Is the ICO Ready for the Resilience Bill's Requirements?

Will changes and increased responsibility placed on the ICO in the Cyber Security and Resilience Bill be manageable? 

This week saw the announcement of the planned measures and regulatory changes that will form the Cyber Security and Resilience Bill.

The major inclusions will place greater responsibility on the Information Commissioner’s Office (ICO), expanding its scope to include more sectors—most notably managed service providers (MSPs)—bringing the UK government into compliance with NIS2. Also announced are new requirements to manage enhanced incident reporting requirements, establish new fee regimes, and, perhaps most significantly, strengthen the ICO’s information-gathering powers.

Increased Oversight and Responsibilities

Section 2 of the proposal leans most heavily on the ICO, as it focuses on "empowering regulators and enhancing oversight." A closer look at Section 2.3 reveals that the ICO will be supported in proactively identifying cyber risks and taking steps to prevent imminent attacks.

A section titled "Improving the Information Commissioner’s Office’s information-gathering powers" states that the ICO’s previous reactive approach is no longer deemed sufficient, particularly in light of the increasing threat posed by vulnerabilities in digital services, which are supplied at scale and across multiple sectors.

This will enhance the ICO’s ability to identify and mitigate cyber risks before they materialise by ensuring it has access to more information on critical firms providing digital services.

The changes will include:

  • An expanded duty for digital service providers to share information with the ICO upon registration.

  • Expanded criteria allowing the ICO to issue information notices to digital service providers.

  • Appropriate information-sharing mechanisms for entities outside the scope of the NIS Regulations to report to the ICO.

  • New enforcement powers for the ICO to act against firms that fail to register.

Is the ICO Ready for This?

SC UK considered whether the ICO is equipped to handle this increased regulatory responsibility.

The proposals acknowledge that the ICO will likely incur additional costs associated with ongoing monitoring while shifting to a more proactive supervisory role.

“These will include the cost of evidence collection, review, analysis, and feedback,” the proposal states. “We recognise that this will be a challenging and complex task and intend to work closely with the ICO to ensure that appropriate support is in place.”

Will closer collaboration be enough? Considering the current cuts to the civil service, can the ICO actually fulfil these new duties without a significant increase in funding and manpower?

SC UK contacted the ICO for comment. An ICO spokesperson responded: “We note the Government’s plans for the Cyber Security and Resilience Bill and look forward to it being introduced and progressed through the parliamentary process.

“This is an important piece of legislation that will strengthen the country’s cyber resilience and ultimately better protect people’s data.”

Does a closer working relationship with the UK government provide enough resources? The ICO spokesperson stated that the Government is responsible for determining the sectors the ICO regulates, including registration requirements, adding that the organisation “looks forward to reviewing the Bill.”

A Shift from Reactive to Proactive

On the move from a reactive to a proactive approach, how exactly will this be achieved?

The spokesperson emphasised the ICO’s commitment to helping organisations “get it right from the outset so security incidents can be avoided.”

“We will continue to engage with industry, publishing guidance and providing advice so organisations understand their obligations under cyber and NIS regulations. We’ll continue to prioritise our activities in this area, including investigating cyber and NIS incidents that present the greatest harm.”

Jonathan Armstrong, partner at Punter Southall, pointed out that another upcoming piece of legislation—the Data Use and Access Bill—proposes replacing the current Information Commissioner with a board-like Information Commission, similar to Ireland’s shift from a Data Protection Commissioner to a Data Protection Commission.

On the widening regulatory scope, Armstrong noted that the definition of MSPs will encompass a significant number of B2B IT service providers. Although the government has not yet finalised its definition of MSPs, estimates suggest that 900–1,100 additional MSPs will fall under the new regulatory framework.

“How the government has arrived at such a precise estimate without first defining MSPs remains unexplained,” Armstrong remarked. “Additionally, the Bill includes a provision allowing the Secretary of State to expand its scope without requiring parliamentary approval.”

A Major Expansion of ICO Powers

This is arguably the most significant change to the ICO’s authority since the introduction of GDPR in 2018 and the ability to issue £500,000 fines in the early 2010s.

The key question remains: Can the ICO rapidly acquire the necessary skills to handle these expanded responsibilities? Armstrong suggested that Wilmslow, where the ICO is headquartered, may limit recruitment efforts, as the transition from reactive to proactive regulation demands a different skill set.

The optimist in me believes these changes could bring major benefits to UK cybersecurity and data protection, but are we truly ready to implement them?

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
