Understanding the Cyber Security and Resilience Bill

Jack Porter at Logpoint explains what the Cyber Security and Resilience Bill means for British business

The Cyber Security and Resilience Bill proposed in the King’s Speech aims to strengthen the UK’s cyber-defences by ensuring that critical infrastructure and digital services are secure by protecting those services and supply chains. 

It’s essentially a much-needed update to the current Network and Information Security (NIS) regulations. Only just over half of operators of essential services caught under NIS have updated or strengthened existing policies and processes since it was brought in back in 2018. It was reviewed two years ago post-Brexit for precisely this reason.

In the interim, the EU drafted and approved NIS2 which is set to come into force in October, and this triggered the government to look at an “urgent update in the UK” in the form of the bill. 

Will the Bill emulate NIS2?

If we take a look at NIS2, it’s seen as being much more substantial than NIS. It’s far more wide ranging in scope, applying to both important as well as essential entities that contribute to economic stability. It will therefore see the number of verticals expand from seven to 17 and affect over 160,000 entities. 

NIS2 will also see personal liability introduced. This could see senior management personnel suspended or disbarred from holding similar positions in the future if they have failed to implement adequate risk management processes.

And it carries punitive fines for non-compliance on a par with GDPR set at €10m or 2% of global annual revenue, whichever is higher, for essential entities and €7m or 1.4% of global annual revenue, whichever is higher, for important entities. 

Entities must implement risk management measures, vet and monitor their supply chains, and put in place incident response and report data breaches within specific timeframes. An early warning needs to be made within 24 hours by essential entities or 72 hours in the case of important entities. Formal disclosure must be made within 72 hours and a full report within a month.

In contrast, details on the Cyber Security and Resilience Bill have yet to emerge. The speech outlines that more entities will come into scope so that in addition to covering transport, energy, water, health and digital infrastructure we can expect more digital service providers to be added. 

The Bill also alludes to the need to address digital supply chain security and sets out the intention to place supply chain and supply-side attacks via third parties under the remit of regulators. 

Incident reporting requirements will be increased under the Bill and will include the mandatory disclosure of ransomware attacks. This will give the government better data on attacks, helping to guide policy as the scale of the problem is largely unknown.

But there’s no indication yet of the timelines that will be put in place, whether senior personnel will be held accountable or what the fines will be for non-compliance. So, while we have some indication of what is likely to be in the bill there are some glaring omissions which may be due to the UK wanting to take a less heavy-handed approach. 

What’s missing from the Bill?

If we look at the general course of travel when it comes to global regulations, it’s clear the Bill will need to address issues such as accountability. In the US, the SEC clamped down on incident reporting obligations in July 2023, requiring public companies to disclose a material cyber-security incident in Item 106 under Form 8-K within four days.

What’s more, there is a compunction for the board to detail its oversight of risk and the role of management in assessing and managing those risks from cyber-security threats. This indicates a growing appetite for personal accountability.

The generalisations we’ve seen up until this point under the Bill may be due to the fact it will be tailored to the UK which is very much a service-led economy. It may well include provisions specific to the financial sector, for example, which is seen as a cornerstone of the economy. Provisions for this have been made separately under the Digital Operational Resilience Act (DORA) on the continent which takes precedence over NIS2. 

A more detailed regulatory framework will emerge when the Bill is enacted following the return of parliament but ideally it should incorporate much of the core concepts of NIS2 i.e. risk management measures, requirements to vet and monitor supply chains, and incident response processes to ensure business continuity including training for staff and board members on effective risk management. 

What’s still unclear is just how wide ranging it will be in scope. Both mid-sized and large organisations are likely to be in scope and they should now start to look at how they can practically comply by assessing the risk management they have in place and their incident response and reporting capabilities.  

Is the Bill good for business?

To generate the kind of data the government requires on supply chain vulnerabilities and ransomware attacks it will need to be extensive, but this will then increase the compliance burden. A recent report predicted the cost of implementing the NIS2 regulations would be 31.2bn euros per year, with smaller business facing a much larger burden relative to their total revenue than larger businesses. 

However, it’s also worth noting that the regulations will serve to bolster cyber-security and any investment in measures will undoubtedly improve the security posture of these businesses. The Bill has therefore been positively received even though it will require additional processes to be put in place, increase culpability and auditing and reporting.

What remains to be seen is whether it will go far enough as its only then that resilience will be increased and the threat posed to our economy by cyber-attacks countered. 

Jack Porter is Public Sector Specialist at Logpoint

Main image courtesy of iStockPhoto.com and Fredex8