Cyber Security and Resilience Bill
On July 17th 2024, it was announced at the State Opening of Parliament that the Labour government will introduce the Cyber Security and Resilience Bill (CS&R).[1] The proposed legislation is intended to update the existing Network and Information Security Regulations 2018, known as UK NIS.[2] CS&R will strengthen the UK's cyber defences and resilience to hostile attacks thus ensuring that the infrastructure and critical services relied upon by UK companies are protected by addressing vulnerabilities, while ensuring the digital economy can deliver growth.[3]
The legislation will expand the remit of the existing regulations and put regulators on a stronger footing, as well as increasing the reporting requirements placed on businesses to help build a better picture of cyber threats.[4] Its aim is to strengthen UK cyber defences, ensuring that the critical infrastructure and digital services which companies rely on are secure.[5] The Bill will extend and apply UK-wide.[3]
The new laws are part of the Government's pledge to enhance and strengthen UK cyber security measures and protect the digital economy.[6] CS&R will introduce a comprehensive regulatory framework designed to enforce stringent cyber security measures across various sectors. This framework will include mandatory compliance with established cyber security standards and practices to ensure essential cyber safety measures are being implemented. Ultimately, businesses will need to demonstrate their adherence to these standards through regular audits and reporting.[7] Also included in the legislation are potential cost recovery mechanisms to provide resources to regulators and provide powers to proactively investigate potential vulnerabilities.[8]
Key facts
[edit]The key facts from the King's Speech are:[3]
i) The current UK NIS cyber security regulations play an essential role in safeguarding the UK’s critical national infrastructure by placing security duties on industry involved in the delivery of essential services.[9] These regulations cover the five sectors of transport, energy, drinking water, health and digital infrastructure, as well as some digital services including online marketplaces, online search engines, and cloud computing services. 12 regulators are responsible for implementing the present regulations.
ii) Hostile cyber actors are increasingly targeting UK critical sectors and supply chains. Recent serious high-profile attacks impacting London hospitals and the Ministry of Defence, as well as ransomware attacks on the British Library and Royal Mail, have highlighted that UK services and institutions are vulnerable to attack.
iii) The impacts of a cyber attack on these sectors pose severe risks to UK citizens, core services and the economy at large. For example, as a result of the ransomware attack affecting the NHS in England in June [2024], 3,396 outpatient appointments and 1,255 elective procedures were postponed across King's College Hospital, Guy’s Hospital and St Thomas’ Hospital, all in South London. It has been estimated that the cost of cybercrime in the UK in 2023 was $320 billion, near £225 billion.[10]
iv) The National Cyber Security Centre (NCSC) assess that the increased threat from hostile states and state-sponsored actors continues to escalate. At a recent speech at CyberUK, NCSC CEO Felicity Oswald warned that providers of essential services in the UK cannot afford to ignore these threats.[11]
v) 2 UK NIS Post-Implementation Reviews found that the original regulations are having a positive impact, but that progress has not been fast enough.[12][13] In 2022 the review found that they "are a vital framework in raising wider UK resilience against network and information systems security threats", but updates are required to keep pace with growing threats. Just over half of the operators of essential services have updated or strengthened existing policies and processes since the inception of the UK NIS Regulations in 2018, which were introduced after EU NIS Directive 2016/1148.[2][14]
Consequences
[edit]Digital verification services would be established and include "digital identity products to help the public quickly and securely share key information about themselves as they use online services in their everyday life."[4]
A National Underground Asset Register would be created enabling "planners and excavators instant, standardised access to pipe and cable data around the country."[4]
The Bill will enable the creation of smart data schemes, "which would allow for the secure sharing of customer data, upon their request, with authorised third-party service providers."[4]
It will introduce compulsory ransomware reporting so that the authorities can better understand the threat and "alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report."[6][15] While this information collection is likely to increase resilience to attacks, the administrative burden for businesses from this reporting might well bring with it additional costs as well as the original cyber incident's expense.[6]
As modern business practices are interconnected, organisations must ensure that their partners and suppliers also adhere to the standards set by the CS&R.[6]
In the EU, the original Network and Information Security Directive (NIS Directive 2016/1148) is being updated to Directive 2022/2555, known as EU NIS 2.[16][17] EU NIS 2 introduces wide-reaching changes to the existing EU cyber security laws for network and information systems.[16] The CS&R should bring the existing UK NIS regulations 2018 to a framework similar to that of the EU.[16][18]
The Bill as yet has no information on any punishments for non-compliance or what the data regulators' demands from an organisation that has experienced a cyber security incident will be.[19]
Reaction
[edit]Jon Ellison, NCSC Director of National Resilience, said that the proposed bill was "a landmark moment tackling the growing threat to the UK's critical systems".[20] He continued that it will be "a crucial step towards a more comprehensive regulatory regime, fit for our volatile world".[20]
Former head of the NCSC Ciaran Martin along with other experts welcomed the legislative proposal. On social media, he wrote that the proposed legislation seemed sensible, with mandatory reporting requirements being significant and positive steps.[21]
A representative of the CyberUp Campaign Matt Hull said that the organisation is looking forward to the Government updating UK cyber resilience and in particular the Computer Misuse Act 1990. Any updates to this Act would help cyber professionals protect the U.K., safeguard the digital economy and unlock the potential growth within the cybersecurity industry.[21]
Schedule
[edit]The Bill will proceed through seven stages of the legislative process which happens in both houses of the UK parliament: first reading, second reading, committee stage, report stage, third reading, opposite house and royal assent.
