
The Compliance Cliff: How the Cyber Security and Resilience Bill Will Change Cyber Security and Data Protection

The UK’s new Cyber Security and Resilience Bill is one of the most significant pieces of cyber regulation legislation in the UK in recent memory. AvePoint's Dana Simberkoff explains what you need to know.

The last week of January was data privacy week, and that makes it a perfect time to unpack the consequences of one of the most important recent developments in data security regulation: The UK’s new Cyber Security and Resilience Bill, which is rapidly headed toward becoming law.

The Bill, which updates and significantly expands the scope of the UK’s 2018 NIS framework, is one of the most significant pieces of cyber security legislation in the UK in recent memory and has far-reaching consequences that organisations in the UK, across Europe, and around the world will soon have to grapple with. In this piece, I’ll unpack the three most significant changes imposed by the Bill and offer practical tips to help affected organisations prepare for these developments.

1) Significant Incident Reporting Requirements Introduced

Today, organisations operating in the UK must notify regulators of IT and security incidents (such as cyber-attacks or service interruptions) that have caused a disruption in their services—but the new bill changes that, additionally imposing new, stringent deadlines for reporting.

In the current draft of the legislation, organisations will now have to notify regulators within 24 hours when an incident occurs that disrupts—or threatens to disrupt—their services. After that initial notification, they’ll have to provide a more thorough report within 72 hours.

This might sound like a minor change, but for many organisations—particularly smaller enterprises that may not have large in-house security teams—these new regulations will require lots of new investment and resources. Not only do organisations now have to report incidents on an ambitious timeline, they also have to report incidents that threaten to impact their operations, in addition to those that actually have a material effect. That’s a change that drastically increases the number of incidents that organisations must report to regulators.

For smaller security teams, the best way to grapple with this change is through smart automation. Rather than hiring lots of new security professionals or overburdening existing staff with new requirements, it’s smarter and more efficient to invest in technology that can detect and report on security incidents in real time. This significantly reduces the burden of compliance and decreases the risk of a costly fine.


2) The Compliance Cliff: Penalties for Non-Compliance Skyrocket

For many leaders, this is the eye-catching change of the new law: Penalties for non-compliance are rising, with the maximum now capped at 17 million or 4% of turnover.

This raises the stakes of non-compliance significantly, and the introduction of new reporting requirements and other regulations also means that there are more ways to run afoul of the law than ever before.

As the law progresses and the “compliance cliff” nears, the costs of non-compliance will soon require organisations to rethink the way that they approach cyber security. To stay on the right side of the new law, leaders will have to implement continuous protection monitoring strategies to ensure that they’re able to accurately detect, catalog, and report not only all incidents, but also actionable potential incidents.

This is a slippery slope, because many organisations are attacked regularly and defence against those attacks is continuous. So, what rises to the level of reportable will need to be re-envisioned. While these new consequences may feel onerous, it’s important to remember that better reporting and stronger, more centralised and coherent regulations will lower the risk of cyber catastrophe, which is good for all organisations and individuals in the UK and abroad.

3) New Sectors, Regions, and Organisations Now Within Scope

One of the main objectives of the new law is to make critical infrastructure and services more resilient to attacks and accidental breaches.

To that end, the law proposes a slew of new regulations that apply to specific verticals and essential industries and services. Sectors like healthcare, power, water, and more, will all face closer scrutiny from regulators and a slate of industry-specific requirements that non-essential industries will not face.

In addition, managed service providers (MSPs) will now be within scope of the 2018 NIS legislation—a big change for MSPs, their customers, and the vendors they associate with. To ensure that they’re compliant with the regulations of the 2018 NIS legislation and the new law, MSPs will have to significantly revamp the way that they approach security. Here, too, smart automation will be key. MSPs have limited resources, and many are already stretched. To comply with the law, they’ll likely need to invest in new technology that can automate compliance effectively, efficiently, and reliably.

Finally, it’s important to note that the new law has global scope and will require non-UK organisations that operate within the UK to nominate a representative to interface with regulators.

By bringing more organisations into scope and applying closer regulation to critical industries, the bill will help insulate the UK from growing cyber threats.

Modern Problems, Modern Solutions: The Brave New World of Cyber Resilience

The looming arrival of this new legislation means that regulatory compliance is no longer a point-in-time achievement and instead requires continuous work—but that doesn’t have to be an unmanageable burden. By embracing smart automation and rethinking the way that they approach cyber resilience, leaders can insulate their organisations from attacks and regulatory consequences.

Ultimately, the goal of this law is to keep everyone safe, and to limit the possibility of costly errors or breaches. If we all get it right, we’ll all be better off. I think it’s important to keep that in mind as we work to meet these new requirements.




Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint

In her role as Chief Risk, Privacy, and Information Security Officer, Dana Simberkoff leads AvePoint’s global privacy, data protection, and security programs. She oversees a global team of subject matter experts who monitor industry trends, emerging technologies, and best practices in risk management and compliance. She also provides strategic guidance on product direction, technology enhancements, customer challenges, and market opportunities, partnering closely with internal and external executive stakeholders. Dana is an industry leader, previously serving on the Education Advisory Board for the International Association of Privacy Professionals (IAPP) and as a founding member of the Women Leading Privacy Advisory Board. She is consistently recognized by organizations like IDC and CSO as an influential woman in cybersecurity.

