UK Proposes Laws To Strengthen Cyber Defenses for Public Services
Having released a policy statement in April detailing the Cyber Security and Resilience (Network and Information Systems) Bill’s intent to strengthen cyber defenses, the United Kingdom’s government officially introduced the bill to Parliament on Wednesday and released more information in accompanying policy papers.
The overall goal is to update the United Kingdom’s existing cybersecurity legislation, the Network and Information Systems Regulations 2018, to better protect essential public services, like health care, drinking water providers, transport, energy and digital infrastructure, from cyber attacks.
“We all know the disruption daily cyber attacks cause. Our new laws will make the U.K. more secure against those threats,” said Science, Innovation, and Technology Secretary Liz Kendall. “It will mean fewer canceled NHS [National Health Service] appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
According to the policy paper, more than 40% of U.K. businesses experienced cyber attacks last year, and these attacks are estimated to cost 14.7 billion euros, which is approximately $17 billion, per year. The bill’s impact analysis estimates the cost of implementing the new legislation to be less than 150 million euros per year.
The current legislation helps secure services like the National Health Service, transport system and energy network, but malicious cyber actors have found ways to infiltrate managed service providers, data centers and critical parts of supply chains. The bill aims to bring these core services into scope.
Twelve regulators across different technology sectors are responsible for implementing the laws. The new bill aims to increase and expedite reports of harmful cyber incidents to the regulators, requiring initial notification within 24 hours, a fuller report within 72 hours and communication to clients about the incident. The criteria for considering a cyber incident serious will be expanded.
Additionally, regulators will have the power to designate critical suppliers to the United Kingdom’s essential services, such as providers of health care diagnostics or chemicals to a water firm, to reduce gaps in supply chains.
The Secretary of State will have the power to set priority outcomes for regulators, and important cybersecurity information and data will be shared between the regulators, U.K. intelligence agencies and law enforcement, ensuring that all entities are aware of current cyber threats and are prepared to respond.
To better enforce the new cybersecurity standards, the bill proposes an increased standard maximum penalty for not complying with regulations or failing to report incidents at 10 million euros, which is more than $11.5 million.
“The bill will help tackle rising supply chain risks and strengthen incident reporting,” said Karen Fryatt, U.K. market head at NCC Group, a cybersecurity consulting firm. “However, it must not be seen as a silver bullet. There are still important questions around incentivizing secure technology development, uplifting SME [subject matter expert] cyber resilience and modernizing the U.K.’s cyber crime laws.”
According to the policy paper, more details will be released in secondary legislation, and implementation proposals for the bill are expected to be considered in 2026. The bill started in the House of Commons and is in its second reading.
John Carberry, chief marketing officer at Xcape Inc., noted the robust oversight and enforceable standards proposed in the Cyber Security and Resilience (Network and Information Systems) Bill.
“Resilience is turning into a controlled result: either demonstrate your ability to fend off an attack or pay for the privilege of failing,” Carberry said.