Timeline Set for UK Cybersecurity and Resilience Reforms

Skadden Publication / Cybersecurity and Data Privacy Update

Nicola Kerr-Shaw, David A. Simon, Aleksander J. Aleksiev

On 30 September 2024, the UK Department of Science, Innovation and Technology announced that the Cyber Security and Resilience Bill (Bill) will be introduced to Parliament in 2025. The Bill was first announced in the King’s Speech on 17 July 2024. Its aim is to strengthen the UK’s cybersecurity and ensure that critical infrastructure and digital services are secure and resilient. See our 8 August 2024 client alert “New UK Government Announces AI and Cybersecurity Reforms."

What We Know So Far

The Bill will update the existing Network and Information Systems Regulations 2018 (the NIS Regulations) to:

  • Expand the scope of the NIS Regulations to cover more sectors, including digital services and supply chains.
  • Put the sectoral regulators under the NIS Regulations (such as Ofgem for energy providers) on a stronger footing, including by resourcing them through fees collected from regulated organizations and by giving them powers to proactively investigate potential weaknesses in regulated organizations' cybersecurity measures.
  • Mandate increased incident reporting, including where a company has been held to ransom, to give the government better data on cyber attacks.

What Organizations Should Consider

While limited details are available to date, organizations should follow developments on the Bill closely. In particular, the Bill will impose cybersecurity obligations on sectors that were previously unregulated, and the mooted incident reporting obligation for ransomware incidents will significantly expand the range of incidents that are reportable.

Given the increase in attacks by cyber criminals and state actors, the Bill is one element of a broader set of regulatory reforms being implemented by the UK government, including the Financial Conduct Authority’s PS21/3 Building Operational Resilience rules and the Treasury’s Critical Third Party regime for financial services.

Similar reforms are also underway in the EU, where companies are already grappling with the EU’s reformed NIS 2 Directive, along with its Digital Operational Resilience Act for financial entities. See our 11 October 2024 client alert “Navigating the New Cybersecurity Landscape: Key Implications of the EU’s NIS 2 Directive.”

Building a compliance program for regulations of this breadth is often a lengthy process, so early preparation to identify in-scope systems and plan the program is key.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.