Cyber Security and Resilience Bill

 

 

  • Our digital economy is increasingly being attacked by cyber criminals and state actors, affecting essential public services and infrastructure. In the last 18 months, our hospitals, universities, local authorities, democratic institutions and government departments have been targeted in cyber attacks.

 

  • Our essential services are vulnerable to hostile actors and recent cyber attacks affecting the NHS and Ministry of Defence show the impacts can be We need to take swift action to address vulnerabilities and protect our digital economy to deliver growth. The Bill will strengthen the UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure.

 

 

What does the Bill do?

 

  • The Bill will strengthen our defences and ensure that more essential digital services than ever before are protected, for example by expanding the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.

 

  • The existing UK regulations reflect law inherited from the EU and are the UK’s only cross-sector cyber security legislation. They have now been superseded in the EU and require urgent update in the UK to ensure that our infrastructure and economy is not comparably more vulnerable.

 

  • The Bill will make crucial updates to the legacy regulatory framework by:

 

  • expanding the remit of the regulation to protect more digital services and supply chains. These are an increasingly attractive threat vector for This Bill will fill an immediate gap in our defences and prevent similar attacks experienced by critical public services in the UK, such as the recent ransomware attack impacting London hospitals.

 

  • putting regulators on a strong footing to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators and providing powers to proactively investigate potential vulnerabilities.

 

  • mandating increased incident reporting to give government better data on cyber attacks, including where a company has been held to ransom – this will improve our understanding of the threats and alert us to

 

potential attacks by expanding the type and nature of incidents that regulated entities must report.

 

Territorial extent and application

 

  • The Bill will extend and apply UK-wide.

 

Key facts

 

  • The current cyber security regulations play an essential role in safeguarding the UK’s critical national infrastructure by placing security duties on industry involved in the delivery of essential services. The regulations cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). Twelve regulators (competent authorities) are responsible for implementing the regulations.

 

  • Hostile cyber actors are increasingly targeting our critical sectors and supply Recent serious high-profile attacks impacting London hospitals, and the Ministry of Defence as well as ransom attacks on the British Library and Royal Mail, have highlighted that our services and institutions are vulnerable to attack.

 

  • The impacts of a cyber attack on these sectors pose severe risks to UK citizens, core services, and the economy at For example, as a result of the ransomware attack affecting the NHS in England in June, 3,396 outpatient appointments and 1,255 elective procedures were postponed across King’s College Hospital, and Guy’s and St Thomas’ Hospital. The total cost of cyber attacks to the UK was estimated at £27 billion per annum in 2011, this figure is likely to have increased.

 

  • National Cyber Security Centre assess that the increased threat from hostile states and state-sponsored actors continues to ramp up. At a recent speech at CyberUK, National Cyber Security Centre CEO Felicity Oswald warned that providers of essential services in the UK cannot afford to ignore these threats.

 

  • Two Post-Implementation Reviews found the original regulations are having a positive impact, but that progress has not been fast enough. In 2022, the review found that they ‘are a vital framework in raising wider UK resilience against network and information systems security threats’, but updates are required to keep pace with growing threats. Just over half of operators of essential services have updated or strengthened existing policies and processes since the inception of the Regulations in 2018.