Cyber Security and Resilience Bill – What you need to know…

Back in July 2024, the UK government announced that it would introduce a Cyber Security and Resilience Bill in the current Parliamentary session.

The UK government has since published a policy statement that sets out further details of the upcoming bill.

The Rt Hon Peter Kyle MP, Secretary of State for Science, Innovation and Technology, said:

“The digital revolution is transforming our Critical National Infrastructure and our essential public services. It offers an extraordinary opportunity – to make our people and our country better off. However, it may also bring new and dangerous vulnerabilities.

In an increasingly dangerous and unstable world, we will not hesitate to protect our people from those who seek to do us harm. For too long, successive governments have failed to properly address the growing risk posed by cyber criminals and hostile states. Last year’s cyber-attack on a supplier to NHS hospitals in London caused more than 11,000 acute outpatient appointments and elective procedures to be postponed. Some of those people will have waited months to be seen.

I will not allow this to continue. We must take decisive action to deliver effective and enduring change. That is why, within weeks of entering government, I announced plans for a Cyber Security and Resilience Bill. In this Policy Statement, I set out legislative proposals for this Bill. I also acknowledge that the cyber landscape moves exponentially – a lot can happen in a short space of time. This statement proposes several additional measures to tackle the threats that we are facing now.”

What are the main measures of the bill?

The new legislation will introduce measures designed to make the UK one of the most cyber-resilient economies in the world. Some of the key aspects of the bill include:

1. Mandatory cyber security requirements for key sectors

Over one thousand service providers will be required by law to meet minimum cyber security requirements. These include:

  • IT service providers
  • MSPs (Managed Service Providers)
  • Operators of critical infrastructure (for example, power, water and healthcare)
  • Datacentres and cloud service providers (under consideration)
  • Third-party suppliers to public services

2. Expanded Regulatory Oversight

Regulators will be given enhanced powers to:

  • Audit security practices
  • Enforce compliance
  • Require mandatory reporting of cyber incidents

3. Rapid Response Powers

  • The Technology Secretary will be able to direct regulated organisations to take immediate action during a major cyber threat. This gives the UK government the flexibility to respond to evolving threats in real time.

4. Economic Protection Measures

  • The government presents the bill as a defence against disruptions that could cripple key services and the wider economy.

Further details have not yet been published.

What are our thoughts?

We’re pleased to hear that the UK government is taking a proactive step to ensure more responsibility and accountability within the sector. We support and encourage anything that will raise awareness of cyber security and ensure that providers are providing a quality service to their customers.

Although a lot of the detail has still not been disclosed, we are pleased that, from what we’ve seen so far, D2NA is in a very good position to be fully compliant with the new bill, and we meet every minimum requirement set out so far. This is in part due to the steps we’ve been taking over the last few years to fully comply with frameworks such as ISO 9001, ISO 27001 and Cyber Essentials.