UK cyber security reform takes shape

The government has published a Cyber Security and Resilience policy paper (Cyber security and resilience policy statement - GOV.UK) which fleshes out details of the Cyber Security Bill (the Bill) announced in the King’s speech last year. The Bill is designed to strengthen the UK’s cyber defences, build the resilience of essential services, infrastructure and digital services, and update the cybersecurity legislation set out in the Network and Information Systems Regulations 2018 (NIS).

The Bill would “address the specific cyber security challenges faced by the UK while aligning, where appropriate, with the approach taken in the EU NIS 2 directive… and will make substantial improvements to this existing framework by bringing more entities into scope and putting regulators on a stronger footing.” The EU NIS 2 Directive, which became enforceable in the EU on October 18, 2024, does not directly apply to the UK. However, as evidenced by the Bill and policy paper, the UK has been updating its cybersecurity framework to align with similar principles.

The current position

The government seems committed to the implementation of the measures as set out in the Bill and to reform of the cybersecurity landscape in general. This policy statement follows the recent consultation on ransomware payments in the UK (which is discussed further here: Shaping cybersecurity: New consultation launched by the Home Office on ransomware payments - Stevens & Bolton LLP) and the designation of data centres as critical national infrastructure in September last year.

NIS as it stands currently applies to the following:

  • Operators of Essential Services (OES) which cover transport, energy, drinking water, health and digital infrastructure sectors; and
  • Relevant Digital Service Providers (RDSPs) which cover online marketplaces, online search engines and cloud computing services.

Proposals

Under the Bill, crucial updates to NIS will be made with the following key proposals:

1. Additional categories of service providers brought into scope

The definition of Managed Service Providers (MSPs) will be expanded to include those services which: are provided to another organisation (i.e. not in house); rely on the use of network and information systems to deliver the service; and relate to ongoing management support, active administration and/or monitoring of IT systems, applications, infrastructure and networks, including for the purpose of activities relating to cyber security.

In-scope MSPs will have the same duties as those providing digital services as defined under NIS and shall be regulated by the Information Commissioner’s Office (ICO).

2. Stronger supply chain duties for OES, RDSPs and suppliers

The Bill is designed to embed supply chain security requirements directly into the regulatory framework. This is to be achieved by imposing supply chain duties on OES and RDSPs to manage cyber risks through contractual requirements, security checks or continuity plans.

It is proposed that regulators will be able to individually designate a supplier as a "designated critical supplier" if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential digital services it supports. Designation will bring such suppliers directly in scope of core security requirements and incident reporting obligations, ensuring consistent standards across the most critical tiers of the supply chain.

Further, under the proposals, regulators may designate a smaller RDSP as a critical supplier if it meets certain designation criteria.

3. Enhancing regulators’ enforcement and oversight powers

Secretary of State

The Bill will provide the Secretary of State with powers to make regulations to update existing requirements. The Secretary of State would be able to exercise these powers following consultation with appropriate bodies. Measures would further include powers to issue a code of practice setting out guidance on how regulatory requirements should be satisfied, as well as powers to tailor the requirements for each sector.

ICO

The ICO would be afforded greater powers to require information from RDSPs on registration, with further scope to serve information notices and powers to enforce a failure to register. 

Costs recovery mechanism

The Bill proposes to allow regulators to set a fees regime, allowing for fees to be levied as well as recovering costs via invoices. It will also clarify the intent and scope of the costs regulations and extend this regime to all activities necessary for the performance of the regulators’ function, including enforcement. The measures are designed to ensure that regulators are financially independent and capable of effectively performing their duties.

Enhancing incident reporting

The Bill will enhance the current incident reporting requirements for regulated entities by: expanding the incident reporting criteria; updating incident reporting times; streamlining reporting; and enhancing transparency requirements for digital services and data centres. Regulated entities will be required to notify their regulator and also inform the National Cyber Security Centre of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours (as per the EU NIS2 Directive). Firms that provide digital services and data centres that experience a significant incident will be required to alert affected customers.

4. Power to reform without primary legislation

The Bill would grant the Secretary of State new powers to update the regulatory framework without requiring an Act of Parliament (subject to certain safeguards), enabling a rapid response to cyber threats.

5. Additional measures under consideration

The policy paper sets out additional measures to those set out in the King’s speech for consideration. Below is a summary of the additional measures, how they would work in practice and their impact:

Measure 1: Bringing data centres within the regulatory framework

How it would work in practice: UK data centres would be in scope at or above 1MW capacity, unless they are enterprise data centres, which will only be in scope at or above 10MW capacity. The operation of a data centre (that meets the thresholds in the UK) will require duties to be met. This would include notifying and providing certain information, having in place appropriate and proportionate measures to manage risks, and reporting significant incidents.

Impact: Aims to strengthen the protection of critical network infrastructure and all it supports and enables. Externally commissioned research (2024) indicates that there are currently 224 colocation data centres in the UK, managed by 68 operators. Of these, around 182 third-party sites and 64 operators will fall within scope.

Measure 2: Publish a "Statement of Strategic Priorities" for regulators

How it would work in practice: This would include a new duty for regulators, tied to the objectives contained within the statement. The objectives set out in a statement of strategic priorities would be developed in consultation with sectors and regulators periodically.

Impact: The Statement would serve as a crucial instrument to streamline roles, responsibilities and expectations, ensuring that all regulators, across all relevant sectors, are implementing the regulations in a consistent manner.

Measure 3: Powers of Direction for the Secretary of State

How it would work in practice: Empower the Secretary of State to:

  • direct a regulated entity to take action; and
  • direct a regulator to take action.

Impact: The power to direct regulated entities would ensure that the government can respond swiftly to incidents and threats with significant national security risks, protecting critical infrastructure from sophisticated cyber threats. The power to direct regulators would serve as an essential tool to ensure that whole sectors are more resilient against cyber security threats in periods of heightened risk.

What next?

The policy statement gives a clear indication that UK cybersecurity reform is on the government agenda, and that the measures will align to an extent with the EU NIS2 Directive. No indication has yet been given as to the Bill’s timing or indeed when the finalised text will be ready. We will continue to monitor the progress of the Bill, and other cybersecurity-related reforms and updates.