Gov Sets Out More Details of New UK Cyber Security and Resilience Bill

The UK government has set out the scope and ambition for their new Cyber Security and Resilience Bill (CSRB), which aims to respond to increasing attacks from “cyber criminals and state actors” by toughening and expanding the existing rules for broadband, mobile, managed service providers, data centres and even their suppliers.

The move partly reflects the fact that the UK’s existing rules, some of which were only implemented last year via the tedious Product Security and Telecommunications Infrastructure Act (here), have already been superseded in the EU and thus require another update on this side of the channel to “ensure that our infrastructure and economy is not comparably more vulnerable.”

The CSRB means that more organisations and suppliers will need to meet the government’s cyber security requirements, including data centres, Managed Service Providers (MSPs) and critical suppliers (i.e. 1,000 service providers will fall into scope). This means third-party suppliers will need to boost their security in areas such as risk assessment to minimise the possible impact of cyber-attacks, while also beefing up their data protection and network security defences.

In addition, regulators will gain more tools to improve cyber security and resilience in the areas they regulate, with companies now being required to report more incidents to help build a stronger picture of cyber threats and weaknesses in the country’s online defences. The government will also gain “greater flexibility to update regulatory frameworks when needed” and may give the Technology Secretary powers to direct regulated organisations to shore up their cyber defence, such as when responding to “changing threats and technological advancement” (i.e. extending the framework to new sectors or updating security requirements).

Peter Kyle MP, Secretary of State for Science, Innovation, and Technology, said:

“Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable.

Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.

The Cyber Security and Resilience Bill, will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.”

Richard Horne, NCSC CEO, said:

“The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare.

It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.

By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as Cyber Assessment Framework, Cyber Essentials, and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges.”

In the year to September 2024, the National Cyber Security Centre (NCSC) managed 430 cyber incidents, with 89 of these being classed as nationally significant. The most recent iteration of the Cyber Security Breaches Survey also highlights how 50% of British businesses suffered a cyber breach or attack in the last 12 months, with more than 7 million incidents being reported in 2024.

However, it may be worth pointing out that any organisation, individual or business with a public online presence (e.g. websites, servers etc.) will be getting hit by robotic attacks on a more or less daily basis, which has long been par for the course with the internet. But this does make separating that from more serious attacks quite difficult in such surveys.

In principle, all of the above sounds like positive news, although we do worry about the risk of political interference creating an increasingly cumbersome burden for network security teams, which in some cases might actually risk slowing down their ability to respond or cause an excessive cost burden.

Similarly, it’s easy for the government to put all of this pressure and responsibility on network operators and businesses, which we must not forget are also the victims of cyberattacks. But as usual, there seems to be less of a focus on bolstering the police and security services, which need more resources to help them combat and pursue the perpetrators of such crimes. Likewise, it would be good if more resources were also made available to help businesses enhance their security and deal with attacks when they occur.

The Bill itself is currently due to be introduced into parliament sometime later this year.