Source: https://www.theregister.com/2025/11/12/uk_cyber_security_and_resilience/
UK's Cyber Security and Resilience Bill makes Parliamentary debut

Various touch-ups added as MPs seek greater resilience to attacks on critical sectors.

UK government introduced the Cyber Security and Resilience (CSR) Bill to Parliament today, marking a significant overhaul of local cybersecurity legislation to sharpen the security posture of the most critical sectors.

First teased during the 2024 King's Speech, the Cyber Security and Resilience (CSR) Bill builds on the NIS 2018 regulations. While largely unchanged from the draft revealed by former tech secretary Peter Kyle in April, it now confirms datacenters will fall under the new regulations - an expected move after they were designated critical national infrastructure in September 2024.

Prior to the bill's introduction to Parliament today, the Department for Science, Technology and Innovation (DSIT) stated: "Datacenters keep the UK running, from patient records and payments to email services and AI development. The bill will bring them into scope of the regulations, ensuring they meet robust cybersecurity standards."

Managed service providers (MSPs) will also be covered by the laws once passed, a change originally planned for the NIS 2022 update that didn't come into force.

The full list of organizations and sectors in scope of the CSR Bill has not yet been codified, but the current regulations cover two main types of entity:

DSIT said new rules will also apply to organizations that oversee the delivery of electricity to smart appliances, including devices such as electric vehicle charging points and smart heating appliances in homes.

The government sees the bill as "a step change" toward stronger national security, putting the current cost of cyberattacks to the economy at £14.7 billion ($19.3 billion, roughly 0.5 percent of the UK's GDP).
Richard Horne, CEO at the UK's National Cyber Security Centre (NCSC), said: "The real-world impacts of cyberattacks have never been more evident than in recent months, and so we welcome the move to strengthen legislation and regulatory powers to help drive up the level of defence and resilience across critical national infrastructure."

Greater powers

The bill today also confirms plans to hand the government new powers to issue specific security demands to in-scope organizations, similar to how the US Cybersecurity and Infrastructure Security Agency (CISA) can compel federal agencies to patch vulnerabilities on tight deadlines. These emergency instructions will be sent down to regulators from the technology secretary, Liz Kendall, including demands such as improved monitoring or system isolation during national security threats.

Kendall said: "Cybersecurity is national security. This legislation will enable us to confront those who would disrupt our way of life. I'm sending them a clear message: the UK is no easy target.

"We all know the disruption daily cyberattacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge."

Penalties for serious violations under the new rules will reach daily fines equivalent to £100,000 ($131,000), or 10 percent of the organization's daily turnover - whichever is higher.

Organizations suffering "more harmful" cyberattacks will also have to report themselves to the relevant regulator and the NCSC within 24 hours under the CSR Bill's current wording, and issue a full report within 72 hours. The rule is part of the government's ambition to gain better clarity on cyberattacks on the UK's most critical sectors, so that actionable advice can be quickly issued to defenders.
Daily Brief Summary
The UK Parliament received the Cyber Security and Resilience (CSR) Bill, aiming to enhance cybersecurity measures across critical sectors, including datacenters and managed service providers.
This legislative update builds on the NIS 2018 regulations, expanding to include datacenters after their designation as critical national infrastructure in 2024.
The bill grants the government new powers to issue security directives, similar to the US CISA's authority, to ensure rapid response to national security threats.
Organizations affected by severe cyberattacks must report incidents to regulators and the NCSC within 24 hours, with a comprehensive report required within 72 hours.
Penalties for serious violations are daily fines of £100,000 or 10 percent of daily turnover, whichever is higher, emphasizing the importance of adherence to the new regulations.
The bill is part of a broader strategy to reduce the £14.7 billion annual economic impact of cyberattacks on the UK, aiming for a more resilient national infrastructure.
The legislation underscores the government's commitment to national security, ensuring fewer disruptions to essential services and enhancing overall cyber defense capabilities.