What the UK’s New Cyber Resilience Bill Means for Businesses—and How to Stay Ahead

The UK is facing the same evolving digital challenges as the rest of the world, and its new Cyber Security and Resilience Bill is designed to not only help it catch up – but stay ahead.
Attackers change their tactics all the time. Without an agile, living framework that gives lawmakers some breathing room, adversaries could easily outstrip the clunky government processes that govern cybersecurity (and are often a step behind).
Ultimately, the new legislation underlines a commitment set out in an official Statement outlining the Bill: economic growth. As noted by the Secretary of State for Science, Innovation, and Technology, “By securing the digital infrastructure upon which a growing number of our businesses depend, we can deliver the stability they need to innovate and invest.”
Let’s dive into the UK’s newest cybersecurity policy.
Why the change?
The short answer is that the UK’s NIS Regulations 2018, designed to secure the digital safety of critical infrastructure, needed a facelift. In the digital world, a lot can happen in a little time. Data infrastructure, for example, was designated just last year as a critical national infrastructure (CNI) sector in the UK, but the 2018 Regulations pre-date that designation and obviously don’t account for it. Nor do they properly mitigate third-party risk. In addition, reporting requirements were insufficient and unclear, and legislators lacked the ability to move swiftly and make changes as evolving threat circumstances demanded.
As noted in the Statement, “A Cyber Security and Resilience Bill will address the specific cyber security challenges faced by the UK” and will take its cues from the EU NIS2 directive “where appropriate.” The result? A new Bill that centers around:
- Bringing more entities into scope.
- Giving regulators a stronger footing to enforce policy.
- Establishing clear, concise reporting requirements.
- Enabling the Government to “act against emerging threats without the need for new primary legislation.”
In a sentence, it attempts to bring the UK’s 2018 Regulations up to speed with modern digital threats and give the powers that be the appropriate freedom and tools to do so, both now and in the future. The point is a sleeker, more powerful, more responsive, faster-moving policy engine that can create and enforce the digital protections necessary to keep the UK’s critical (and even moderately important) infrastructure safe, securing its economic future.
Now, let’s dig into the various parts of the UK’s new Cyber Security and Resilience Bill.
Expanded scope: Supply chain partners, MSPs, and more
There is currently no mechanism under the UK’s 2018 Regulations to address critical supply chain vulnerabilities (surprisingly), so the new Bill will open the door for the government to enact stronger regulation around these issues. Namely, subject to consultation, supply chain security responsibilities will be increased for:
- Operators of Essential Services (OES)
- Relevant Digital Service Providers (RDSP)
Regulators will also be empowered to designate certain high-impact suppliers as ‘designated critical suppliers’ (DCS), which would make them subject to similar security laws. Size also no longer plays a part in determining importance: even small and micro RDSPs (previously off the hook) can be pulled into the new legislative requirements if they play a crucial role in supporting essential services.
More power to regulators
The UK’s Cyber Security and Resilience Bill will provide the Secretary of State with powers to make regulations to update the existing requirements and to exercise them after consulting with “appropriate bodies.” The Secretary of State would also be able to tailor policies to each sector, with the end result being a system that can create and maintain relevant, up-to-date, industry-specific cybersecurity requirements as changing needs demand.
Better incident reporting
Current laws only require reporting on incidents that have interrupted a critical service, but the new Bill expands that definition. Now, entities are required to report on a cyber incident with even the potential to impact CNI or jeopardize the confidentiality, integrity, or availability of a system. Clearer reporting guidelines mean a two-stage timeline (with the first notification required within 24 hours), mandatory simultaneous reporting to the NCSC, and customer notification.
Futureproofing to ensure the UK’s cyber policy never falls behind
As noted in the Statement, the intent is to ensure “the government is not beholden to the timescales of primary legislation if the regulations require updating in the future.” To this end, the following measures are put in place:
The Secretary of State will “seek” powers (via the Bill) to update the regulatory framework without an Act of Parliament. These powers could be used to pull other entities into scope and further expand the responsibilities of regulators, as needed. By delegating more functions to regulators, the Government could be free to introduce further security duties for CNI and digital firms.
Lasting cyber resilience with Fortra
Fortra Integrity and Compliance Monitoring can help entities covered by the UK’s new Cyber Security and Resilience Bill invest wisely in the security tools they need to fill compliance gaps. Fortra solutions are designed to empower you to break every stage of the attack chain. With real-time indicators of compromise and exclusive AI models that increase accuracy and automation, you can make your organization one UK institution that outsmarts adversaries – now, and for years to come.
Get ahead of the compliance curve. Check out Fortra’s range of solutions today.