
3 Ways the UK Government Plans to Tighten Cyber Security Rules with New Bill


Amid a sharp spike in ransomware attacks disrupting essential services and critical infrastructure, the U.K. government has set out the scope of its upcoming Cyber Security and Resilience Bill for the first time. It aims to patch the holes in the country’s existing cyber regulations and protect critical infrastructure from ransomware and other attack types.

“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government,” technology secretary Peter Kyle said in a press release.

On April 1, the government released the Cyber Security and Resilience Policy Statement, outlining the proposed bill and some additional measures currently under consideration. It is expected to be introduced in Parliament later this year, although no exact implementation timeline has been confirmed.

There are three main facets to the bill: expanding the regulatory scope, strengthening the powers of regulators, and allowing the government to make changes at will.

Expanding the regulatory scope

Current cyber legislation in the U.K. was inherited from the E.U. and consists of the Network and Information Systems (NIS) Regulations 2018. These regulations cover transport, energy, drinking water, health, digital infrastructure, online marketplaces, online search engines, and cloud computing services. A 2022 review found that they are wildly out of date.

While the E.U. has updated its rules, the U.K. has not, so the Cyber Security and Resilience Bill aims to bring about 1,000 additional service providers within their scope. There is a proposed amendment to include data centres, following their designation as Critical National Infrastructure in September.

Impacts of the bill may take time to be realised

William Richmond-Coggan, a dispute management partner at Freeths law firm, thinks that the impacts of the bill may not be felt as quickly as the government may hope.

He told TechRepublic in an email: “Even if every organisation that the new rules are directed to has the budget, technical capabilities and leadership bandwidth to invest in updating their infrastructure to meet the current and future wave of cyber threats, it is likely to be a time-consuming and costly process bringing all of their systems into line. And with an ever-evolving cyber threat profile, those twin investments of time and budget need to be incorporated as rolling commitments – achieving a cyber-secure posture is not a ‘one and done’.

“Of at least equal importance is the much needed work of getting individuals employed in these nationally important organisations to understand that cyber security is only as strong as its weakest link, and that everyone has a role to play in keeping such organisations safe.

“An emphasis on top-down regulating change risks diluting or distracting from this message, at a point where constant vigilance is required at every level to guard against the burgeoning threats posed by increasingly sophisticated cyber-criminals, and ever more aggressive nation-state actors.”

Strengthened regulatory powers

The Cyber Security and Resilience Bill will grant regulators more powers to ensure adequate security measures are in place. They would be given more tools, such as the ability to set and recover fees for regulatory activities and the authority to issue codes of practice and sector-specific guidelines. The Information Commissioner’s Office will gain new capabilities too, such as the power to issue more information notices, allowing it to proactively investigate potential vulnerabilities.

Increased mandatory reporting

The new bill will introduce compulsory reporting of a broader range of cyber incidents, including ransomware attacks, to regulators. It is hoped this will ultimately improve government threat intelligence and response strategies.

Rather than only incidents that interrupt service continuity, reportable incidents will include those that could significantly affect the provision of essential services or compromise the confidentiality, integrity, or availability of systems. For example, businesses will need to report if the confidentiality of their data is compromised or if they fall victim to a spyware attack that affects their client companies.

The bill will require companies to notify their regulator and the National Cyber Security Centre (NCSC) of a significant incident within 24 hours of its discovery, and to provide an incident report within 72 hours. Data centres and firms that provide digital services must also notify affected customers.

Government can make ad hoc changes to the bill

The Technology Secretary will be able to update the regulatory framework whenever deemed necessary for national security, such as by expanding its scope to cover new sectors. A proposed amendment would also give the government the power to issue security directions to in-scope organisations and regulators during an active cyber threat or incident. This could include orders to patch systems within a set timeframe.

When it comes to enforcement, the policy statement says the government will “consider the precedents set by the Telecommunications (Security) Act 2021”. That legislation allows the government to impose daily penalties of up to £100,000 or 10% of the company’s turnover until compliance is achieved.

U.K. is a hotbed for cyber crime

The U.K. has experienced a surge in high-profile hacking events over the past year, including ransomware incidents targeting the British Library, the supermarkets Sainsbury’s and Morrisons, and the pathology company Synnovis, which disrupted NHS operations. The NCSC handled 430 incidents in 2024 compared to 371 in 2023, and 89 of them were “nationally significant” ransomware incidents threatening essential services or the wider economy.

In December, the head of the NCSC warned that the country’s cyber risks are “widely underestimated” and that “the defence and resilience of critical infrastructure, supply chains, the public sector and our wider economy must improve” to protect against these nation-state threats.

In January, the U.K. government announced it was considering banning ransomware payments by public sector bodies and critical industries to make them “unattractive targets for criminals,” reducing the frequency and impact of incidents in the country. Experts say that the critical infrastructure and healthcare sectors should be exempt from such bans, as withholding the ransom and the resulting downtime could lead to fatalities.
