In the July 2024 King’s Speech, the UK government announced its intention to introduce a Cyber Security and Resilience Bill (the “Bill”) to improve the UK’s cyber defenses and protect essential public services. The announcement comes as companies and countries increasingly face attacks by cyber criminals and state actors, sometimes disrupting public services and infrastructure. Currently, the UK’s cyber security regulations (the NIS Regulations 2018 – “NIS 1”) reflect law inherited from the European Union and only apply to a limited number of organizations in a small number of sectors. They are therefore seen by the UK (and the EU) authorities as being inadequate for the current environment.
The briefing notes published alongside the King’s Speech indicate that the Bill is intended to address a concern shared by the EU, namely that regulation is lagging behind technological developments. The EU has already taken action and has passed the Network and Information Security 2 Directive (“NIS 2”), which is due to enter into force in Member States this week as set out in our blog post on the topic. The UK government wants to ensure that Britain does not become a target for cyber criminals because of a perceived gap in regulation.
The UK Department for Science, Innovation and Technology has indicated that the Bill will be introduced to Parliament in 2025. Although the text has not yet been released, the UK government has indicated what we can expect to see in the Bill. It will make crucial updates to the UK’s legacy framework by:
- Expanding the remit of the regulation to protect more digital services and supply chains, as the UK government noted that these are increasingly attractive targets for attack. NIS 2 effects a similar change in the EU. This means we can expect the regulations to cover more than just the “essential services” and “digital service providers” that are covered by NIS 1, and reflects the fact that secure digital services are critical to the functioning of the UK economy.
- Empowering regulators to ensure essential cyber safety measures are being implemented.
- Mandating increased incident reporting to give the government better data about cyber attacks. Expanding the type and nature of incidents that regulated entities must report, for example including reporting where a company has been held to ransom, will improve the government’s understanding of the threat landscape.
Although the Bill could increase the security and regulatory compliance obligations of companies, if it mirrors NIS 2 as expected, most global companies should not see a significant increase in their compliance requirements.