Timeline Set for UK Cybersecurity and Resilience Reforms

Skadden, Arps, Slate, Meagher & Flom LLP
[co-author: Aleksander Aleksiev]

On 30 September 2024, the UK Department of Science, Innovation and Technology announced that the Cyber Security and Resilience Bill (Bill) will be introduced to Parliament in 2025. The Bill was first announced in the King’s Speech on 17 July 2024. Its aim is to strengthen the UK’s cybersecurity and ensure that critical infrastructure and digital services are secure and resilient. See our 8 August 2024 client alert “New UK Government Announces AI and Cybersecurity Reforms.”

What We Know So Far

The Bill will update the existing Network and Information Systems Regulations 2018 (the NIS Regulations) to:

  • Expand the scope of the NIS Regulations to cover more sectors, including digital services and supply chains.
  • Put the sectoral regulators under the NIS Regulations (such as Ofgem for energy providers) on a stronger footing, including by resourcing regulators through fees collected from regulated organizations and by giving them powers to proactively investigate potential vulnerabilities in cyber safety measures.
  • Mandate increased incident reporting, including where a company has been held to ransom, to give the government better data on cyber attacks.

What Organizations Should Consider

While limited details are available to date, organizations should follow developments on the Bill closely. In particular, the Bill will impose cybersecurity obligations on sectors that were previously unregulated, and the mooted incident reporting obligation for ransomware incidents will significantly expand the range of incidents that are reportable.

Against the backdrop of increased attacks by cyber criminals and state actors, the Bill is just one of a broader set of regulatory reforms being implemented by the UK government, including the Financial Conduct Authority’s PS21/3 Building Operational Resilience rules and the Treasury’s Critical Third Party regime for financial services.

Similar reforms are also underway in the EU, where companies are already grappling with the EU’s reformed NIS 2 Directive, along with its Digital Operational Resilience Act for financial entities. See our 11 October 2024 client alert “Navigating the New Cybersecurity Landscape: Key Implications of the EU’s NIS 2 Directive.”

Compliance programs for these types of all-encompassing regulations are often lengthy processes, so early preparation to identify in-scope systems and plan a compliance program is key.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Skadden, Arps, Slate, Meagher & Flom LLP