UK government fails to bring forward promised cyber laws in King’s Speech
A year after prematurely announcing that the United Kingdom’s cyber laws had been “updated,” the British government has missed what is likely to be its last opportunity to actually update the laws before a general election next year.
The legislation was not mentioned during the King’s Speech on Tuesday — the formal opening of Parliament in the United Kingdom — during which the government sets out the whole of its legislative agenda for the session to come.
Laws that would have, in the government’s own words, “better protected” essential services in the country — including in the water, energy and transport sectors — are now unlikely to be introduced to Parliament until 2025, and probably won’t take effect until 2026 at the earliest. The delay potentially leaves the country exposed to what officials have warned is an increase in cyberattacks.
Known as the NIS Regulations, the laws were initially passed in 2018 based on a European Union directive. They prescribe security standards for the providers of critical infrastructure and essential digital services, alongside establishing mandatory reporting obligations in the wake of disruptive cyberattacks.
The updated laws would improve the standards around this mandatory reporting, with fines up to £17 million ($20.9 million) for non-compliance. As previously covered by Recorded Future News, a large number of cyberattacks are not recorded as NIS incidents due to the current thresholds set by the legislation.
These thresholds are based on the impact of a cybersecurity incident on the provision of the essential service — for instance, whether an attack disrupted energy production at a power plant or prevented a train company from running a number of services.
As the thresholds do not measure the depth of the attackers’ computer network access, nor whether the threat actors had the capability to disrupt any essential services, they risk leaving government authorities without any effective visibility into how targeted their sectors are.
“In response to a public consultation, we set out detailed plans to broaden the scope of reportable incidents, extending beyond those impacting the delivery of essential or digital services,” a government spokesperson previously told Recorded Future News.
The updates also would have introduced obligations on managed service providers (MSPs) — companies paid to manage IT infrastructure and provide support, often to smaller businesses that don't have a designated IT department — which the government said were “an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services.”
Financially motivated ransomware attacks have impacted MSPs such as Kaseya in the United States and the NHS supplier Advanced in Britain, with the latter severely impacting patient care according to BBC News.
Recorded Future News reported previously on how the ransomware incident affecting Advanced prompted the government to hold several Cabinet Office Briefing Rooms (COBR) crisis management meetings.
Multiple sources who spoke to Recorded Future News on the condition of anonymity to discuss government business said the updates to the cyber laws have already been written and are just waiting for the government to introduce them to Parliament.
When the British government announced the new NIS regulations last year following a public consultation, it claimed to be able to “update these laws to better fit the country’s cyber security needs” because the United Kingdom had left the European Union.
Despite this, the European Union’s own update to the NIS directive, known as NIS2, has now already entered into force and will be part of member states’ domestic legislation by this time next year.
A spokesperson for the government said: “The government takes the cyber resilience of the UK very seriously and is working with operators, regulators and other government departments to ensure that they meet set levels of resilience and have the necessary means to improve their cyber security.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.