The UK Cyber Security and Resilience Bill

0
334

By Jonathan Armstrong


There are planned changes to UK cyber security law which will have an impact across the compliance community.

On 1 April 2025, the UK Government published a policy statement providing further details of the UK’s proposed new Cyber Security and Resilience Bill [i], which was first announced in the King’s Speech on 17 July 2024. [ii]

UK law already reflects the original NIS (Network and Information Security) regime which was introduced in the EU in 2016 when the UK was still part of the EU.  The new Bill will extend the scope of the UK cyber security regulatory framework and in many respects mirrors the EU’s upgrade of the NIS regime with the introduction of the NIS2 Directive [iii].

What are the key changes proposed?

Amongst the changes planned are the following:

  • Expanded scope: The scope of the cybersecurity framework will be expanded to cover managed service providers (MSPs), which will include a large number of B2B IT service providers. The government estimates that an additional 900-1100 MSPs will come within the new scope.  There are also plans to allow the Secretary of State to widen the scope of this legislation without going back to Parliament.
  • Tighter incident reporting deadlines and a new two-stage reporting structure: In-scope companies will have to make an initial report within 24 hours, and another report within 72 hours of a significant incident. Reports are to be made to the National Cyber Security Centre (NCSC) as well as the relevant regulator. In some circumstances customers will also have to be told.  The policy paper specifically referenced its similarities with NIS2’s incident reporting timelines.
  • ICO powers: the new Bill will enhance the Information Commissioner’s Office (ICO, the main data protection authority in the UK, and the regulator for digital service provider firms) powers to obtain information and serve notices. Interestingly, another Bill, the Data Use and Access Bill, plans to replace the current Information Commissioner with a more board-like Information Commission in a similar vein to Ireland’s replacement of its Data Protection Commissioner with a Data Protection Commission.
  • Critical Services Providers: Regulators will be able to designate a supplier as a designated critical supplier (DCS) “if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service it supports.” A DCS could be an SME even if it would be too small to fall under the UK’s existing NIS regime.  This might mean that some smaller businesses come within the regime for the first time.
  • New fee regimes: Regulators will be able to set up new fees and costs recovery regimes, to “reduce the need to pass regulatory costs to the taxpayer”. New powers are proposed for the ICO to enforce registration fee payments.  These powers coupled with the ability to designate even micro-businesses as a DCS could mean significant financial burdens for some organisations.

What about NIS2?

The policy statement noted that the “legislative proposals reflect the insights we have gathered from our international partners, including valuable lessons from the European Union on the implementation of its NIS2 regime.”

In our view, efforts to harmonise some aspects of the new Bill with NIS2 are to be welcomed – differing regimes with different requirements add complexity, and resources are finite.  Many providers of digital or IT services who offer services in both the UK and EU will have already started incorporating NIS2 compliance into their policies and procedures.  We know that some organisations have taken front-line resources away from cybersecurity to look at their obligations under NIS2 and additional new legislation, so a key task for the Government will be to introduce measures which add strength to cybersecurity resilience without simply adding administration.

What’s missing?

There are some topics that the policy statement did not cover, including penalties and personal liability. Personal liability has been an increasing focus of law makers, prosecutors and regulators around the world.  NIS2 allows for personal liability provisions though some EU Member States opted out.  The UK’s plans regarding personal liability for noncompliance are not yet detailed.[iv]

The question of regulators’ resources needs to be addressed, given the criticism about lack of resources at some regulators including the ICO, who admitted that it was failing to meet some KPIs in its statement on 1 April 2025[v].

What happens next?

A draft Bill is expected to be presented for parliamentary scrutiny later this year.

How could businesses prepare?

Some practical tips to consider:

  1. Monitor developments with the Bill to review the likely scope and impact on your organisation.
  2. Review processes & procedures. Most organisations now have a data breach reporting procedure for GDPR reporting deadlines. Like NIS2, the proposed reporting obligations have tighter time limits and are likely to be wider in nature.  You may also want to review any additional reporting requirements e.g.: those under DORA, or the EU AI Act.
  3. Train your people, especially the response team. Will they be ready to report if required within 24 hours?
  4. Do a cyber fire drill. In our experience, organisations which regularly rehearse cybersecurity incidents handle them more effectively.
  5. Review supplier contracts. You may need suppliers to tell you more quickly about incidents given the reporting obligations.
  6. Look at the technical and organisational measures (TOMs) you use to keep secure. As technology moves on, check that you’re still best placed to defend your organisation from current threats, including AI based threats.
  7. Make sure you have people on the board who understand the requirements of the Bill and cybersecurity risks more generally.

Jonathan Armstrong is a specialist in compliance and technology law, and Partner at Punter Southall Law in London.  See more information on Punter Southall Law’s cybersecurity practice here: Cyber Security Lawyers | London

[i] The policy statement can be seen here: Cyber Security and Resilience Bill: policy statement – GOV.UK

[ii] The Labour Government & The King’s Speech: What might this mean for compliance? – Punter Southall Law.

[iii] The EU’s NIS2 Directive | Compliance Lawyers | London).

[iv] There’s a discussion on personal liability trends in the Life with GDPR podcast here: Life With GDPR – Navigating CCO and CISO Liability Trends – Compliance Podcast Network.

[v] The ICO statement on KPI failures: Statement from the ICO on data protection complaint response times | ICO