UK sets out new cyber reporting requirements for critical infrastructure
In a policy statement published Tuesday, the British government set out what its forthcoming Cyber Security and Resilience Bill will include when it is introduced to parliament later this year.
The belated reworking of the country’s cybersecurity regulations comes three years after the previous government had prematurely described those laws as “updated” while failing to actually introduce the legislation.
“For too long, successive governments have failed to properly address the growing risk posed by cyber criminals and hostile states. Our people have paid the price,” said Peter Kyle, the Secretary of State, in a foreword to the policy document.
Britain’s cybersecurity laws were passed in 2018 and are based on the European Union’s Network and Information Systems (NIS) Directive. They were not reworked following the United Kingdom’s withdrawal from the European Union in 2020, even though the EU itself did so through the NIS2 update in 2022.
The original law introduced duties for organizations in critical sectors to report cyber incidents to their regulators, but the threshold for a reportable incident was tied to the “interruption to the continuity of the essential or digital service.” As a result, organizations had no duty to report compromises involving pre-positioning or reconnaissance, so long as the attacker did not actually disrupt the target system.
“This is too narrow in scope and many incidents of concern are not reported,” the government said on Tuesday. “The Bill will expand this [threshold] to capture incidents that are capable of having a significant impact on the provision of the essential or digital service.”
Improving these thresholds was also part of NIS2, which the British government said on Tuesday it was keen to align with where possible. But legislating in this area has proven difficult: to date only seven of the EU’s 27 member states have actually transposed the directive into domestic law, despite the deadline for doing so having passed last October.
Under the new rules in Britain, as with NIS2, any “incidents that significantly affect the confidentiality, availability, and integrity of a system” will be considered reportable.
“This will include the compromise of data confidentiality, spyware attacks that use firms that provide digital services (including [Managed Service Providers]) as a vector to access other organisations, or other incidents significantly affecting the integrity of a system,” stated the government.
Regulated entities will have to notify their sector-specific regulator and inform the National Cyber Security Centre (NCSC) within 24 hours of becoming aware of an incident. This initial notification will need to be followed by a full incident report within 72 hours.
The new legislation aims to complement a Home Office consultation proposing a major overhaul of how Britain responds to ransomware attacks, including by banning public sector bodies from making extortion payments and requiring all victims to report incidents to the government.
Alongside the improvements to incident reporting, the government is expanding the number of entities that would be covered by the regulation. These will include not just Managed Service Providers (MSPs) but other cloud-based and digital services that form a critical part of many businesses’ supply chains.
It will also see the designation of data centres as critical national infrastructure put on a statutory footing, meaning they “can now expect greater government support in recovering from and anticipating critical incidents.”
Securing supply chains
The new law will also “enable the government to set stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP) in secondary legislation, subject to consultation,” announced the government.
A trial run of a similar approach is already underway in the financial sector, where last year a group of some of the country’s largest banks pledged to incorporate Cyber Essentials — the government’s certification scheme — into their contractual supplier requirements.
The idea is that directly regulated entities will require the organizations they depend on to adhere to cybersecurity standards, hardening broader critical sectors.
The government acknowledged that the move is likely to increase costs for up to 1,100 providers, but said “these investments will position MSPs as trusted and reliable partners in the cyber security landscape.”
Critically, the law will also introduce a new power for regulators to identify and designate “specific high-impact suppliers” — expected to account for “a very small number and percentage of those suppliers providing goods or services” — which will have to comply with the same kinds of standards as critical national infrastructure entities.
To help enforce the act, regulators will be provided with improved enforcement powers and cost recovery mechanisms.
“In light of the rapidly evolving cyber threat and technology landscape, government must be able to update regulations to mitigate new risks and to capitalise on technological advancements,” stated the policy document.
As such, the government aims for the law to give the Secretary of State the power to update the regulations without requiring an Act of Parliament — for instance “to bring new sectors and sub-sectors in scope of the regulations and make changes to the responsibilities and functions of NIS regulators.”
The legislation would also empower the Secretary of State “to direct a regulated entity to take action, when it is necessary for national security.”
Presently, there is no mechanism for the government to issue directions to regulated entities to address cyber threats, “even where this is judged to be essential for safeguarding national security. The growing threat posed by high capability actors and hostile states means that this is a gap that could be exploited with increasing regularity and impact, putting the operation of the UK’s critical infrastructure at risk.”
The new measure would mean the government could issue a direction to a regulated entity regarding a specific cyber incident or threat. These directions “would be laid in Parliament to enable public scrutiny, unless doing so would present a national security risk," said the government.
The government said the legislation would be introduced to Parliament this year, when it will be debated and amended.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.