Cyber Security and Resilience Bill introduced to Parliament

The Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament.

The Bill seeks to reform the existing Network and Information Systems (NIS) Regulations 2018 in order to address the growing number and increasing sophistication of cyber security threats in the UK. As the Government’s policy paper explains, the UK was the most targeted country in Europe for cyber attacks last year, with over 40% of all UK businesses experiencing attacks at a cost of nearly £15 billion.

The Bill has three core objectives:

The Bill extends the scope of the NIS Regulations beyond existing so-called ‘operators of essential services’ so that, for example, data centres will be classed as essential services. Similarly, managed service providers which provide services such as IT management, IT help desk support and cyber security services to critical private and public sector organisations will be brought into scope. At the same time, regulators will be given powers to designate organisations as critical suppliers to the UK’s essential services.

No fewer than 12 regulators are responsible for implementing the existing cyber security regime, reflecting the different threats faced by different sectors. The Bill aims to provide a “more consistent and effective regime” by, for example, empowering the Secretary of State to set out strategic priorities that must be achieved.

Stricter rules on incident reporting will also be introduced, requiring regulated entities to make an initial report within 24 hours, followed by a full report within 72 hours. Entities will also be required to report not only incidents that have caused significant disruption, but also those with the potential to cause significant impact.

New measures are also introduced in relation to sharing information, recovering costs, and enforcement.

Finally, the Bill will allow the Government to respond more effectively to evolving threats through secondary legislation by, for example, bringing more sectors into scope, introducing new requirements, and directing regulators or regulated entities to take targeted and proportionate action in response to imminent threats.

Once passed, it is envisaged that the measures in the Bill – many of which will come into force through secondary legislation – will be phased in following consultations where necessary, which are currently anticipated to take place next year.
