Background
The UK government has recently announced that it plans to introduce a Cyber Security and Resilience Bill (Bill). The Bill seeks to update the 2018 Network and Information Security Regulations, which implemented the European Union (EU) NIS 1 Directive when the UK was a member of the EU.
A key driver behind the UK government’s plans is a desire to stay broadly aligned with evolving EU legislation, particularly with the significant expansion in scope of the new EU NIS 2 Directive. Once presented to Parliament, the Bill could become law by early 2026.
Rationale for the Bill
The UK’s digital economy is increasingly vulnerable to cyber threats from criminals and state actors targeting essential public services and infrastructure. Recent cyberattacks on institutions such as hospitals, universities, local authorities and democratic institutions have demonstrated the severe impacts such incidents can have. Notably, attacks on the Ministry of Defence and the NHS (for example a ransomware attack on NHS England, which led to over 10,000 outpatient appointment cancellations at King’s College Hospital and Guy’s and St Thomas’ Hospital) have exposed significant vulnerabilities.
Key Provisions of the Bill
While a draft bill has not yet been laid before Parliament for debate, the UK government has set out some detail on what it plans to include in the proposed legislation, including:
Expanding Regulatory Remit
- It is proposed that the Bill will extend coverage to additional digital services and supply chains, which are increasingly targeted by cyberattackers. Such expansion would be intended to address current gaps in cyber defences and prevent incidents like recent ransomware attacks on public services.
Strengthening Regulators’ Capabilities
- The government’s briefing note also suggests regulators will be given stronger powers to ensure essential cyber safety measures are implemented across sectors.
- This includes potential cost recovery mechanisms to fund regulatory activities, which may lead to larger fines for noncompliance, similar to the new, higher penalties under NIS 2.
- It is further suggested that regulators may also gain powers to proactively investigate potential vulnerabilities.
Increased Incident Reporting
- The Bill is expected to align with NIS 2 in expanding incident reporting requirements. Companies will likely be required to report a wider range of cyber incidents, including ransomware attacks.
- The Bill is also likely to reduce the current 72-hour reporting window established under NIS 1, again to align more closely with the approach under NIS 2.
- It is suggested that enhanced reporting requirements will aim to improve the UK government’s ability to understand evolving threats and better prepare for future attacks.
Expanded Sectoral Coverage
The UK’s existing cybersecurity regulations cover five key sectors, enforced by 12 competent authorities:
- Energy (electricity, gas and oil)
- Transport (air, rail, water and road)
- Health (healthcare providers and hospitals)
- Drinking water supply and distribution
- Digital infrastructure
This is rather limited in scope when compared with the greatly expanded remit of regulators under NIS 2, which covers around 18 sectors. As a result, the Bill is expected to expand its reach, likely starting with sectors related to critical infrastructure and B2B ICT services.