British government unveils long-awaited landmark cybersecurity bill
After more than four years of development and multiple delays, the British government on Wednesday introduced its landmark Cyber Security and Resilience Bill to Parliament, threatening large fines for companies that fail to protect themselves from cyberattacks.
The proposed law would, at its core, require a wider range of organizations working within critical infrastructure and essential services sectors to follow improved cybersecurity standards. It would apply to organizations in sectors including energy, transport, healthcare, and water, and to an expanded number of digital infrastructure providers such as data centers and certain IT companies.
The previous version of those standards, under the Network & Information Systems (NIS) Regulations 2018, was seen as insufficient to tackle what intelligence officials described as the growing threat posed by financially motivated hackers and hostile foreign states.
Recorded Future News understands the draft bill is substantially identical to one prepared in 2022 under the government of Prime Minister Rishi Sunak, when the laws were prematurely described as “updated” despite the then-government failing to actually introduce them to Parliament.
It was delayed again in September when Prime Minister Keir Starmer’s government had planned to introduce its bill to the House of Commons before it was put on hold amid a cabinet reshuffle of senior and junior ministers.
Now given its first full reading, the draft bill sees the government attempting to reconcile two conflicting political priorities: promoting economic growth by reducing the regulatory burden on businesses, and tackling the negative economic impacts of cyberattacks.
Published alongside the bill are several new government-sponsored research papers into the economic impact of those attacks, which found that incidents affecting individual businesses are potentially costing the British economy £14.7 billion ($19.3 billion) annually, equivalent to around 0.5% of the country’s gross domestic product, while the cyber-enabled theft of intellectual property from the country could be costing up to 0.3% of GDP per year.
The total cost to business of implementing the Cyber Security and Resilience Bill is estimated to be up to £590 million (about $775 million) — equivalent to around 0.00022% of GDP.
One of the perceived shortcomings of the existing NIS Regulations was the blindspot it left for critical supply-chain entities, such as diagnostics firms used in the National Health Service, or chemical suppliers to water firms. The new law would empower regulators to designate these entities as critical suppliers, meaning they would also have to meet minimum security requirements.
Aligned with the concept that “the polluter pays,” the legislation also aims to address the perceived shortage of resources that sector-specific regulators actually put into enforcing the legislation. The new provisions intend to improve “the cost recovery regime so that it is more comprehensive and flexible, reducing the need to pass the costs of regulation to the taxpayer.”
It would provide new powers to the technology secretary to instruct regulators and regulated entities to take specific steps, for instance “requiring that they beef up their monitoring or isolate high-risk systems” when there is a threat to national security.
“These are areas which could pose huge negative implications for the British economy and public services if targeted,” the government said Wednesday. “The Office for Budget Responsibility estimates that a cyberattack on critical national infrastructure could temporarily increase borrowing by over £30 billion — equivalent to 1.1% of GDP.”
While the original NIS Regulations require organizations in critical sectors to report cyber incidents to their regulators, the thresholds for reportable incidents were based on the “interruption to the continuity of the essential or digital service,” meaning that organizations had no duty to report compromises that involved pre-positioning or reconnaissance so long as the attacker didn’t disrupt the target system.
The draft law expands these thresholds “to capture incidents that are capable of having a significant impact on the provision of the essential or digital service” even if such an impact doesn’t immediately occur. Any “incidents that significantly affect the confidentiality, availability, and integrity of a system” would meet the new threshold.
“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target,” said incumbent Technology Secretary Liz Kendall.
“We all know the disruption daily cyberattacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
The introduction of the bill follows several high-profile cyberattacks causing disruption to the country within recent months, including one affecting pathology laboratory Synnovis believed to have contributed to at least one death, and another hitting Jaguar Land Rover, one of the British economy’s most significant manufacturers.
Alongside the text of the draft bill itself, the government has published an in-depth impact assessment revealing the extent of the policy work that has gone into developing the proposed law.
The assessment identifies five market failures across different sectors of the economy that are driving poor cybersecurity outcomes, reinforcing warnings by the National Cyber Security Centre (NCSC) Chief Technology Officer Ollie Whitehouse regarding the information asymmetry between vendors and buyers, as well as the externalities and lack of shared risk when it comes to cybersecurity failures.
A wider net
The bill would also bring a new swath of businesses into the scope of regulations, including managed service providers — companies providing IT management, help desk support, and cybersecurity services to other businesses.
Regulating these companies is a necessity because of the exponential risk posed by supply chain vulnerabilities in these kinds of businesses, the impact assessment found. It cited the attack on SolarWinds by hackers working for Russian intelligence, stating it impacted 18,000 customers — although according to SolarWinds itself the malware was only activated on fewer than 100 victims’ networks.
“Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences,” the government said.
The legislation would also regulate new parts of the electricity grid, including large load controllers such as smart charging networks and industrial demand aggregators that could destabilize the grid if compromised.
Organizations covered by the new law would have to report the most harmful cyber incidents to both their regulator and the NCSC within 24 hours, with a full report sent within 72 hours, for the sake of ensuring that support is on hand and to build a national picture of cyber threats.
Richard Horne, the NCSC's chief executive, said: “The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.
“As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical service,” he said.
Critics may say the new legislation remains too focused on resilience — encouraging organizations to improve their cybersecurity, and to prepare to recover quickly if a compromise does occur — a priority that has been described as leaving the country “absorbing the punches” instead of “campaigning on the forward foot” to tackle the perpetrators causing the trouble in the first place.
The bill will need to be passed by both Houses of Parliament before receiving royal assent and becoming law. It contains several grace periods before coming into effect, meaning its provisions won’t be enforced until 2027.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.