Out-Law / Your Daily Need-To-Know


King’s Speech: new cyber resilience laws planned in the UK


The state opening of parliament, 17 July 2024. Photo by Henry Nicholls - WPA Pool/Getty Images


A new Cyber Security and Resilience Bill is to be introduced into parliament in the coming months, according to government legislative plans confirmed in the King’s Speech on Wednesday.

Cyber risk expert Stuart Davey of Pinsent Masons said news of the proposed new legislation comes amidst a heightened and evolving threat environment for organisations and as policymakers in other jurisdictions move to strengthen their own cybersecurity frameworks.

In a background briefing paper published alongside the King’s Speech, the government said the new Cyber Security and Resilience Bill “will strengthen the UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure”.

The Bill is intended to update existing regulations in place in the UK, the Network and Information Security (NIS) Regulations 2018. Those regulations are derived from the EU’s NIS Directive, a piece of legislation that sets out distinct cybersecurity and incident reporting obligations on so-called operators of ‘essential services’ and digital service providers. EU policymakers and lawmakers have moved to update the original NIS regime: ‘NIS2’ is due to be implemented in the EU member states by 17 October 2024.

In the briefing paper, the government acknowledged the EU reforms and said the UK’s own regime requires “urgent update … to ensure that our infrastructure and economy is not comparably more vulnerable”.

Davey highlighted how some of the work towards reforming the UK NIS regime has already been done by the previous UK government, which carried out its own review of the NIS Regulations 2018 and then consulted on potential reforms.

“The proposed reforms were focussed on expanding the scope of NIS to other types of digital service providers and emphasising the importance of supply chain cyber management, but it has been quiet on this front for 18 months since the government published its response paper in November 2022 – until now,” Davey said.

According to the government’s briefing paper, the new Bill will seek to extend the scope of the existing NIS regime “to protect more digital services and supply chains” and impose additional incident reporting obligations – including in relation to ransomware attacks. Other measures will be put forward to strengthen regulators’ powers.

“The government has identified the heightened and evolving cyber threat facing organisations, citing recent high-profile cyber attacks affecting the NHS and the Ministry of Defence, and its plans to bring forward this new Bill also come hot on the heels of public warnings from the UK National Cyber Security Centre about the cyber capabilities of China and Russia in particular,” Davey said.