- July 17th Bill announced.[1]
- Stage: Pre-legislative Scrutiny (current).
- Stage: First reading - The Bill will be introduced to Parliament in 2025.[22]
See also
[edit]- Cyber Resilience Act - EU regulation to improve cybersecurity and cyber resilience.
- GDPR - The General Data Protection Regulation.
- Malware - Examples include Computer viruses, spyware and adware.
References
[edit]- ^ a b Seddon, P. (15 July 2024). "Key points in King's Speech at a glance". BBC News. Retrieved 30 July 2024.
- ^ a b "King's Speech: new cyber resilience laws planned in the UK". Pinsent Masons. 17 July 2024. Retrieved 5 August 2024.
- ^ a b c "The King's Speech 2024" (PDF). UK GOV. p. 94. Retrieved 30 July 2024.
- ^ a b c d Griffin, A. (17 July 2024). "Labour announces host of new tech rules – but does not reveal much-hyped 'AI bill'". Independent. Retrieved 30 July 2024.
- ^ Patefield, D.; Broom, J.; Collings, A.; Tsolova, R.; Modha, T. (19 July 2024). "Government announces new Bill to strengthen the UK's cyber security and resilience". techUK. Retrieved 30 July 2024.
- ^ a b c d "Cyber Security and Resilience Bill: what businesses and insurers need to know". CMS Legal. 18 July 2024. Retrieved 30 July 2024.
- ^ "What businesses need to know about the Cyber Security and Resilience Bill". ITN. 22 July 2024. Retrieved 30 July 2024.
- ^ "UK set to debut Cyber Security and Resilience Bill to boost national cyber defenses, secure critical infrastructure". Industrial Cyber. 19 July 2024. Retrieved 30 July 2024.
- ^ "The Network and Information Systems Regulations 2018". Crown. 10 May 2024. Retrieved 4 August 2024.
- ^ "Annual cost of cybercrime in the UK 2017-2028". Ani Petrosyan. 1 December 2023. Retrieved 7 August 2024.
- ^ "CYBERUK 2024: Felicity Oswald keynote speech". National Cyber Security Centre. May 2024. Retrieved 15 August 2024.
- ^ "Review of the Network and Information Systems Regulations". Crown. 29 May 2020. Retrieved 2 November 2024.
- ^ "Second Post-Implementation Review of the Network and Information Systems Regulations 2018". Crown. 27 July 2022. Retrieved 15 August 2024.
- ^ "Directive (EU) 2016/1148 of the European Parliament and of the Council". Crown. 6 July 2016. Retrieved 22 August 2024.
- ^ Muncaster, P. (18 July 2024). "UK Government Set to Introduce New Cyber Security and Resilience Bill". Reed Exhibitions. Retrieved 5 August 2024.
- ^ a b c Belcheva, R. (23 July 2024). "New Cyber Security & Resilience Bill announced in King's Speech". The Lens. Retrieved 13 August 2024.
- ^ "The NIS 2 Directive". Cyber Risk. 2022. Retrieved 13 August 2024.
- ^ Poireault, K. (12 August 2024). "Navigating Regulation Discrepancies: EU's NIS 2 v UK's Cyber Security and Resilience Bill". RELX. Retrieved 26 September 2024.
- ^ Jones, C. (30 July 2024). "Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy". The Register. Retrieved 4 August 2024.
- ^ a b Say, M. (25 July 2024). "NCSC highlights importance of Cyber Security Bill". Informed Communications Ltd. Retrieved 29 August 2024.
- ^ a b Akshaya, A. (17 July 2024). "UK Labour Introduces Cyber Security and Resilience Bill". Information Security Media Group. Retrieved 16 August 2024.
- ^ "Cyber Security and Resilience Bill". Crown. 30 September 2024. Retrieved 11 October 2024.
The Bill will be introduced to Parliament in 2025