Navigating the Cyber Security and Resilience Bill: What It Could Mean for Your Business

July 18, 2024

The UK’s cyber security landscape is set for a significant transformation with the introduction of the Cyber Security and Resilience Bill, announced in the King’s Speech on Wednesday 17th July.

This new legislation aims to strengthen the nation’s defences against the ever-evolving digital threat landscape. Here we take an initial look at the key changes and what they might mean for businesses and essential service providers.

Expanding the Scope of NIS2 Regulations

The Network and Information Systems (NIS) regulations, initially enacted in 2018, have been pivotal in enhancing the cyber security of critical service providers like energy, transport, healthcare, and digital infrastructure.

The updated legislation, known as NIS2 (an EU directive), expands the regulatory framework to include additional sectors and organisations, such as Managed Service Providers (MSPs), who offer essential IT services like cyber security monitoring.

Following the UK’s exit from the EU, we believe the new Cyber Security and Resilience Bill will draw upon the principles of NIS2 and expand these regulations for the UK’s specific needs. This expansion recognises MSPs (like us here at CyberOne) as critical to maintaining the integrity of the digital supply chain, reflecting a more comprehensive approach to cyber resilience.

Enhanced Cyber Incident Reporting

One of the notable updates within the initial details shared is the requirement for more rigorous cyber incident reporting. Under the new regulations, essential and digital service providers must report a wider range of incidents that could disrupt services or pose a high risk, even if no immediate disruption occurs.

This change aims to improve transparency and enable quicker responses to potential threats, thus enhancing overall cyber resilience. Additionally, the government will mandate further incident reporting, including for ransomware, to better understand the cybercrime landscape in the UK.

Future-Proofing the Legislation

The bill grants the government the power to amend the NIS regulations as needed to address emerging threats and to bring new sectors or organisations critical to the UK’s economy into scope. This ensures the regulations can evolve in response to the dynamic nature of cyber threats and maintain robust protection for critical services. The government will also be able to draw on the experience of the ICO and NCSC in breach notification management and incident investigation to give practical advice on these issues.

Cost Recovery and Regulatory Efficiency

To reduce the financial burden on taxpayers, the updated NIS regulations will allow regulators to establish a cost recovery system for enforcing these rules. This means that the costs associated with regulatory compliance will be transferred from the public sector to the organisations covered by the legislation, encouraging more efficient and effective implementation of security measures.

Emphasising Supply Chain Security

Recognising the vulnerabilities in the digital supply chain, the bill emphasises the need for organisations to assess and mitigate risks posed by their immediate and extended suppliers. This approach aims to close gaps that could be exploited by cyber criminals and hostile states, ensuring a more secure and resilient infrastructure across sectors.

The bill will expand the remit of regulators to cover supply chains and address the growing prevalence of supply-side attacks, where malicious actors enter networks via third-party suppliers. It also promises to create a stronger regulatory environment to ensure cyber safety measures are being introduced accordingly.

This announcement arrives in the wake of a devastating Russian cyber-attack on Synnovis, a private company that provides pathology services to the NHS. Following the attack, some patients have been informed they may have to wait up to six months for blood tests. This highlights the urgent need for enhanced cyber resilience measures to protect critical services.

Dominic List, CEO and Founder of CyberOne, emphasises:

“At CyberOne, we recognise that resilience in the face of cyber threats goes beyond mere compliance; it’s about establishing a secure foundation for businesses to thrive amidst evolving digital threats.

The introduction of the upcoming Cyber Security and Resilience Bill will mark a significant milestone and we want to ensure we provide businesses with the tools and knowledge needed to make any necessary changes with confidence.

We’re committed to securing the present, but it’s crucial that building cyber resilience is seen as an integral part of an organisation’s strategy for future innovation and success. At CyberOne, we are dedicated to ensuring our clients not only meet the standards set by the new bill when finalised, but go further and exceed them.”

What Does This Mean for Businesses?

For businesses, especially those providing critical services, the new Cyber Security and Resilience Bill underscores the importance of robust cyber security practices. Organisations will need to:

  1. Strengthen Cyber Security Measures: Ensure compliance with enhanced security standards and be prepared for more stringent incident reporting requirements.
  2. Assess Supply Chain Risks: Conduct thorough risk assessments of their supply chains and implement measures to mitigate identified vulnerabilities.
  3. Prepare for Regulatory Changes: Stay informed about potential updates to the NIS regulations and be ready to adapt to new requirements as they are introduced.
  4. Invest in Cyber Resilience: Consider the long-term benefits of investing in cyber resilience, not just for compliance, but to safeguard operations against future threats.

By proactively addressing these aspects, businesses can not only comply with the new legislation, but also enhance their overall security posture, contributing to a more resilient digital economy.

For more detailed information on the proposed legislation and its implications, you can review the full consultation documents on the UK Government’s website (GOV.UK – The King’s Speech 2024).