The Cyber Security and Resilience Bill
- rrelentless
- Oct 30, 2024
Updated: Feb 26

The government has announced in the King’s Speech that the Cyber Security and Resilience Bill will be introduced to Parliament in 2025. The current law reflects the framework inherited from the EU and is the only cross-sector legislation dealing with cyber security. The EU has updated its laws in this area, so an urgent update is required to ensure that the UK is not left comparatively more vulnerable.
Cyber attacks have been on the rise in recent months, with attacks on public services such as hospitals, local authorities and government departments. The effects can be wide-reaching; for example, 10,000 outpatient appointments had to be postponed after cyber attacks on King’s College Hospital and St Thomas’ Hospital.
The aim of the Bill is to strengthen defences and ensure that more digital services are protected. The Bill seeks to achieve this by:
- expanding the current remit to protect more digital services and fill in the gap in defences, aiming to prevent more cyber attacks from occurring;
- putting regulators on a stronger footing by implementing cost recovery mechanisms to provide resources to regulators and powers to proactively investigate potential vulnerabilities;
- increasing reporting requirements and the types of attacks which need to be reported, in order to improve the understanding of these threats and ensure alertness to potential attacks.
The National Cyber Security Centre assesses that the threat from hostile states and state-sponsored actors continues to increase, and so laws need to keep pace to better protect essential services.
Due to the increase in cyber threats, the government has also confirmed that data centres will be classed as Critical National Infrastructure. This allows the government to support the sector in the event of critical incidents, seeking to minimise the effect on the economy and better protect data from being compromised during cyber attacks. The aim is to provide greater reassurance to businesses setting up in the UK.
Although it has not been confirmed exactly how the Cyber Security and Resilience Bill will affect organisations, it could mean the following:
- Increased protection and measures in place for data, reducing the risk of cyber attacks;
- Stricter cyber security protocols and regulations to comply with;
- Stronger operational resilience for data centres, aiming to minimise disruption to services.
Need advice?
If you have any questions or need advice on cyber security measures, policies or practices in your workplace, please contact us.