sophisticated cyber security threats.

In an era where digital infrastructure underpins nearly every aspect of modern life, the importance of robust cyber security measures cannot be overstated particularly for entities key to critical infrastructure. The Bill is expected to be a significant step forward in the UK's efforts to safeguard its critical national infrastructure and essential public services, with many similarities to Europe’s NIS2.

Will this impact me?

The current UK regime, under the Network and Information Systems Regulations 2018, covers:

• Operators of essential services (OES) – An organisation operating services deemed essential for the maintenance of critical societal or economic activities, where the service provision depends on network and information systems and any incident would have ‘significant disruptive effects’ on that service.
• Relevant digital service providers (RDSP) – A provider of a digital service that is an online market, an online search engine or a cloud computing service – with a head office or nominated representative in the UK, and 50 or more staff or a balance sheet of at least EUR 10 million.

The Bill will expand the current network and information systems security regulatory regime to include more entities and update requirements for operators of essential services and relevant digital services providers.

Key proposals for reform include the following:

Expansion of the scope of the regime to include more entities

Managed service providers (MSP) providing core essential IT services to the public sector and UK businesses will be within scope of the Bill. MSPs have considerable access to their clients IT systems and yet can themselves be vulnerable to cyber-attacks.

In-scope MSPs include those providing services to another organisation which: (i) rely on the use of network and information systems to deliver the service; (ii) relate to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security; and (iii) involve a network connection and/or access to the customer’s network and information systems.

By including MSPs, the Government hopes to enhance the security of the IT infrastructure of a broader range of services. An estimated 900-1100 MSPs are expected to be caught by this change.

Strengthening supply chain security and establishing new designated ‘Critical Suppliers’ framework

Supply chains are naturally seen as a key area of vulnerability, given the heavy reliance for essential services. The Bill will enable the Government, by way of secondary legislation, to clarify and strengthen supply chain duties for OESs and RDSPs against vulnerabilities that may undermine essential or digital services

In addition, regulators will be given powers to bring other high-impact suppliers within the scope of the legislation as designated critical suppliers (DCS). Proportionate and appropriate measures (though not described yet in any detail) will be required to be adopted to prevent vulnerabilities in suppliers, for example through contractual requirements and security checks. Under the plans, suppliers who provide goods or services to an OES or an RDSP that rely on network and information systems, can be individually designated as a DCS where a regulator considers that a disruption to their goods or services could cause ‘a significant disruptive effect on the essential or digital service it supports’. Small and micro RDSPs are currently outside of the regime however under these proposals, smaller RDSPs may be designated as a critical supplier by regulators. It is expected that DCSs will be a very small number of suppliers providing goods or services to OESs and RDSPs.

Empowering regulators and enhancing oversight

The Bill will:

• expand the ICO’s information gathering powers and allow the ICO to enforce a failure to register with the ICO. These changes are intended to enhance the ICO’s capabilities in proactively identifying and mitigating risks before they materialise.
• enable regulators to proactively raise funds, set a fees regime and recover costs, to address cash flow issues.
• give the Secretary of State new powers to update existing technical and methodological security requirements, with the ability to adopt a tailored approach to the requirements for different sectors as well as issuing codes of practice.
• require incidents to be notified to the applicable regulator and the National Cyber Security Centre within 24 hours of becoming aware of the incident, with an incident report to follow within 72 hours. This is intended to be similar to reporting procedures under the EU NIS2. Digital service providers and data centres that experience a significant incident will also be required to alert customers.

New powers to ensure agility and flexibility of approach

The Secretary of State will be granted new powers to update the regulatory framework, without an Act of Parliament, for example to allow for new sectors and sub-sectors to be brought within the scope of the regulations, or for new requirements for regulated entities to be introduced. The apparent intention of those extended powers being to ensure an agile approach can accommodate developments in the cyber security landscape.

New duties for data centres

Following data centres being designated as Critical National Infrastructure in 2024, the Government is now planning to move forward with extending regulatory oversight to data centres, given the potential scale of impact on wider sectors of the economy which would be caused by disruption to data centres. Key points:

The approach will be broad as all UK data centres will be included in scope of the regulatory regime, irrespective of the nature of services offered from them and their ownership, although there are some minor carve outs based on size and whether or not they are enterprise data centres

This decision is based on feedback received to the 2023 consultation. Data centre operators may want to consider whether they want to supplement or amend their responses based on changing market conditions or other variables in the past two years

Data centres will need to meet certain duties, including providing information, having in place measures to manage risk, and arrangements for reporting significant incidents.  These requirements will have a cost although not expected to be “significant” – but this will depend on the detail and, in addition, the paper notes that the scope would be adjustable over time to respond to developments.  An impact assessment will be undertaken and data centre operators may want to consider potential cost and other impacts as more detail emerges so that the Government has full visibility of the economic and growth impacts

Timing is uncertain as the measures may not be included in the Cyber Security and Resilience Bill. The Government will decide the appropriate legislative vehicle for the measures in due course. 

A comment on regulation

The policy statement begins with a bold statement of intent from the Secretary of State that the UK needs “agile, pro-innovation regulation that is designed for the digital world we live in.”  Coming on the heels of the Government’s recent action plan to ensure regulators support growth, setting out a need to overhaul the regulatory system, do the proposals to regulate via the Cyber Security and Resilience Bill square with that ambition? Areas to watch out for are:

• Do regulators have the skills, resources and information available to make good regulatory decisions? There is recognition of challenges and discussion of a fees regime, but historically regulators have struggled with significant expansion of their duties without extra resource – which is unlikely to be forthcoming in the current climate. The regulators will also need to be able to access the information they need to make decisions. For example, the proposal to impose supply chain duties on critical suppliers requires the regulators to have the knowledge and expertise to be able to utilise that power
• How does minimisation of the regulatory burden play out? The question of which entities are brought into scope and the proportionately of regulation will be key - consultation will be key. The “Statement of strategic priorities for regulators” is promised to set a framework for cyber security regulation across the twelve regulators and their sectors. This will need to be carefully scrutinised to ensure it lives up to its promise
• Are the proposals good enough to keep up with a changing landscape of cybersecurity? The Government proposes using a traditional framework of delegated powers to ensure that regulation is agile and flexible enough. There remains the risk of creeping powers extension here but also a wider issue of whether even secondary legislation is flexible enough.
• Alignment with the EU NIS 2, as much for ease of implementation and learning the lessons of those grappling with that now, as for geopolitical reasons.

We will also be monitoring the progress of the Bill once introduced into Parliament later this year and so keep an eye out for future updates.

Further reading

Look out for our upcoming article comparing the approaches taken by the UK and EU to cyber security regulation, via the Cyber Security and Resilience Bill and NIS2.

You can find our guide to NIS2 here.