UK Cyber Security Bill introduced to Parliament

November 2025

“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life.

I’m sending them a clear message: the UK is no easy target.”

Liz Kendall, Science, Innovation and Technology Secretary

New legislation has been introduced to Parliament which aims to strengthen the UK’s defences against cyber-attacks. The Cyber Security and Resilience (Network and Information Systems) Bill will reform and expand the scope of the existing Network and Information Systems (NIS) Regulations 2018.

This Bill specifically targets the organisations whose security will have the most impact on improving the nation’s cyber resilience. It follows repeated warnings about the significant cyber-threat facing all organisations, along with new research published by the Government which estimates that cyber-attacks cost the UK economy nearly £15 billion a year.

The Government says this new legislation is designed to bolster UK protections across essential public services such as healthcare, transport and energy against the threat of cyber criminals and state-backed actors.

Expanded scope

A range of companies which provide services critical to the UK’s national infrastructure will be regulated for the first time. It’s recognised that while the 2018 NIS Regulations cover services like the NHS, transport system and energy network, cyber criminals have been increasingly exploiting vulnerabilities in critical parts of supply chains.

For example, medium and large companies providing data centres, IT management, IT helpdesk support, AI development, payment services, email services and so on, will have new clearly defined duties. This is likely to include, but not be limited to, enhancing baseline protections, reporting significant cyber incidents promptly and having robust plans in place to deal with the consequences.

Many hospitals, councils, retailers and others rely heavily on external companies to support and deliver their services. A case in point is the company providing software services to the NHS which was fined by the ICO earlier this year following a cyber-attack which disrupted critical services (see: ICO fines software company).

“Large load controllers” will also be brought into the scope of cyber regulations, for example, organisations which manage electrical load for smart appliances.

New regulatory powers

The Bill is expected to give new powers to regulators to designate critical suppliers to the UK’s essential services. Examples given in the Government’s announcement include companies “providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria”.

Twelve regulators, including the ICO, are responsible for implementing the NIS Regulations, and the Bill aims to build a more consistent and effective regime, with a stronger mechanism for Government to set priority outcomes for regulators and a more robust ‘toolkit’ for sharing information, recovering costs and enforcement.

Tougher penalties

The maximum financial penalty will be amended to enable potentially higher fines for serious violations of the law. Turnover-based penalties, similar to those under UK GDPR, could be introduced. The hope is that bigger penalties will push companies into complying rather than ignoring requirements.

This new Bill follows the Government’s Cyber Governance Code of Practice, which was published earlier this year and sets out the steps organisations must implement to manage digital risks and safeguard their day-to-day operations.

Implementation

The Government says it plans a ‘sequenced approach to implementation’, with some of the Bill’s reforms taking effect as soon as possible, while also giving affected businesses and regulators time to plan and prepare. Some aspects of the Bill’s proposals will require secondary legislation before taking effect.

For more detail see the Government’s Summary of the Bill.