In the King’s Speech introduced by the new UK government in July 2024, the UK Cyber Security & Resilience Bill was one of two pieces of legislation introduced to strengthen the UK’s cyber defences.
This bill is part of the UK’s broader strategy to bolster national security against cyber threats and follows legislation brought in across the EU such as NIS2 and DORA aimed to improve on existing and now outdated legislation as well as increasing the scope of organisations to which it applies.
The introduction of this much delayed legislation is set against the backdrop of a significant cost to the economy from ever increasing and impactful cyber-attacks along with other significant failures of digital systems, such as the recent global IT outage caused by a failed update to the CrowdStrike security software. The cost of such incidents to the UK economy is estimated to be in the tens of billions, hence the determination of the UK government to introduce the bill.
What does the bill consist of?
The intention of the bill is to update existing legislation which was inherited from the now out of date EU Network and Information Systems regulations. Principally this will involve:
Expanding the remit of the regulation so that more critical services and digital services, as well as supply chains, are covered. It’s been well publicised that the government is terrified of the impact of supply chain cyber attacks (https://www.prodriveit.co.uk/blog/supplychainattacks) and they wish to close down this significant attack vector.
Regulators will be given more power to enforce the measures contained in the legislation, investigate vulnerabilities and issue compliance notices as well as fines for non-adherence.
There will be a requirement for business to report cyber incidents promptly via specific channels to allow government agencies to manage co-ordinated response to quickly address incidents, contain them and mitigate their impact. Reporting can be on interruptions to business operations as well as ransom attacks and cyber and personal data breaches.
What does this mean for businesses?
First and foremost, there will be an increase in the cost of doing business as a result of this, especially for organisations that currently do not operate an appropriate information security strategy (the majority of SME businesses fall into this category). Even if your organisation is not specifically covered by the new legislation, you will be impacted by supply chain requirements.
There will also need to be a significant change in attitude and culture towards cyber security in many organisations. Many firms take the view that they are not a target or feel they have delegated responsibility to their IT company. As almost all cyber breaches involve human actions, they will need to take action to train and educate their staff and make cyber security a regular whole-company discussion point.
The bill also presents an opportunity. As a result of the changes brought in by the bill, cyber security will become a major decision factor when businesses are evaluating tenders and proposals for work. Firms that are ahead of the game and can clearly demonstrate a proactive approach towards managing cyber risk and digital resilience will have an advantage in winning work and be able to command higher prices.
What should you do now?
Whilst it will undoubtably take some time for the new bill to pass through parliament and become law, we recommend starting work on your cyber and digital resilience strategy now. Spreading the work over time will reduce the cost and people impact on your business and allow you to get ahead of the competition.
Get in touch now using the form below to find out how our IT maturity framework can help you build your cyber security roadmap.