The UK Government has launched the Cyber Security and Resilience Bill, expanding regulatory scope, increasing penalties, and strengthening oversight to combat escalating cyber threats impacting critical infrastructure and vital services.
The UK Government has launched its Cyber Security and Resilience Bill to significantly update the existing Network and Information Systems Regulations 2018 (NIS Regulations), recognising mounting cyber threats that cost businesses billions annually and disrupt vital services. Recent high-profile cyber incidents affecting major organisations such as Jaguar Land Rover, Marks & Spencer, Royal Mail, and the British Library have underscored the urgent need for a stronger regulatory response. The Government acknowledges that cybersecurity is not only crucial for protecting critical infrastructure but also fundamental to sustainable economic growth, stating the imperative that “we cannot have growth without stability.”
The new Bill represents a modernisation of the UK’s cybersecurity framework, which was originally introduced as a domestic implementation of the EU’s NIS Directive. Given that the EU replaced its directive with the updated NIS2 Directive in 2022, which many member states are still transposing into national law, the Bill brings the UK’s approach into alignment with contemporary threats while adapting it to national priorities. Key among the proposed changes is a significant expansion of the regulations’ scope. Beyond the traditional focus on sectors such as energy, transport, health, and digital services like cloud computing, the Bill extends coverage to three further groups: data centre operators with enterprise-scale IT loads above 10 megawatts; managed service providers (a group more narrowly defined than in the EU’s NIS2); and “large load operators” in the electricity sector. This expansion means a wider range of organisations will come under the regulatory umbrella, with the Secretary of State for Science, Innovation and Technology and Ofcom poised to oversee data centre providers, while the soon-to-be-renamed Information Commission will regulate managed service providers.
A notable enhancement is the broadening of incident reporting obligations to capture a wider array of cybersecurity events. Previously, only incidents with a “significant impact” on essential service provision triggered reports, but the Bill shifts to encompass incidents that are “capable of” causing such impacts, even if they do not yet manifest. This change reflects a desire to move from reactive to more proactive incident management, with entities required not only to alert regulators but also to notify customers adversely affected by incidents, considering factors like disruption, data integrity, and system security. While the Bill does not detail new specific security mandates for providers, it empowers the Government to impose such requirements, especially for national security concerns, offering a flexible tool to respond to emerging threats.
An innovative addition is the creation of a formal category of “critical suppliers”: third-party service providers whose disruption could have significant ramifications for essential services and the economy. Although these suppliers are not immediately subject to direct obligations under the Bill, they may face directions or be bound by future cybersecurity codes of practice. This reflects an understanding of the systemic risks posed by supply chain vulnerabilities and positions the Government to intervene as needed, recognising that an incident at a critical supplier could ripple through multiple sectors.
The Bill substantially increases the financial penalties for non-compliance, setting the maximum fine at the greater of £17 million or 4% of global turnover, in line with wider trends in cybersecurity and data protection enforcement globally. Furthermore, ongoing breaches can incur daily fines until rectified. Competent authorities are also granted enhanced powers to investigate, inspect, and enforce compliance, including mechanisms for cost recovery through charging schemes. Information-sharing capabilities have been expanded to facilitate cooperation among UK regulators, law enforcement, GCHQ, and international counterparts, improving the collective response to cyber incidents.
Central to the Bill is the establishment of a strategic and operational framework enabling the UK Government to steer cybersecurity policy dynamically. This includes requirements for the Government to publish and maintain a statement of strategic priorities, pass secondary legislation imposing specific cybersecurity measures, empower regulators with new powers, and issue codes of practice detailing compliance methods. These provisions underscore a commitment to an adaptable regulatory environment capable of evolving alongside the threat landscape.
Overall, the Cyber Security and Resilience Bill marks a substantial strengthening of the UK’s approach to defending critical infrastructure and essential services from cyber risks. By broadening the scope of regulation, enhancing reporting and enforcement powers, addressing supply chain risks, and embedding governmental oversight, the Bill aims to provide the robust and flexible framework necessary to safeguard national wellbeing and economic prosperity amid escalating cyber threats. The Data Privacy and Cybersecurity Practice at Covington has noted its readiness to assist organisations in navigating these changes and preparing for compliance challenges ahead.
Source: Noah Wire Services