Cyber Bill and the implications for UK business
And what data protection teams need to know
The Cyber Security and Resilience Bill (CSRB) has passed its second reading in the House of Commons and looks set to be one of the most significant legislative changes ahead for those working in data protection and information / cyber security.
The UK faces an unprecedented cyber threat. Repeated attacks continue to expose weaknesses in high-profile businesses and the national infrastructure, with supply chains increasingly seen as a soft target. The Government is hoping tougher regulation will provide the foundations for stronger security protections across essential public services such as healthcare, transport and energy against cyber criminals and state-backed actors.
The Bill aims to overhaul the nation’s cybersecurity framework, amending and expanding the Network and Information Systems Regulations 2018. More organisations are brought into the scope of regulation, such as managed service providers and data centres. This will require them to adopt robust measures to combat the elevated cyber threat along with stricter reporting obligations and tougher enforcement powers.
DPO role to become more critical
The Information Commissioner’s Office (soon to be Information Commission) will play a central regulatory role in this new legislation, gaining new powers to issue information notices and conduct inspections. As the first point of contact for the ICO, DPOs will play a central role in liaison with the regulator. As such they’ll need to be prepared to receive proactive communications and information notices.
DPOs will also need to make sure compliance with the UK GDPR and the Data Protection Act 2018 is aligned with broader cyber resilience obligations, and ensure their organisations meet new requirements – notably in relation to supply chain security.
Expanded scope
Operators of Essential Services (OES) such as energy, transport, healthcare, water and digital infrastructure are already within scope of the current NIS Regulations. But it’s recognised cyber criminals have increasingly been exploiting vulnerabilities in critical parts of supply chains. The new legislation will expand the scope to include other services considered essential. This includes:
• Data centres which host and support digital infrastructure
Operators which meet defined capacity or service thresholds will be required to maintain strong security and resilience capabilities, evidence their risk assessments, and protect the availability and integrity of the services they host.
• Large load controllers: organisations that can control the energy use of smart appliances, such as batteries and electric vehicles
Such organisations will be required to meet strengthened cyber and resilience standards, rapidly report incidents and manage risk across the systems and suppliers involved in controlling aggregated electrical loads.
• Managed service providers: organisations that provide third-party IT services to other businesses
Managed Service Providers will have duties to implement appropriate and proportionate security and resilience measures across the services provided, including systems used to manage client environments.
• Suppliers that are critical to a regulated organisation’s ability to provide its essential service
Specific suppliers will be designated as critical suppliers if their products and services are judged to be essential to maintaining national resilience. Duties for designated suppliers will be introduced via secondary legislation, with the intention of applying key security and incident reporting obligations proportionately.
Key requirements
Security measures
The core NIS security obligations will remain the same, with in-scope organisations needing to implement appropriate and proportionate technical and organisational measures to manage risks to network and information systems relied upon to deliver essential services. Secondary legislation will be used to prescribe additional security duties.
Enhanced incident reporting
For major incidents, an initial notification will be required within just 24 hours, with a full report within 72 hours. A new requirement to identify and notify adversely affected customers will be introduced.
Robust supply chain security
Supply-chain resilience is set to become a statutory obligation, with the duties placed on Designated Critical Suppliers (DCS) aligned with those of Operators of Essential Services (OES).
Tougher penalties
The maximum financial penalty will be amended to enable potentially higher fines for serious violations of the law. Turnover-based penalties similar to UK GDPR could be introduced. The hope is bigger penalties will push companies into complying rather than ignoring requirements.
This Bill follows the publication in 2024 of the Government’s Cyber Governance Code of Practice, which sets out the steps organisations must implement to manage digital risks and safeguard their day-to-day operations.
Implementation
The Government says it plans a ‘sequenced approach to implementation’, with some of the Bill’s reforms taking effect as soon as possible, while also giving affected organisations and regulators time to plan and prepare. Some aspects of the Bill’s proposals will require secondary legislation before taking effect. For more detail see the official Summary of the Bill.