
The UK’s Cyber Security & Resilience Bill at a glance

Client Alert | 6 min read | 11.18.25

On 12 November, the highly anticipated Cyber Security and Resilience (Network and Information Systems) Bill (“Bill”) was introduced to Parliament, representing a significant expansion and modernisation of the UK’s cyber security rules. Building on the foundation set by the Network & Information Systems Regulations 2018 (“NIS”), the Bill aims to enhance national security and safeguard essential services. The Department for Science, Innovation and Technology (“DSIT”) has published a policy paper detailing the Bill’s objectives.

Cyber-attacks have caused major disruptions in recent years, with estimated annual costs reaching £14.7 billion. The National Cyber Security Centre (“NCSC”) reported 429 nationally significant cyber incidents over the past year alone.

This alert follows our previous update addressing the importance of board-level engagement in cyber security matters, highlighting the implications of this Bill even before its text was released. Below, we outline some of the key changes being proposed in the new Bill that are a step change from NIS.

Key changes

  • Expanded scope:

    • NIS had a narrower reach and covered certain operators of essential services (“OES”) (e.g. energy, transport, health, water) and relevant digital service providers (“RDSPs”) (e.g. online search engines, marketplaces and cloud computing services).
    • The new legislation now captures certain operators of data centres and large load controllers as OES, and expands to medium and large managed service providers (“MSPs”) and critical suppliers (such as healthcare diagnostics providers).
    • The definition of RDSPs and their duties under NIS are also clarified. For example:
      • The NIS definition of cloud computing services refers to “a scalable and elastic pool of shareable computing resources”, so the Bill has added criteria on what this means, such as “broad and remote access” and “capable of being provided on demand and on a self-service basis”; and
      • An RDSP’s duty under NIS to “prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services” will be clarified to apply not just to an RDSP’s own systems, but also to a third party’s systems on which the RDSP’s service relies.
  • Directions: The Secretary of State will now have authority to direct in-scope entities to take necessary and proportionate action where a cyber incident presents a risk to national security. Non-compliance could lead to enforcement measures, including a notice of contravention. A new Code of Practice will be issued by the Secretary of State too.

  • Regulators: 12 regulators are responsible for implementing the Bill, allowing a sector specific approach, with a cost recovery regime for enforcement. Under NIS, regulators can recover reasonable costs (but not those for enforcement notices, penalties and appeals) – the Bill will allow regulators to impose a fee regime and charges. There will be a designated public statement of strategic priorities for the regulators to act in line with. Again, the Secretary of State will have the power to direct regulators to set out more stringent measures, and entities will need to register with their relevant regulator.

  • Penalties: The maximum financial penalty will be increased from £17m (for a material contravention under NIS) to new maximums tied to turnover, being the higher of £17m or 4% of worldwide turnover for serious breaches.

  • Incident reporting: The Bill enhances incident reporting requirements:

    • Cyber incidents must be notified to the designated regulator and the NCSC within 24 hours of when the in-scope entity is first aware that an incident has occurred, or is occurring, with a full report required within 72 hours. Note, we expect it’s likely for any ransomware specific proposals to build on top of this (see our previous alert here).
    • RDSPs, MSPs and essential services (except data centres) must report an incident related to the UK, if the incident: (i) “has affected or is affecting the operation or security the network and information systems relied on to provide the essential service”, and (ii) impact is or is likely to be significant having regard to certain factors (e.g., number of people affected and duration). For RDSPs and MSPs, specific factors to determine if the impact is or likely to be significant would also include the impact to the economy/day-to-day functioning of society.
    • Data centre reporting will be required if an incident in the UK “could have had, has had, is having or is likely to have” one of the following: (a) “a significant impact on the operation or security of the network and information systems relied on to provide the data centre service”, (b) “a significant impact on the continuity of the data centre service”, or (c) “any other impact[…]which is significant”.
    • Customers of data centres, RDSPs, or MSPs must be notified as soon as practicable if they are likely to be adversely affected, helping to protect the supply chain and support prompt mitigation.
  • Future proofing: The Secretary of State will also have powers to make changes to the NIS regime for future proofing purposes and to adapt as necessary to new threats and challenges.

Commentary

The new Bill does not require organisations to be established in the UK to fall within its scope, marking another set of considerations for international organisations. This approach is consistent with the previous NIS, which already applied to RDSPs offering services in the UK. For instance, under the new Bill, an MSP could be covered if it delivers managed services into the UK. Additionally, the Bill empowers regulators to designate an entity as a critical supplier to an in-scope organisation, even if that supplier is not established in the UK (provided certain criteria are met).

This reinforces the importance for affected companies to review and align their incident response protocols with the updated demands, as well as to address contractual implications throughout their supply chains. The inclusion of MSPs reflects their critical role and extensive access to systems and data, and the designation of critical suppliers will cover the supply chain more extensively.

We have previously commented on several developments in this evolving regulatory landscape. Looking ahead, an implementation period will follow the Bill’s passage, which will include secondary legislation detailing technical requirements. Regulators such as the ICO have already issued holding statements, and we expect further sector-specific guidance. We note that whilst the technical requirements will be welcomed, it’ll be key for Boards to be able to interpret such measures and cyber risks in the form of business impact.

We’ll be watching closely as the Bill moves through Parliament. Please feel free to contact our team of cyber resilience and incident response experts at Crowell & Moring to learn more, or subscribe for ongoing updates.
