Big Ben and Westminster Bridge showing UK cyber resilience bill

New UK Cyber Resilience Bill Proposes Much-Needed Upgrades to NIS Regulations 2018

The UK government has introduced its new Cyber Security and Resilience Bill, seeking to upgrade national defenses in the wake of a string of attacks on critical infrastructure and government services. The bill also proposes updates to Network and Information Systems (NIS) Regulations 2018, the only national law currently in place that sets cyber resilience standards across the different critical sectors.

New cyber resilience bill crafted in response to managed service provider hacks

The UK has experienced a long string of disruptive cyber incidents, but the announcement of the cyber resilience bill cites attacks on managed service providers as a particular impetus for the overhaul of existing laws. These incidents include the 2024 breach of the Ministry of Defence payroll system, and the breach of third-party lab services contractor Synnovis that led to severe disruption of NHS services. The UK government now estimates the cost of cyber attacks at almost £15 billion per year, or over 0.5% of the national GDP. Individual attacks are now estimated to cost over £190,000 each, and a particularly damaging attack on critical infrastructure might precipitate as much as £30 billion in borrowing to remediate.

The new cyber resilience bill’s terms will apply to the country’s 13 critical national infrastructure sectors and their associated subsectors. This will include service providers in IT management, IT help desk support and cyber security, which were previously not covered by any similar law. In general, the regulations can be expected to apply to any organization with some form of trusted cyber access to either UK government systems, critical infrastructure or business networks that would have a broad impact on the national population if taken out of service or if a massive leak of sensitive personal data should occur.

Some flexibility would also be granted to regulators to designate a specific entity that might not otherwise be covered as a “critical supplier” subject to the new rules, should they meet a set of criteria yet to be adopted. The example the government provides at this point would be suppliers of particular necessary chemicals to water treatment plants, or health care diagnostics firms that support NHS functions. The Technology Secretary would also be given the power to order regulators to enforce temporary enhanced security steps with the organizations they oversee if a specific threat to UK national security is detected.

The end goal is to minimize the potential disruption of services should something like a ransomware attack happen to an impacted organization. These organizations will be prompted to improve their cyber resilience by a tougher set of fines and penalties for serious breaches, which the government indicates will be large enough that cutting corners will not be seen as a less expensive option. The current proposed maximum being floated is a daily fine of either £100,000 or 10% of daily turnover, whichever is higher.

The proposed reporting requirements for impacted organizations are a little more clear at this point: “more harmful” incidents must be reported to the National Cyber Security Centre (NCSC) within 24 hours, with a full incident report prepared within 72 hours. If the incident involves a managed service provider or a data center, customers that are likely to be impacted must be notified “promptly.”

Seven-step process remains before UK cyber resilience bill goes into force

The cyber resilience bill is far from finalized. From this initial proposal stage, it will move through a total of seven more stages in both Houses of Parliament before being set into law. While it is broadly expected to be adopted eventually, the overall time schedule is not fixed and it may emerge with differences by the time it makes it to the end of the process. Major changes are not anticipated, however, as the bill has been deliberated since its introduction in the 2024 King’s Speech and the present version is barely changed from that initial draft.

Managed service providers are almost certain to be roped to the new rules when all is said and done, between the emphasis seen with this announcement and the fact that there was a prior push to get these same terms for them into the NIS 2022 update. Once in force the cyber resilience bill is expected to impact roughly 1,000 UK MSPs.

While this process plays out, organizations are directed to the recently-published Cyber Governance Code of Practice in terms of general preparation for expected cyber resilience standards going forward. The NCSC also has an assortment of free tools and guidance available that is tailored to critical infrastructure organizations, such as the Cyber Assessment Framework and Active Cyber Defence services.

Mayur Upadhyaya, CEO of APIContext, believes that this is a positive step forward but in its current form is not a complete one: “As regulatory frameworks like DORA highlight, resilience is about more than uptime. It’s about understanding the full digital supply chain: cloud dependencies, DNS behavior, and the APIs that connect everything together. To manage that risk, we need to lift the bonnet and proactively test what’s under the surface. Without checks across third-party infrastructure, even minor disruptions can cascade into major outages, as demonstrated recently by prominent cloud providers. The UK’s Cyber Security and Resilience Bill is a step in the right direction, but operational resilience must include continuous testing, not just better incident reporting.”

Camellia Chan, CEO of X-PHY, adds some advice for impacted organizations: “The UK Government’s Cyber Security and Resilience Bill rightly recognises that suppliers of Critical National Infrastructure must be regulated to protect essential public services from dangerous cyber-attacks. With an increase in CNI organisations being targeted by data breaches, the real-world, devastating impacts of cyber incidents are becoming more visible. UK national security is at risk. Now that threat actors can leverage tools to rapidly exploit vulnerabilities throughout the entire technology stack from the hardware up, traditional, software-based defences are no longer enough to safeguard IT systems – let alone vital public services. This new mandate requires all companies that support CNI to adopt stringent, proactive cyber-defence postures. To effectively deliver on this promise, businesses must implement measures that secure hardware and software at all levels for holistic, autonomous monitoring and protection across entire IT estates.”