The Cyber Security and Resilience Bill

Instant alert - Privacy and Cybersecurity

On 1 April 2025, the UK Department for Science, Innovation and Technology issued a policy statement setting out its key proposals for the new Cyber Security and Resilience Bill. 

The Bill is intended to respond to an increasingly complex cyber security threat landscape and will update the UK’s Network and Information Systems Regulations 2018 (NIS). This article considers the relevant changes from NIS 2018, how far the Bill is likely to diverge from the EU’s recently introduced NIS2 Directive, and the timeline for implementation.

There is still time for business to influence the final legislation, both before the Bill is introduced and during its parliamentary passage. Should you wish to discuss how you can best shape the Bill or how you can comply with its future requirements, please do get in touch. 

Changes from NIS 2018 

Businesses should be aware of four key updates from the NIS regime: 

  1. More entities in scope of the regulations: the NIS regulations currently apply to operators of essential services (OES) and relevant digital service providers (RDSP: operators of cloud computing services, online marketplaces and online search engines). The proposed Cyber Security and Resilience Bill intends to go further and bring the following additional businesses within the scope of the regime: 
    1. Managed service providers (businesses that provide services related to installing, managing or operating ICT products, networks and applications); 
    2. Designated critical supply chains. The government will be able to designate suppliers to OES and RDSPs as in scope if they meet certain thresholds that have yet to be confirmed; and 
    3. Data centres. The government intends to bring data centres into scope of the regulations, although it has not yet confirmed that this Bill will be the legislative vehicle for doing so. 
  2. Enhanced Cyber Security Requirements: firms will be required to follow new, more onerous security measures. These measures will closely align with the EU’s NIS2 and in-scope firms will be required to follow the NCSC’s Cyber Assessment Framework. Technical requirements will be iteratively kept up to date via Codes of Practice and regulations. 
  3. Expanded Incident Reporting: the Bill will lower the bar at which a cyber incident must be reported to the regulator and NCSC. This will mean moving from a regime in which an incident must be reported if it has resulted in an interruption to service to a regime in which an incident that is “capable of having significant impact” must be reported. The reporting timeline will aim to mirror the NIS2 process (notification within 24 hours and an incident report within 72 hours). Importantly, firms that experience a significant incident will be required to alert customers who may be affected by that incident, increasing the level of public scrutiny on a company’s cyber security measures. 
  4. More assertive regulatory oversight: the ICO will have greater powers to gather information from regulated firms about the nature of the cyber threat, and the power to establish a cost-recovery scheme that passes the cost of enforcing these new regulations on to the regulated firms themselves. 

Divergence from NIS2 

While many of the updates above aim to maximise regulatory coherence between the UK and the EU, businesses should be aware of the potential for divergence. In particular, the following proposals are novel and may have significant business impacts: 

  1. Powers to direct: the government is considering a power that would enable the Secretary of State to direct a firm in scope of the Bill to take action where necessary for national security. This would mean that Ministers could require firms to take actions to safeguard national security. There is limited clarity at this stage about the circumstances in which such a broad power could be exercised, how firms could appeal against a direction, or how they would be consulted about the practicalities of making the required change. 
  2. Ransomware: the Cyber Security and Resilience Bill may be the legislative vehicle for the government's proposals on reducing ransomware payments. The Home Office is consulting on new requirements for how firms respond to ransomware attacks. Depending on the outcome of that consultation, firms may be required to (i) refrain from making any ransomware payment, (ii) seek clearance from the government before making a ransomware payment, or (iii) simply report all ransomware attacks. We will continue to watch the outcome of this Home Office consultation and how the government chooses to legislate to meet its policy objective.

Timelines for Implementation

This Bill was announced in the King's Speech and is still expected to be introduced in this session. However, given the logjam developing in the House of Lords, we would be surprised if it reached the statute book this year; 2026 seems more realistic. As with the EU's NIS2, we also expect a transition period for businesses to prepare for compliance after the Bill has received Royal Assent. We have yet to see policy detail on how that transition might be phased. 

How to Prepare 

If you will be newly in scope of the regulations, or are updating your existing cyber security processes, you should begin preparing to comply with the new regulatory requirements. 

Equally, if there are aspects of the regulations that could be changed to better meet commercial objectives, businesses should consider how they can best influence the Bill, both now and once it has been introduced into Parliament. 

Authored by Dan Whitehead, Nicola Da Costa, and Edward Roberts.