Cyber Security and Resilience Bill explained

On 17 July 2024, it was announced at the State Opening of Parliament that the Labour government would introduce the Cyber Security and Resilience Bill (CS&R).[1] The proposed legislation is intended to update the existing Network and Information Systems Regulations 2018, known as UK NIS.[2] CS&R is meant to strengthen the UK's cyber defences and its resilience to hostile attacks, addressing vulnerabilities so that the infrastructure and critical services relied upon by UK companies are protected, while allowing the digital economy to deliver growth.[3]

The legislation will expand the remit of the existing regulations, put regulators on a stronger footing and increase the reporting requirements placed on businesses, to help build a better picture of cyber threats.[4] Its aim is to strengthen UK cyber defences, ensuring that the critical infrastructure and digital services which companies rely on are secure.[5] The Bill will extend and apply UK-wide.[3]

The new laws are part of the Government's pledge to strengthen UK cyber security and protect the digital economy.[6] CS&R will introduce a comprehensive regulatory framework designed to enforce stringent cyber security measures across various sectors, including mandatory compliance with established cyber security standards and practices; businesses will need to demonstrate their adherence to these standards through regular audits and reporting.[7] The legislation may also include cost recovery mechanisms to resource regulators, and powers for regulators to proactively investigate potential vulnerabilities.[8]

Key facts

The key facts from the King's Speech are:[3]

  1. Digital verification services would be established and include "digital identity products to help the public quickly and securely share key information about themselves as they use online services in their everyday life."[4]
  2. A National Underground Asset Register would be created, enabling "planners and excavators instant, standardised access to pipe and cable data around the country."[4]
  3. The Bill will enable the creation of smart data schemes, "which would allow for the secure sharing of customer data, upon their request, with authorised third-party service providers."[4]

Consequences

The Bill will introduce compulsory ransomware reporting so that the authorities can better understand the threat and "alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report."[6][9] While this information collection is likely to increase resilience to attacks, the administrative burden of reporting may add costs for businesses on top of the expense of the original cyber incident.[6]

Because modern business practices are interconnected, organisations must ensure that their partners and suppliers also adhere to the standards set by CS&R.

In the EU, the original Network and Information Security Directive (Directive (EU) 2016/1148, the NIS Directive) is being replaced by Directive (EU) 2022/2555, known as NIS 2.[10][11] NIS 2 introduces wide-reaching changes to the existing EU cyber security law for network and information systems.[10] CS&R should bring the UK NIS Regulations 2018 into a framework similar to that of the EU.[10][12]

As yet the Bill gives no information on penalties for non-compliance, or on what regulators will demand from an organisation that has experienced a cyber security incident.[13]

Reaction

Jon Ellison, NCSC Director of National Resilience, said that the proposed bill was "a landmark moment tackling the growing threat to the UK's critical systems".[14] He continued that it will be "a crucial step towards a more comprehensive regulatory regime, fit for our volatile world".[14]

Former head of the NCSC Ciaran Martin, along with other experts, welcomed the legislative proposal. On social media he wrote that the proposed legislation seemed sensible, with the mandatory reporting requirements being significant and positive steps.[15]

Matt Hull, a representative of the CyberUp Campaign, said that the organisation looks forward to the Government updating UK cyber resilience, and in particular the Computer Misuse Act 1990; any update to that Act would help cyber professionals protect the UK, safeguard the digital economy and unlock growth in the cyber security industry.[15]

Schedule

The Bill will proceed through the stages of the legislative process in each House of Parliament: first reading, second reading, committee stage, report stage, third reading, consideration by the other House, and royal assent.

  1. 17 July 2024: Bill announced in the King's Speech.[1]
  2. Pre-legislative scrutiny (current stage).
  3. First reading: the Bill will be introduced to Parliament in 2025.[16]

Notes and References

  1. Seddon, P., "Key points in King's Speech at a glance", BBC News, 15 July 2024 (accessed 30 July 2024).
  2. "King's Speech: new cyber resilience laws planned in the UK", Pinsent Masons, 17 July 2024 (accessed 5 August 2024).
  3. "The King's Speech 2024", UK Government, p. 94 (accessed 30 July 2024).
  4. Griffin, A., "Labour announces host of new tech rules – but does not reveal much-hyped 'AI bill'", The Independent, 17 July 2024 (accessed 30 July 2024).
  5. Patefield, D., Broom, J., Collings, A., Tsolova, R. and Modha, T., "Government announces new Bill to strengthen the UK's cyber security and resilience", techUK, 19 July 2024 (accessed 30 July 2024).
  6. "Cyber Security and Resilience Bill: what businesses and insurers need to know", CMS Legal, 18 July 2024 (accessed 30 July 2024).
  7. "What businesses need to know about the Cyber Security and Resilience Bill", ITN, 22 July 2024 (accessed 30 July 2024).
  8. "UK set to debut Cyber Security and Resilience Bill to boost national cyber defenses, secure critical infrastructure", Industrial Cyber, 19 July 2024 (accessed 30 July 2024).
  9. Muncaster, P., "UK Government Set to Introduce New Cyber Security and Resilience Bill", Reed Exhibitions, 18 July 2024 (accessed 5 August 2024).
  10. Belcheva, R., "New Cyber Security & Resilience Bill announced in King's Speech", The Lens, 23 July 2024 (accessed 13 August 2024).
  11. "The NIS 2 Directive", Cyber Risk, 2022 (accessed 13 August 2024).
  12. Poireault, K., "Navigating Regulation Discrepancies: EU's NIS 2 v UK's Cyber Security and Resilience Bill", RELX, 12 August 2024 (accessed 26 September 2024).
  13. Jones, C., "Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy", The Register, 30 July 2024 (accessed 4 August 2024).
  14. Say, M., "NCSC highlights importance of Cyber Security Bill", Informed Communications Ltd, 25 July 2024 (accessed 29 August 2024).
  15. Akshaya, A., "UK Labour Introduces Cyber Security and Resilience Bill", Information Security Media Group, 17 July 2024 (accessed 16 August 2024).
  16. "Cyber Security and Resilience Bill", Crown, 30 September 2024 (accessed 11 October 2024): "The Bill will be introduced to Parliament in 2025."