Introduction of the cyber security and resilience (network and information systems) bill

The government have introduced the Cyber Security and Resilience (Network and Information Systems) Bill - marking a major milestone in their response to the evolving cyber threat.

The Bill aims to safeguard public services, ensure the UK economy is better protected than ever, and deliver a step change in national security.  

As everyone has surely witnessed this year, the growing cyber threat is not a hypothetical one - with household names hit hard and the repercussions felt in our day to day lives. Last year the UK was the most targeted country in Europe for cyber attacks, and new research published this week has shown that significant cyber attacks cost UK businesses around £15 billion each year.

The CEO of the National Cyber Security Centre has warned that ‘the challenge we face is growing at an order of magnitude’. 

That is why The Government's Department for Science, Innovation and Technology (DSIT) is bringing forward the Cyber Security and Resilience (Network and Information Systems) Bill, updating laws from 2018 to reflect the threats we face in 2025 and beyond.

The Bill has three pillars of reforms to update the Network and Information Systems Regulations (2018). These address current vulnerabilities, increasing the UK’s defences against cyber-attacks:

1. Expanded scope: The regime does not cover every UK organisation. It is about those services which are so essential, that their disruption would affect our daily lives. The original regulations in 2018 brought into scope services like the NHS, transport system and energy network. Since then, cyber criminals are exploiting new routes - managed service providers, data centres, and critical parts of supply chains - to threaten our way of life. This reflects the interconnected economy we live in, potentially causing huge disruption and financial losses to their clients. By bringing into scope more of the core services relied on across the economy, UK businesses and public services will be more secure and resilient. 

2. Effective regulators: 12 regulators are responsible for implementing these laws. This allows for a sector-specific approach, as different organisations are vulnerable to threats in different ways, such as through the technology they use. The Bill will drive a more consistent and effective regime, with expanded and more timely reporting of harmful cyber attacks, a stronger mechanism for government to set priority outcomes for regulators to work to, and a fuller toolkit for sharing information, recovering costs and enforcement.  

3. Enabling resilience: The government no longer has powers to head off the threats faced by the UK as they change and evolve. That is why the Government will be given the tools to quickly strengthen the nation’s cyber security and resilience in response to the ever-changing threat landscape, and respond to imminent threats to our national security and way of life.

More information on the Bill, including detailed factsheets on each of the Bill’s measures, can be found on GOV.UK at: https://www.gov.uk/government/collections/cyber-security-and-resilience-bill

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).