Cyber Security and Resilience Bill Boosts ICO Powers, Protects Services and Improves Legacy Frameworks

Details of the contents of the Bill announced, as improvements for ICO and regulators stand out.

In a statement released today by the Department for Science, Innovation and Technology, the Cyber Security and Resilience Bill will address “specific cybersecurity challenges faced by the UK while aligning, where appropriate, with the approach taken in the EU NIS 2 directive.”

Announced today, this will see a strategic approach taken, to ensure flexibility and response to cyber threats “in a proportionate way that balances the impact on business.”

New Announcements

With an initial announcement made as part of last year’s King’s Speech, today’s update states that the Bill will bring more entities into scope of the regulatory framework and better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains.

Also, regulators' powers will be enhanced to ensure essential cyber safety measures are being implemented. Finally, the Bill will ensure that the regulatory framework can keep pace with the ever-changing cyber landscape.

Entities Under Scope

Under the first section - bringing more entities into scope of the regulatory framework - it has been announced that the NIS Regulations 2018 will be updated to bring more firms into scope, and also better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains.

This will also include offering better defences for essential service providers, and managed service providers will be subject to the same duties as those placed on ‘digital service providers’ under the 2018 Regulations. These companies will be regulated by the Information Commissioner’s Office, which will act as the regulator and have authority to regulate MSPs through information gathering, investigation and enforcement powers.

The Bill will also enable the government to set stronger supply chain duties for operators of essential services and relevant digital service providers, including introducing a power for regulators to identify and designate specific high-impact suppliers as ‘designated critical suppliers’.

“By embedding supply chain security requirements directly into our regulatory framework, we aim to enhance national cyber resilience and reduce the threat of significant disruptions to critical services if a regulated entity is impacted by an attack on their supply chain,” the statement read.

“This new regime will create strong incentives for both regulators and regulated entities to ensure effective oversight of supply chain risk.”

Essential and Enhanced

The second section will boost the responsibilities of regulators to “ensure essential cyber safety measures are being implemented” and commit to enhanced incident reporting to improve understanding of the threats.

The Bill will update and enhance the current incident reporting requirements for regulated entities by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting, and enhancing transparency requirements for digital services and data centres.

The intention here is to support the ICO in its ability to proactively identify cyber risks, and take appropriate steps to prevent imminent attacks. Saying the ICO’s previous reactive approach “is no longer deemed sufficient relative to the risks posed,” the primary intent of this measure is to enhance the ICO’s capability to identify and mitigate cyber risks before they materialise.

The third section will see the Secretary of State seek powers to update the regulatory framework without requiring an Act of Parliament, subject to certain safeguards. This will ensure that cyber legislation remains relevant and effective by providing a mechanism for timely updates, and enhance the UK’s regulatory framework, particularly in sectors critical to national security and economic stability.

Extra Steps

There are also additional measures under consideration to: bring data centres into scope of the regulatory framework; to publish a statement of strategic priorities for regulators; and create new executive powers for government to enable swift and decisive action in response to cyber threats, ensuring rapid and effective protection.

“It is clear that this is the right time to update the UK’s legacy frameworks, address gaps in the current regulation, and ensure that all relevant entities are brought within scope of the rules,” the statement concluded. “Through these measures, we will make sure that our critical infrastructure and services remain protected – for people across the UK to rely on.”

Commenting, Lee Driver, vice president of managed security services at Ekco, said that while this is the first time service providers are being formally brought into the scope of regulation, it reflects a direction of travel that’s been clear for some time. “This proposal simply formalises what many providers already acknowledge: that they play a critical role in the UK’s cybersecurity posture and must be held to consistently high standards,” he said.

“We’ve long advocated for more structured accountability across the digital supply chain and infrastructure and are ready to align with what’s required. As more organisations modernise and replatform their infrastructure, we hope to see clear, collaborative guidance in the coming months from the government that recognises the frontline roles providers play in defending the UK’s digital infrastructure.”

Tony Hasek, CEO and co-founder of Goldilock, said that if the government wants growth in line with its wider Plan for Change Policy, it needs to promote real change in how we protect critical, IT-driven services across both the private and public sectors through its regulation.

He said: “It’s great that we’re widening the pool of organisations subject to cyber regulation to include data centres and larger IT providers and giving the government more flexibility to update regulation as threats evolve.

“However, we are only going to keep pace with cyber adversaries if we make sure organisations of all kinds – but especially those governing critical services such as healthcare and energy – are doing everything they can to make it as challenging as possible to breach networks.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.