7 August 2024

Proposed Cyber Security & Resilience Bill – What This Means For Businesses

Herrington Carmichael


Herrington Carmichael is a full-service law firm offering legal advice to UK and international businesses. We work with corporate entities of all sizes from large PLCs through to start-up businesses.
In July 2024, the Labour government announced two new Bills in the King's Speech: the Digital Information and Smart Data Bill and the Cyber Security and Resilience Bill (CSRB). The CSRB aims to modernize the UK's cybersecurity framework, expanding the scope of protections, enhancing regulatory powers, and increasing incident reporting requirements. This reform is designed to align with the EU's NIS2 Directive and Cyber Resilience Act, addressing recent high-profile cyber incidents and improvin

The newly elected Labour government announced the introduction of two new Bills as part of the King's Speech in July 2024. The Bills form part of Labour's forthcoming parliamentary programme and focus on the need for a modernised cybersecurity defence regime. The impetus for reform originated with Sunak's government, which announced its intention to strengthen cybersecurity in 2022; these new Bills formalise those plans. The Digital Information and Smart Data Bill aims to amend existing data protection legislation. The new Cyber Security and Resilience Bill ("CSRB") aims to strengthen the UK's cybersecurity defences.

Whilst the King's Speech did not announce the anticipated 'AI Bill', under which the government had planned to introduce legislation regulating the development of powerful AI models, this does not mean that the Labour party will not introduce such laws in the near future.

The CSRB aims to strengthen the UK's cybersecurity measures for critical services, which have been flagged as a priority in response to recent high-profile cyber incidents. One example is the recent ransomware attack on 'Synnovis' (a pathology and testing services provider), which disrupted healthcare for thousands of patients registered with hospitals across London. The Bill is also intended to ensure the UK does not lag behind EU Member States in its cybersecurity measures for critical services and the digital economy. To that end, it is intended to update the existing data protection laws and to align the Network and Information Security Regulations 2018 (NIS) with the Network and Information Security (NIS2) Directive and the Cyber Resilience Act, collectively referred to here as the "cybersecurity regulations".

The current cybersecurity regulations place security and incident notification obligations on those responsible for delivering essential services. The relevant sectors include digital infrastructure, energy, health, transport and water, together with digital services (such as cloud computing services, online marketplaces and online search engines).

Key current takeaways on how the CSRB will modernise the cybersecurity regulations:

  • It expands the scope of the NIS to protect more digital services and supply chains.
  • It gives regulators greater resources (e.g. cost recovery mechanisms) and stronger powers (e.g. mandated regular vulnerability assessments) to accompany stricter security requirements.
  • It requires increased incident reporting, including the mandatory reporting of ransomware attacks, in order to obtain more accurate data on cyber-attacks. This means that businesses working in critical sectors will face heightened requirements for reporting cybersecurity incidents and may face higher fines and penalties for failing to comply with these standards.

HC's Comment:

The UK government has acknowledged that the current NIS regime requires modernisation. The CSRB is intended to ensure that the UK implements a modernised cybersecurity regulatory framework in response to increasing threats against its critical services. By increasing the scope of the regulations, regulators will have the means to ensure that effective cybersecurity measures are being implemented. As such, businesses are likely to benefit from a stronger digital economy which, in turn, will protect essential service providers and subsequently their clients (i.e. the general public). If you would like to obtain legal advice about legislative changes within the cybersecurity landscape, please contact us to speak to a member of our Commercial Team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
