[co-author: Josh Turner]
Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill“) and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 directive. Currently, cyber regulation in the UK is heavily reliant on the 2018 transposition of the NIS1 Directive (in the form of the NIS Regulations 2018), with a far narrower scope applying to critical infrastructure and Digital Service Providers only. Now, given the substantial progress in NIS2 implementation across Europe (with Finland being the latest to fully implement as at the date of this article), the appetite for UK cyber security reform continues to grow.
In a recent update from the Secretary of State for the Department for Science, Innovation and Technology (found here, Cyber security and resilience policy statement – GOV.UK), the UK Government has started to address some of this anticipation, dropping clues as to how the CS&R Bill will look when compared to its European cousin. So, what have we learnt about the Bill and its alignment with NIS2?
Expanded scope
In addition to the current in-scope sectors (energy, transport, health, drinking water supply and distribution, and digital infrastructure, as well as some digital services such as online marketplaces, search engines and cloud computing), the policy statement confirms the intention to bring Managed Service Providers (“MSPs“) within the remit of cyber security regulation, subjecting them to the same duties as ‘relevant digital service providers’ under the current NIS regulations. MSPs (also regulated by NIS2) are B2B services that provide IT systems, infrastructure and network support.
The Government also demonstrated its commitment to bolster supply chain security for operators of essential services (“OES“) and relevant digital service providers (“RDSPs“) that meet certain thresholds. Secondary legislation is intended to be used as a vehicle for imposing stricter duties on contractual requirements, security checks and continuity plans in an effort to target underlying cyber vulnerabilities in supply chains echoing, if not exceeding the requirements of NIS2 to ensure cybersecurity controls extend to the supply chains of in-scope entities. Additionally, regulators will have the power to identify suppliers of critical services (including SMEs) whose disruption could cause significant impacts on the essential/digital service being supplied. These will be classed as “designated critical suppliers” (“DCS“), bringing them within scope of core security requirements and reporting obligations.
While expansion of the UK’s cybersecurity regime to include MSPs and critical supply chains will bring us one step closer to the reforms sweeping EU nations, it is unclear whether the UK will follow Europe in expanding the scope of cyber regulation to include sectors such as public administration entities, space, manufacturing, food production and postal and courier services (to name but a few).
Regulatory reinforcement
Perhaps amongst the measures most easily associable with the CS&R Bill’s European counterpart will be the updated incident reporting criteria. Incidents that are “capable of having a significant impact on the provision of essential or digital services and that significantly affect the confidentiality, availability, and integrity of a system” will need to be reported. This closely follows the requirements found in Art 23 of NIS2, as does the requirement that entities such as data centres and those providing digital services will be obligated to report incidents directly to customers in certain instances.
Equally alike in their resemblance to NIS2 are the reporting deadlines, with the relevant regulator and National Cyber Security Centre (“NCSC“) to be notified of significant incidents within 24 hours, and further incident reports to be provided within 72 hours. As the policy statement makes clear, “in practice [the Government] intends this procedure to be similar to, and no more onerous, than the… NIS2 directive“.
To provide some steer to regulators in their additional duties, the Government aims to issue a code of practice setting out guidance on minimum regulatory requirements which will put the existing NCSC Cyber Assessment Framework (CAF) profiles on a firmer footing and extend their scope to include OES. Particular focus is also given to the UK Information Commissioner (“ICO“) as a national guardian of cyber security, with a raft of seemingly familiar powers relating to registration and notice requirements, information sharing and enforcement, being introduced to support risk identification and mitigation. This all comes with a boost in financial means, as regulators will be able to set fees regimes and recover costs through various measures in order to contribute to financing their increase in regulatory work.
Measures to keep on your radar
Despite not confirming their inclusion in the CS&R Bill, the Government flagged upcoming measures to keep an eye on. Most notable would be the classification of data centres as an essential service, bringing them within scope of the regulatory framework and aligning with NIS2’s approach. This has been contemplated since their designation as Critical National Infrastructure in September 2024 and would aim to strengthen the level of consistency and protection across the sector.
Other contemplated measures include bolstered powers for the Secretary of State, allowing a Statement of Strategic Priorities to be issued as well as powers of direction relating to entities and regulators. Collectively, these would allow the Government to require certain actions be taken to address significant incidents and threats to national security.
Conclusion
In summary, it is clear that the Government’s planned amendments to the current NIS Regulations will make clear and decisive steps to bridge UK cyber laws and the new European NIS2 regime. However, the CS&R Bill does not appear to be following NIS2 in expanding the reach of its reforms to a raft of new industries. While Managed Service Providers are the biggest industry to whom new UK laws will apply, it is likely that many of the industries new to the NIS2 regime – for example food producers and chemicals manufacturers – will remain beyond the UK’s cyber reforms. Only time will tell whether that remains the case when the fully-formed Bill hits the statute books, the timing of which is still unclear.
From the little we do know however, it is evident that the burden and application of cyber regulation together with accompanying cyber certifications and industry standards will only increase, making it more critical than ever that businesses operating in both the UK and beyond continue to focus on enhancing their cyber controls, underpinned by robust cybersecurity governance and equally robust controls on supply chains. Only then can businesses be ready for the inevitable swathe of new cyber regulation hitting UK shores, as well as the very real cyber threat it is all aimed at combatting.
[View source.]
