Cyber Security and Resilience Bill

The forthcoming Cyber Security and Resilience Bill will improve UK cyber defences and protect our essential public services.

As part of the July 2024 King’s Speech the government announced it would introduce a Cyber Security and Resilience Bill.

Why do we need this Bill?

Our digital economy is increasingly being attacked by cyber criminals and state actors, affecting essential public services and infrastructure. In the last 18 months, our hospitals, universities, local authorities, democratic institutions and government departments have been targeted in cyber attacks.

Recent cyber attacks affecting the NHS and Ministry of Defence show the impacts can be severe. Our laws have not kept pace with technological change so we need to take swift action to address vulnerabilities and protect our digital economy to deliver growth. The Bill will strengthen the UK’s cyber defences and ensure critical infrastructure and the digital services companies rely on are secure.

What does the Bill do?

The Bill will strengthen our defences and ensure that more essential digital services than ever before are protected, for example by expanding the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.

The existing UK regulations reflect law inherited from the EU and are the UK’s only cross-sector cyber security legislation. They have now been superseded in the EU and require urgent update in the UK to ensure that our infrastructure and economy are not comparably more vulnerable.

The Bill will make crucial updates to the legacy regulatory framework by:

  • expanding the remit of the regulation to protect more digital services and supply chains. These are an increasingly attractive threat vector for attackers. This Bill will fill an immediate gap in our defences and help prevent attacks like those recently experienced by critical public services in the UK, such as the ransomware attack impacting London hospitals.
  • putting regulators on a strong footing to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators, and powers to proactively investigate potential vulnerabilities.
  • mandating increased incident reporting to give government better data on cyber attacks, including where a company has been held to ransom. This will improve our understanding of the threats and alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report.

Territorial extent and application

The Bill will apply UK-wide.

When will the Bill happen?

The Bill will be introduced to Parliament in 2025.

How can I provide my views on the content of the Bill?

The government is working with key stakeholders to gather input and will issue further communications on this in due course.

Key facts

The current cyber security regulations play an essential role in safeguarding the UK’s critical national infrastructure by placing security duties on industry involved in the delivery of essential services.

The regulations cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). Twelve regulators (competent authorities) are responsible for implementing the regulations.

Hostile cyber actors are increasingly targeting our critical sectors and supply chains. Recent serious high-profile attacks impacting London hospitals and the Ministry of Defence, as well as ransom attacks on the British Library and Royal Mail, have highlighted that our services and institutions are vulnerable to attack.

The impacts of a cyber attack on these sectors pose severe risks to UK citizens, core services, and the economy at large. For example, as a result of the ransomware attack affecting the NHS in England in June, over 10,000 outpatient appointments and 1,693 elective procedures were postponed across King’s College Hospital, and Guy’s and St Thomas’ Hospital. The total cost of cyber attacks to the UK was estimated at £27 billion per annum in 2011 and this figure is likely to have increased.

The National Cyber Security Centre assesses that the threat from hostile states and state-sponsored actors continues to ramp up. In a recent speech at CyberUK, National Cyber Security Centre CEO Felicity Oswald warned that providers of essential services in the UK cannot afford to ignore these threats.

Two Post-Implementation Reviews (one in 2020 and one in 2022) found the original regulations are having a positive impact, but that progress has not been fast enough. The 2022 review found the regulations ‘are a vital framework in raising wider UK resilience against network and information systems security threats’, but updates are required to keep pace with growing threats. Just over half of operators of essential services have updated or strengthened existing policies and processes since the inception of the Regulations in 2018.

Existing cyber security regulation

Details of the current regulations and the two post-implementation reviews which assessed their impact.

Previous work on cyber security regulation

Background on the government’s previous work to assess and update cyber security regulations.

Updates to this page

Published 30 September 2024