New UK cybersecurity bill targets data centres, MSPs & supply chains


The UK government has unveiled its upcoming Cyber Security and Resilience Bill, new legislation designed to bolster the nation's cyber defences by expanding regulatory oversight to a broader range of digital services and supply chains.

Under the sweeping proposals, certain services and suppliers will face new compliance obligations, forcing them to strengthen their cybersecurity measures, while regulators will gain enhanced powers to investigate, enforce, and respond rapidly to emerging threats.

Technology Secretary Peter Kyle said: “The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world - giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.”

What’s in the bill?

Changes to compulsory ransomware reporting

Under the terms of the Cyber Security and Resilience Bill, services deemed within the regulatory scope would be required to disclose to the relevant authorities if they have been hit by a cyber attack.

While reporting rules already exist, they are set to be strengthened: firms would have to inform not only their relevant regulator but also the National Cyber Security Centre (NCSC) no later than 24 hours after becoming aware of an incident.

Current rules state that incidents are only reportable if they result in service disruption.

Under the Cyber Security and Resilience Bill, this threshold is set to be broadened.

Cyber events that affect the confidentiality, integrity, or availability of systems, including spyware intrusions or data theft, would need to be reported even if the service remains operational.

This change aims to give the NCSC and regulators earlier visibility of threats and risks within critical sectors.

Data centres are now covered

The updated Cyber Security and Resilience Bill’s remit extends to data centres after UK facilities were recognised as Critical National Infrastructure last September.

UK data centres with 1MW capacity and above would be subject to the terms of the Cyber Security and Resilience Bill. The only exception would be for enterprise data centres, which will only be in scope if they are at or above 10MW capacity.

Data centres covered by the bill would be forced to introduce “proportionate measures” to manage cybersecurity risks as well as the compulsory reporting requirements.

In addition to incident reporting, data centres, along with companies that provide “digital services”, would be legally required to inform customers who may be affected by an incident.

The government said such a stipulation would “encourage openness and accountability among the services in scope”.

Managed service providers brought into scope

The bill also proposes new duties for managed service providers (MSPs), recognising their access to sensitive client systems and data as a significant cyber risk.

MSPs, or companies that offer outsourced IT services like infrastructure management, security monitoring, or application support, would be treated in a similar fashion to digital service providers under existing legislation, bringing them under the regulatory microscope for the first time.

Critical suppliers can be singled out

To shore up supply chain resilience, the bill gives regulators the power to designate certain vendors as “critical suppliers”.

This means that even smaller firms, if judged to be essential to the delivery of a regulated service, could be required to meet elevated cybersecurity standards and incident reporting obligations, regardless of their size.

The government said this would ensure “consistent standards across the most critical tiers of the supply chain”.

A step forward, but not far enough?

Richard Horne, the CEO of the NCSC, described the Cyber Security and Resilience Bill as a “pivotal step toward stronger, more dynamic regulation”.

“By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as the Cyber Assessment Framework, Cyber Essentials, and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges,” Horne added.

Although the government has unveiled the contents of the bill, it is not set to be introduced into Parliament until later this year.

Carla Baker, senior director for government affairs in UK&I at Palo Alto Networks, said the bill “helps the UK to not only safeguard its digital infrastructure, but also position itself as a global leader in cyber resilience”.

While the firm supports the bill, Baker said the Labour government “could go further to protect the UK by including the public sector in the scope of the legislation”.

“The government can no longer afford to sit on the sidelines and solely focus on pushing security obligations onto industry,” she said. “Recent high profile public sector cyber attacks have demonstrated exactly why the government must do more to enhance its own resilience and lead by example. The time to act is now.”
