The latest news, updates and insights from our technology specialist lawyers at Law 365.

UK Cyber Security & Resilience Bill


    With so much cyber security seeming to fail (or be hacked) over the past few years, the Government has introduced the UK Cyber Security and Resilience (NIS) Bill, a major overhaul of the current UK NIS regulations. The message is clear: cyber threats are escalating, the old regime is creaking and the UK wants a more muscular framework to protect the digital backbone of the economy.

    This Bill mirrors the EU’s NIS2, but gives regulators (and ministers) a little more flexibility. So for our clients who do business in the EU and already comply with NIS2, or even DORA, the provisions of this Bill may seem familiar.

    What’s changing?

    1. More businesses will be in-scope

    For the first time, data centres, managed service providers, IT helpdesks, cybersecurity services and even large load controllers are being pulled firmly into the regulatory net. Cloud providers, online marketplaces and search engines remain in scope, and regulators will gain the power to designate a provider “critical” even if it is not explicitly listed. Presuming no major changes, this means tech and IT service firms that were previously unaffected will now face mandatory security duties and incident-reporting obligations.

    2. Government gets the power to update NIS regularly

    The Bill allows ministers (through secondary legislation) to set mandatory minimum security standards, covering technical and organisational measures, supply-chain risk and physical security. So we can expect more detailed, non-optional cybersecurity requirements, and expect them to evolve more quickly.

    3. Tougher incident-reporting rules

    In-scope organisations must report significant cyber incidents that could disrupt services (not just those that actually did):

    • Initial report: within 24 hours

    • Full report: within 72 hours

    4. New powers to issue binding directions

    In a national-security scenario (e.g., a cyber attack), the Government can order an entity to take or stop specific actions; this could range from deploying certain controls to restricting the use of systems.

    5. Higher fines

    • For serious breaches: up to £17m or 4% of global turnover

    • For failure to comply with a Government direction: up to £17m or 10% of turnover

    Yes, that’s GDPR-level territory.

    Also, to strengthen enforcement and reduce administrative burdens, regulators will gain powers to recover their costs and to share information more effectively.

    6. Extra-territorial reach

    Non-UK providers of cloud, MSP, SaaS platform services, etc. must appoint a UK representative and register with the ICO (currently) within three months of the Bill coming into force.

    Do you need to do anything now?

    • Does your business fall within the expanded scope? (For most Law 365 clients, this is likely the case: think MSPs, data-centre operators, cybersecurity service providers, etc.)

    • Could your business meet a 24-hour initial incident-notification window?

    • Do your current technical and organisational controls meet the likely baseline? The EU’s NIS2 may be a useful starting position.

    • Review your policies and procedures for data, security and cyber breaches.

    • Consider whether your current contractual wording places the right obligations on both parties to ensure effective cooperation in responding to cyber incidents and data breaches.

    The Bill (when passed into law) will be phased in, with some measures effective immediately and others introduced via secondary legislation after consultation. Early preparation is worth it: the Bill has teeth, and the regulator will expect evidence of maturity, not scrambling. Law 365 shall be monitoring the Bill’s progress through Parliament and shall be on hand to answer your questions.