UK Details New Cybersecurity Legislation To Promote Economic Growth
Following several instances of cyber attacks, the United Kingdom is moving forward with more robust cybersecurity legislation to protect its critical national infrastructure.
After announcing in July 2024 that it would introduce the Cyber Security and Resilience Bill to strengthen the nation’s cyber defenses, the United Kingdom’s government released a policy statement on April 1 to further detail the intent of the bill.
“At the core of our proposals is this government’s number one mission: economic growth. Growth is the only route to creating new jobs and putting more money in working people’s pockets. But there is no growth without stability. By securing the digital infrastructure upon which a growing number of our businesses depend, we can deliver the stability they need to innovate and invest,” said Peter Kyle, U.K. secretary of state for the department for science, innovation and technology.
According to the policy statement, more than half of U.K. businesses have reported a cybersecurity breach or attack within the last year, and a ransomware attack on the National Health Service (NHS) caused the postponement of more than 11,000 outpatient appointments and procedures. The legislative plan will increase the nation’s cyber defenses to encourage innovation and investment, ultimately spurring more economic growth.
Siân John, chief technology officer of cybersecurity consulting firm NCC Group, responded to the policy statement, calling it a “significant step forward for the United Kingdom’s cyber resilience.”
“Notably, the Cyber Security and Resilience Bill will extend network and information systems regulations to new sectors of the economy such as data centers, managed service providers and critical suppliers to bolster cybersecurity for critical national infrastructure,” John said. “NCC Group welcomes the strengthening of U.K. cyber laws. For U.K. growth to be sustainable, growth must go hand in hand with increased cyber resilience.”
As of now, the Network and Information Systems Regulations 2018, which place security duties on essential services operators, are the only pieces of cyber legislation in the United Kingdom.
“Network and Information Systems regulations introduce minimum cyber security requirements for critical national infrastructure in the U.K. These regulations help organizations identify and assess their security risks, remediate and manage vulnerabilities, and improve their overall resilience,” John stated. “Additionally, the regulations promote public-private partnerships and collaboration with law enforcement, the public sector, academia and private firms to enhance cyber resilience.”
The new policy statement outlines three key measures and three additional measures necessary to enable swift and effective government decisions in the face of imminent cyber threats to national security.
The Cyber Security and Resilience Bill measures include bringing more managed service providers into scope of the regulatory framework and strengthening supply chain security by designating critical suppliers; empowering regulators and enhancing oversight via technical security requirements, more thorough incident reporting and improved regulators’ cost recovery mechanisms; and ensuring a flexible regulatory framework that can keep pace with the ever-changing cyber landscape by delegating the power to update the regulatory framework to the secretary of state, without requiring an act of Parliament.
Additionally, the government is considering bringing data centers into the scope of the regulatory framework, publishing a statement of strategic priorities for regulators and allowing the secretary of state to direct a regulated entity to take action if necessary to maintain national security.
“Our proposals will ensure that critical infrastructure is protected from hostile actors—securing essential services, such as the NHS and energy providers. Improved standards and regulation will also foster the secure networks and systems that are essential for business growth and innovation,” the policy statement reads.
According to the U.K. government, the Cyber Security and Resilience Bill will be introduced to Parliament later this year.